FreeBSD -- zlib heap buffer overflow
Problem Description: zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. Impact: Applications that call inflateGetHeader may be vulnerable to a buffer overflow. Note that inflateGetHeader is not used by anything in...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 24 security fixes, including: 1340253 Critical CVE-2022-3038: Use after free in Network Service. Reported by Sergei Glazunov of Google Project Zero on 2022-06-28 1343348 High CVE-2022-3039: Use after free in WebSQL. Reported by Nan Wang@eternalsakura...
advancecomp -- Multiple vulnerabilities
GitHub advisories reports: Multiple vulnerabilities found in advancecomp including: Three segmentation faults. Heap buffer overflow via le_uint32_read at /lib/endianrw.h. Three more heap buffer overflows...
powerdns-recursor -- denial of service
PowerDNS Team reports: PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation...
gitea -- multiple issues
The Gitea team reports: Remove ReverseProxy authentication from the API Support Go Vulnerability Management Forbid HTML string tooltips...
zeek -- potential DoS vulnerabilities
Tim Wojtulewicz of Corelight reports: Fix a possible overflow and crash in the ARP analyzer when receiving a specially crafted packet. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability. Fix a possible overflow and crash in the...
rpm4 -- Multiple Vulnerabilities
rpm project reports: Fix intermediate symlinks not verified CVE-2021-35939. Fix subkey binding signatures not checked on PGP public keys CVE-2021-3521. Refactor file and directory operations to use fd-based APIs throughout CVE-2021-35938...
Gitlab -- Remote Code Execution
Gitlab reports: Remote Command Execution via Github import...
MariaDB -- Multiple vulnerabilities
The MariaDB project reports: Multiple vulnerabilities, mostly segfaults, in the server component...
gitea -- multiple issues
The Gitea team reports: Double check CloneURL is acceptable Add more checks in migration code...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 11 security fixes, including: 1349322 Critical CVE-2022-2852: Use after free in FedCM. Reported by Sergei Glazunov of Google Project Zero on 2022-08-02 1337538 High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Securi...
dendrite -- Incorrect parsing of the event default power level in event auth
Dendrite team reports: The power level parsing within gomatrixserverlib was failing to parse the "events_default" key of the m.room.power_levels event, defaulting the event default power level to zero in all cases. In rooms where the "events_default" power level had been changed, this could result i...
Grafana -- Privilege escalation
Grafana Labs reports: On August 9 an internal security review identified a vulnerability in Grafana which allows an escalation from Admin privileges to Server Admin when Auth proxy authentication is used. Auth proxy allows authenticating a user by only providing the username or email in a...
FreeBSD -- Out of bound read in elf_note_prpsinfo()
Problem Description: When dumping core and saving process information, proc_getargv might return an sbuf which has a sbuf_len of 0 or -1, which is not properly handled. Impact: An out-of-bound read can happen when a user constructs a specially crafted ps_strings, which in turn can cause the kernel to...
FreeBSD -- Memory disclosure by stale virtual memory mapping
Problem Description: A particular case of memory sharing is mishandled in the virtual memory system. This is very similar to SA-21:08.vm, but with a different root cause. Impact: An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read...
varnish -- Denial of Service Vulnerability
Varnish Cache Project reports: A denial of service attack can be performed against Varnish Cache servers by specially formatting the reason phrase of the backend response status line. In order to execute an attack, the attacker would have to be able to influence the HTTP/1 responses that the...
FreeBSD -- Missing bounds check in 9p message handling
Problem Description: The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory. Impact: The bug can be...
FreeBSD -- AIO credential reference count leak
Problem Description: The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case. Impact: An attacker may cause the reference count to overflow, leading to a use after free (UAF)...
puppetdb -- Potential SQL injection
Puppet reports: The org.postgresql/postgresql driver has been updated to version 42.4.1 to address CVE-2022-31197, which is an SQL injection risk that according to the CVE report, can only be exploited if an attacker controls the database to the extent that they can adjust relevant tables to have...
samba -- buffer overflow in Heimdal unwrap_des3()
The Samba Team reports: The DES for Samba 4.11 and earlier and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc allocated memory when presented with a maliciously small packet...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 27 security fixes, including: 1325699 High CVE-2022-2603: Use after free in Omnibox. Reported by Anonymous on 2022-05-16 1335316 High CVE-2022-2604: Use after free in Safe Browsing. Reported by Nan Wang@eternalsakura13 and Guang Gong of 360 Alpha Lab...
XFCE tumbler -- Vulnerability in the GStreamer plugin
The XFCE project reports: Added mime type check to the gst-thumbnailer plugin to fix an undisclosed vulnerability...
rsync -- client-side arbitrary file write vulnerability
Openwall oss-security reports: We have discovered a critical arbitrary file write vulnerability in the rsync utility that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. Due to...
py-flask-security -- user redirect to arbitrary URL vulnerability
Snyk reports: This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\evil.com/path. This vulnerabilit...
