6538 matches found
redis -- multiple vulnerabilities
The Redis core team reports: CVE-2023-25155 Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. CVE-2022-36021 String matching commands like SCAN or KEYS with a specially...
mod_gnutls -- Infinite Loop on request read timeout
The mod_gnutls project reports: mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Versions from 0.9.0 to 0.12.0 inclusive did not properly fail blocking read operations on TLS connections when the transport hit timeouts. Instead it entered an endless loop retrying the read operation,...
go -- crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results
The Go project reports: crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars a scalar larger than the order of the curve...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update includes 10 security fixes: 1415366 Critical CVE-2023-0941: Use after free in Prompts. Reported by Anonymous on 2023-02-13 1414738 High CVE-2023-0927: Use after free in Web Payments API. Reported by Rong Jian of VRI on 2023-02-10 1309035 High CVE-2023-0928: Us...
zeek -- potential DoS vulnerabilities
Tim Wojtulewicz of Corelight reports: Receiving DNS responses from async DNS requests via the lookup_addr, etc. BIF methods with the TTL set to zero could cause the DNS manager to eventually stop being able to make new requests. Specially-crafted FTP packets with excessively long usernames,...
FreeBSD -- OpenSSH pre-authentication double free
Problem Description: A flaw in the backwards-compatibility key exchange route allows a pointer to be freed twice. Impact: A remote, unauthenticated attacker may be able to cause a denial of service, or possibly remote code execution. Note that FreeBSD 12.3 and FreeBSD 13.1 include older versions ...
FreeBSD -- Multiple vulnerabilities in OpenSSL
Problem Description: X.400 address type confusion in X.509 GeneralName CVE-2023-0286 There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrect...
curl -- multiple vulnerabilities
Harry Sintonen and Patrick Monnerat report: CVE-2023-23914 A cleartext transmission of sensitive information vulnerability exists in curl v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead...
clamav -- Multiple vulnerabilities
Simon Scannell reports: CVE-2023-20032 Fixed a possible remote code execution vulnerability in the HFS+ file parser. CVE-2023-20052 Fixed a possible remote information leak vulnerability in the DMG file parser...
git -- Local clone-based data exfiltration with non-local transports
git team reports: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory...
git -- "git apply" overwriting paths outside the working tree
git team reports: By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply"...
go -- multiple vulnerabilities
The Go project reports: path/filepath: path traversal in filepath.Clean on Windows On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative if invalid path into an absolute path could enable a directory...
phpmyfaq -- multiple vulnerabilities
phpmyfaq developers report: a bypass to flood admin with FAQ proposals stored XSS in questions stored HTML injections weak passwords...
GnuTLS -- timing sidechannel in RSA decryption
The GnuTLS project reports: A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS1 v1.5 padding. Only TLS ciphertext processing is affected...
PostgreSQL server -- Client memory disclosure when connecting, with Kerberos, to modified server.
PostgreSQL Project reports: A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. When a libpq client application has a Kerberos credential cache and doesn't explicitly disable option gssencmode, a server can cause libpq to...
py-cryptography -- includes a vulnerable copy of OpenSSL
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and...
FreeBSD -- GELI silently omits the keyfile if read from stdin
Problem Description: When GELI reads a key file from a standard input, it doesn't store it anywhere. If the user tries to initialize multiple providers at once, for the second and subsequent devices the standard input stream will be already empty. In this case, GELI silently uses a NULL key as th...
LibreSSL -- Arbitrary memory read
The OpenBSD project reports: A malicious certificate revocation list or timestamp response token would allow an attacker to read arbitrary memory...
OpenSSL -- Multiple vulnerabilities
The OpenSSL project reports: X.400 address type confusion in X.509 GeneralName CVE-2023-0286 High: There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 15 security fixes, including: 1402270 High CVE-2023-0696: Type Confusion in V8. Reported by Haein Lee at KAIST Hacking Lab on 2022-12-18 1341541 High CVE-2023-0697: Inappropriate implementation in Full screen mode. Reported by Ahmed ElMasry on...
py-cryptography -- allows programmers to misuse an API
alex reports: Previously, Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects such as bytes to be mutated, thus violating fundamental rules of Python. This is a soundness bug -- it allows...
phpMyAdmin -- XSS vulnerability in drag-and-drop upload
phpMyAdmin Team reports: PMASA-2023-1 XSS vulnerability in drag-and-drop upload...
xorg-server -- Security issue in the X server
The X.org project reports: CVE-2023-0494/ZDI-CAN-19596: X.Org Server DeepCopyPointerClasses use-after-free A dangling pointer in DeepCopyPointerClasses can be exploited by ProcXkbSetDeviceInfo and ProcXkbGetDeviceInfo to read/write into freed memory...
Django -- multiple vulnerabilities
Django reports: CVE-2023-24580: Potential denial-of-service vulnerability in file uploads...
Django -- multiple vulnerabilities
Django reports: CVE-2023-23969: Potential denial-of-service via Accept-Language headers...
zeek -- potential DoS vulnerabilities
Tim Wojtulewicz of Corelight reports: A missing field in the SMB FSControl script-land record could cause a heap buffer overflow when receiving packets containing those header types. Receiving a series of packets that start with HTTP/1.0 and then switch to HTTP/0.9 could cause Zeek to spend a lar...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Denial of Service via arbitrarily large Issue descriptions CSRF via file upload allows an attacker to take over a repository Sidekiq background job DoS by uploading malicious CI job artifact zips Sidekiq background job DoS by uploading a malicious Helm package...