Django -- multiple vulnerabilities
Django reports: CVE-2022-36359: Potential reflected file download vulnerability in FileResponse...
drupal9 -- multiple vulnerabilities
Drupal reports: CVE-2022-31175: Cross-site scripting (XSS) caused by the editor instance destroying process...
Unbound -- Multiple vulnerabilities
NLnet Labs reports: novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation...
py-Scrapy -- credentials leak vulnerability
When the built-in HTTP proxy downloader middleware processes a request with proxy metadata, and that proxy metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the Proxy-Authentication header, but only if that header is not already set. There are third-party...
Gitlab -- multiple vulnerabilities
Gitlab reports: Revoke access to confidential notes todos Pipeline subscriptions trigger new pipelines with the wrong author Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email Import via git protocol allows to...
samba -- Multiple vulnerabilities
The Samba Team reports: CVE-2022-2031 The KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other's tickets. A user who has been requested to change their password can exploit this to obtain and use tickets to other services. CVE-2022-32744 The KDC...
Grafana -- Unauthorized file disclosure
Grafana Labs reports: On July 21, an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used. The Chromium browser embedded in the Grafana Image Renderer allows for “printing” of unauthorized files i...
VirtualBox -- Multiple vulnerabilities
Oracle reports: Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently...
MySQL -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 34 new security patches plus additional third party patches noted below for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 11 security fixes, including: 1336266 High CVE-2022-2477: Use after free in Guest View. Reported by anonymous on 2022-06-14 1335861 High CVE-2022-2478: Use after free in PDF. Reported by triplepwns on 2022-06-13 1329987 High CVE-2022-2479: Insufficie...
redis -- Potential remote code execution vulnerability
The Redis core team reports: A specially crafted XAUTOCLAIM command on a stream key in a specific state may result with heap overflow, and potentially remote code execution...
go -- decoding big.Float and big.Rat can panic
The Go project reports: encoding/gob & math/big: decoding big.Float and big.Rat can panic Decoding big.Float and big.Rat types can panic if the encoded message is too short...
git -- privilege escalation
The git project reports: Git is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a gi...
gitea -- multiple issues
The Gitea team reports: Use git.HOME_PATH for Git HOME directory Add write check for creating Commit status Remove deprecated SSH ciphers from default...
gitea -- multiple issues
The Gitea team reports: Add write check for creating Commit status Check for permission when fetching user controlled issues...
go -- multiple vulnerabilities
The Go project reports: net/http: improper sanitization of Transfer-Encoding header The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also...
wolfssl -- multiple issues
wolfSSL blog reports: In release 5.4.0 there were 3 vulnerabilities listed as fixed in wolfSSL. Two relatively new reports, one dealing with a DTLS 1.0/1.2 denial of service attack and the other a ciphertext attack on ECC/DH operations. The last vulnerability listed was a public disclosure of a...
mat2 -- directory traversal/arbitrary file read during ZIP file processing
mat2 aka metadata anonymisation toolkit before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive...
gnutls -- double free vulnerability
The GnuTLS project reports: When gnutls_pkcs7_verify cannot verify the signature against the given trust list, it starts creating a chain of certificates starting from the identified signer up to a known root. During the creation of this chain the signer certificate gets freed, which results in a double free when t...
OpenSSL -- AES OCB fails to encrypt some bytes
The OpenSSL project reports: AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special...
Node.js -- July 7th 2022 Security Releases
Node.js reports: HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium) (CVE-2022-32213) The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). HTTP Request Smuggling - Improper Delimiting of...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 4 security fixes, including: 1341043 High CVE-2022-2294: Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01 1336869 High CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts a...
Grafana -- Plugin signature bypass
Grafana Labs reports: On July 4th as a result of an internal security audit we have discovered a bypass in the plugin signature verification by exploiting a versioning flaw. We believe that this vulnerability is rated at CVSS 6.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L...
OpenSSL -- Heap memory corruption with RSA private key operation
The OpenSSL project reports: The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during t...
Gitlab -- multiple vulnerabilities
Gitlab reports: Remote Command Execution via Project Imports XSS in ZenTao integration affecting self hosted instances without strict CSP XSS in project settings page Unallowed users can read unprotected CI variables IP allow-list bypass to access Container Registries 2FA status is disclosed to...
py-matrix-synapse -- unbounded recursion in urlpreview
Matrix developers report: This release fixes a vulnerability with Synapse's URL preview feature. URL previews of some web pages can lead to unbounded recursion, causing the request to either fail, or in some cases crash the running Synapse process. Note that: Homeservers with the url_preview_enable...