Grafana -- Stored XSS in TraceView panel
Grafana Labs reports: During an internal audit of Grafana on January 30, a member of the engineering team found a stored XSS vulnerability affecting the TraceView panel. The stored XSS vulnerability was possible because the value of a span’s attributes/resources were not properly sanitized, and...
py-cinder -- unauthorized data access
Utkarsh Gupta reports: An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specif...
libde265 -- multiple vulnerabilities
Libde265 developer reports: This release fixes the known CVEs below. Many of them are actually caused by the same underlying issues that manifest in different ways...
Grafana -- Stored XSS in geomap panel plugin via attribution
Grafana Labs reports: During an internal audit of Grafana on January 25, a member of the security team found a stored XSS vulnerability affecting the core geomap plugin. The stored XSS vulnerability was possible because map attributions weren’t properly sanitized, allowing arbitrary JavaScript to...
Grafana -- Spoofing originalUrl of snapshots
Grafana Labs reports: A third-party penetration test of Grafana found a vulnerability in the snapshot functionality. The value of the originalUrl parameter is automatically generated. The purpose of the presented originalUrl parameter is to provide a user who views the snapshot with the possibili...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 6 security fixes, including: 1376354 High CVE-2023-0471: Use after free in WebTransport. Reported by chichoo Kim (@chichoo) and Cassidy Kim (@cassidy6564) on 2022-10-19 1405256 High CVE-2023-0472: Use after free in WebRTC. Reported by Cassidy Kim (@cassidy656...
powerdns-recursor -- denial of service
PowerDNS Team reports: PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination...
MySQL -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 37 new security patches for Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials...
Apache httpd -- Multiple vulnerabilities
The Apache httpd project reports: mod_dav out of bounds read, or write of zero byte CVE-2006-20001 moderate mod_proxy_ajp Possible request smuggling CVE-2022-36760 moderate mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting CVE-2022-37436 moderate...
rack -- Multiple vulnerabilities
Aaron Patterson reports: CVE-2022-44570 Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests such as streaming applications, or...
git -- Heap overflow in `git archive`, `git log --format` leading to RCE
The git team reports: git log has the ability to display commits using an arbitrary format with its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute. When processing the padding operators (e.g., %<(, %<|(, or %>(), an integer overflow can occur in...
libXpm -- Issues handling XPM files
The X.Org project reports: CVE-2022-46285: Infinite loop on unclosed comments When reading XPM images from a file with libXpm 3.5.14 or older, if a comment in the file is not closed (i.e. a C-style comment starts with "/*" and is missing the closing "*/"), the ParseComment function will loop forever...
git -- gitattributes parsing integer overflow
git team reports: gitattributes are used to define unique attributes corresponding to paths in your repository. These attributes are defined by .gitattributes files within your repository. The parser used to read these files has multiple integer overflows, which can occur when parsing either a...
Spotipy -- Path traversal vulnerability
Stéphane Bruckert reports: If a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended...
redis -- multiple vulnerabilities
The Redis core team reports: CVE-2022-35977 Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic. CVE-2023-22458 Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service...
phpmyfaq -- multiple vulnerabilities
phpmyfaq developers report: phpMyFAQ does not implement sufficient checks to avoid a stored XSS in "Add new question" phpMyFAQ does not implement sufficient checks to avoid a stored XSS in admin user page phpMyFAQ does not implement sufficient checks to avoid a stored XSS in FAQ comments phpMyFAQ...
net/eternalterminal -- Multiple vulnerabilities
Mitre reports: etserver and etclient have predictable logfile names in /tmp and they are world-readable logfiles...
security/tor -- SOCKS4(a) inversion bug
The Tor Project reports: TROVE-2022-002: The SafeSocks option for SOCKS4a is inverted leading to SOCKS4 going through This is a report from hackerone: We have classified this as medium considering that tor was not defending in-depth for dangerous SOCKS request and so any user relying on SafeSocks...
cassandra3 -- multiple vulnerabilities
Cassandra team reports: This release contains 6 security fixes including CVE-2022-24823: When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory CVE-2020-7238: Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 17 security fixes, including: 1353208 High CVE-2023-0128: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-08-16 1382033 High CVE-2023-0129: Heap buffer overflow in Network Service. Reported by asnine on 2022-11-07 1370028 Medium...
net/krill -- DoS vulnerability
MITRE reports: NLnet Labs Krill supports direct access to the RRDP repository content through its built-in web server at the "/rrdp" endpoint. Prior to 0.12.1 a direct query for any existing directory under "/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml" as would be expected,...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Race condition on gitlab.com enables verified email forgery and third-party account hijacking DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint Maintainer can leak sentry token by changing the configured URL Maintainer can...
mantis -- multiple vulnerabilities
Mantis 2.25.6 release reports: Security and maintenance release 0031086: Private issue summary disclosure CVE-2023-22476 0030772: Update bundled moment.js to 2.29.4 CVE-2022-31129 0030791: Allow adding relation type noopener/noreferrer to outgoing links...