OpenSearch -- Log4Shell
OpenSearch reports: A recently published security issue CVE-2021-44228 affects several versions of the broadly-used Apache Log4j library. Some software in the OpenSearch project includes versions of Log4j referenced in this CVE. While, at time of writing, the team has not found a reproducible...
Rundeck3 -- Log4J RCE vulnerability
The Rundeck project reports: This release updates both Community and Enterprise with the latest Log4J to address CVE-2021-44832 by updating it to 2.17.1...
bastillion -- log4j vulnerability
FreeBSD port maintainer reports: Bastillion uses log4j...
openhab -- log4j remote code injection
Openhab reports: Any openHAB instance that is publicly available or which consumes untrusted content from remote servers is potentially a target of this attack...
graylog -- include log4j patches
Apache Software Foundation reports: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or parameters can execute arbitrary code from attacker-controlled LDAP servers when message lookup substitution i...
Solr -- Apache Log4J
Solr reports: Apache Solr affected by Apache Log4J...
Grafana -- Directory Traversal
GitHub Security Labs reports: A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrar...
Privoxy -- Multiple vulnerabilities (memory leak, XSS)
Privoxy reports: cgierrornotemplate: Encode the template name to prevent XSS cross-site scripting when Privoxy is configured to serve the user-manual itself. Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543. Reported by: Artem Ivanov geturlspecparam: Free memory of compiled pattern spec...
py39-celery -- command injection vulnerability
Snyk reports: This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends result stores. When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within ...
go -- multiple vulnerabilities
The Go project reports: net/http: limit growth of header canonicalization cache. An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests. syscall: don’t close fd 0 on ForkExec error. When a Go program running on a Unix system is out of file descriptors and calls...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Group members with developer role can escalate their privilege to maintainer on projects that they import. When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API. Collision in access memoization leads to potential elevated...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 22 security fixes, including: 1267661 High CVE-2021-4052: Use after free in web apps. Reported by Wei Yuan of MoyunSec VLab on 2021-11-07 1267791 High CVE-2021-4053: Use after free in UI. Reported by Rox on 2021-11-08 1265806 High CVE-2021-4079: Out ...
Grafana -- Path Traversal
Grafana Labs reports: Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable. The vulnerable URL path is: /public/plugins/ where...
Matrix clients -- several vulnerabilities
Matrix developers report: Today we are releasing security updates to libolm, matrix-js-sdk, and several clients including Element Web / Desktop. Users are encouraged to upgrade as soon as possible. These releases mitigate a buffer overflow in olm_session_describe, a libolm debugging function used b...
mediawiki -- multiple vulnerabilities
Mediawiki reports: T292763, CVE-2021-44854: REST API incorrectly publicly caches autocomplete search results from private wikis. T271037, CVE-2021-44856: Title blocked in AbuseFilter can be created via Special:ChangeContentModel. T297322, CVE-2021-44857: Unauthorized users can use action=mcrundo to...
NSS -- Memory corruption
The Mozilla project reports: Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures (Critical). NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling...
node_exporter -- bypass security with cache poisoning
Prometheus team reports: Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back...
OpenEXR -- Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute
Cary Phillips reports: OpenEXR Version 3.1.4 is a patch release that ... addresses one public security vulnerability: CVE-2021-45942 Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute and several specific OSS-fuzz issues...
mailman < 2.1.38 -- CSRF vulnerability of list mod or member against list admin page
Mark Sapiro reports: A list moderator or list member can potentially carry out a CSRF attack by getting a list admin to visit a crafted web page...
rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
oooooooq reports: The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application. By this fix, CGI::Cookie.parse no longer decodes cookie names...
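The advisory above describes the mechanism in one sentence: if a cookie parser URL-decodes cookie names, an attacker can send a name such as %5F%5FHost-session, which decodes to __Host-session and so inherits the trust an application places in the __Host- prefix. The following is an added illustration, not code from the rubygem-cgi advisory or from the cgi gem itself: two small parsers model the pre-fix and post-fix behaviour, and the cookie header and the application check are constructed for the example.

```ruby
require "uri"   # URI.decode_www_form_component does the percent-decoding

# Constructed Cookie header (not from the advisory): the first name is the
# percent-encoded spelling of "__Host-session".
COOKIE_HEADER = "%5F%5FHost-session=attacker-chosen; theme=dark".freeze

# Model of the pre-fix behaviour described in the advisory: both the cookie
# name and the value are URL-decoded. Illustrative, not the cgi gem's code.
def parse_cookies_legacy(header)
  header.split(/;\s?/).each_with_object({}) do |pair, cookies|
    name, value = pair.split("=", 2)
    next if name.nil? || name.empty?
    cookies[URI.decode_www_form_component(name)] =
      URI.decode_www_form_component(value.to_s)
  end
end

# Model of the fixed behaviour: the name is taken literally, only the value
# is decoded, so "%5F%5FHost-session" can never collide with "__Host-session".
def parse_cookies_fixed(header)
  header.split(/;\s?/).each_with_object({}) do |pair, cookies|
    name, value = pair.split("=", 2)
    next if name.nil? || name.empty?
    cookies[name] = URI.decode_www_form_component(value.to_s)
  end
end

# Hypothetical application check: it relies on the browser's guarantee that a
# cookie named "__Host-*" was set by this host, over HTTPS, without a Domain
# attribute. Returns the session value, or nil when no such cookie exists.
def trusted_session(cookies)
  cookies["__Host-session"]
end

if __FILE__ == $0
  puts "legacy: #{trusted_session(parse_cookies_legacy(COOKIE_HEADER)).inspect}"
  puts "fixed:  #{trusted_session(parse_cookies_fixed(COOKIE_HEADER)).inspect}"
end
```

With the legacy parser the attacker's value is returned as a trusted __Host- cookie; with the fixed parser the lookup returns nil, because the key stays "%5F%5FHost-session". The same reasoning applies to the __Secure- prefix.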
rubygem-cgi -- buffer overrun in CGI.escape_html
chamal reports: A security vulnerability that causes buffer overflow when you pass a very large string (700 MB) to CGI.escape_html on a platform where long type takes 4 bytes, typically, Windows...
py-matrix-synapse -- several vulnerabilities
Matrix developers report: This release patches one high severity issue affecting Synapse installations 1.47.0 and earlier using the media repository. An attacker could cause these Synapses to download a remote file and store it in a directory outside the media repository. Note that: This only...
rubygem-date -- Regular Expression Denial of Service Vulnerability of Date Parsing Methods
Stanislav Valkanov reports: Date's parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 25 security fixes, including: 1263620 High CVE-2021-38008: Use after free in media. Reported by Marcin Towalski of Cisco Talos on 2021-10-26 1260649 High CVE-2021-38009: Inappropriate implementation in cache. Reported by Luan Herrera @lbherrera on...
graylog -- remote code execution in log4j from user-controlled log input
Apache Software Foundation reports: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map MDC input data when the logging configuration uses a non-default...
Roundcube -- Multiple vulnerabilities
The Roundcube project reports: XSS issue in handling attachment filename extension in mimetype mismatch warning. Possible SQL injection via some session variables...
samba -- Multiple Vulnerabilities
The Samba Team reports: CVE-2020-25717: A user in an AD Domain could become root on domain members. CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC. CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets. CVE-2020-25721:...
puppet -- Silent Configuration Failure
Puppet reports: A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first pluginsync...
routinator -- multiple vulnerabilities
nlnetlabs reports: Release 0.10.2 contains fixes for the following issues: Medium CVE-2021-43172: Infinite length chain of RRDP repositories. Credit: Koen van Hove. Date: 2021-11-09 Medium CVE-2021-43173: Hanging RRDP request. Credit: Koen van Hove. Date: 2021-11-09 Medium CVE-2021-43174: gzip...
puppet -- Unsafe HTTP Redirect
Puppet reports: A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007...
PostgreSQL -- Possible man-in-the-middle attacks
The PostgreSQL Project reports: CVE-2021-23214: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although...
zydis -- heap buffer overflow
Zyantific reports: Zydis users of versions v3.2.0 and older that use the string functions provided in zycore in order to append untrusted user data to the formatter buffer within their custom formatter hooks can run into heap buffer overflows. Older versions of Zydis failed to properly initialize...
go -- multiple vulnerabilities
The Go project reports: debug/macho fails out when loading a file that contains a dynamic symbol table command that indicates a larger number of symbols than exist in the loaded symbol table. Previously, opening a zip with Reader.Open could result in a panic if the zip contained a file whose name...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Critical SECURITY-2455 / CVE-2021-21685, CVE-2021-21686, CVE-2021-21687, CVE-2021-21688, CVE-2021-21689, CVE-2021-21690, CVE-2021-21691, CVE-2021-21692, CVE-2021-21693, CVE-2021-21694, CVE-2021-21695 Multiple vulnerabilities allow bypassing path filtering of...
Grafana -- Incorrect Access Control
Grafana Labs reports: When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other...
mailman -- 2.1.37 fixes XSS via user options, and moderator offline brute-force vuln against list admin password
Mark Sapiro reports: A potential XSS attack via the user options page has been reported by Harsh Jaiswal. This is fixed. CVE-2021-43331 LP: 1949401. A potential for a list moderator to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 8 security fixes, including: 1259864 High CVE-2021-37997 : Use after free in Sign-In. Reported by Wei Yuan of MoyunSec VLab on 2021-10-14 1259587 High CVE-2021-37998 : Use after free in Garbage Collection. Reported by Cassidy Kim of Amber Security La...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Stored XSS via ipynb files. Pipeline schedules on imported projects can be set to automatically active after import. Potential Denial of service via Workhorse. Improper Access Control allows Merge Request creator to bypass locked status. Projects API discloses ID and name of private...
Teeworlds -- Buffer Overflow
NVD reports: Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. A map parser does not validate the m_Channels value coming from a map file, leading to a buffer overflow. A malicious server may offer a specially crafted map that will overwrite the client's stack, causing denial of service...
The Update Framework -- path traversal vulnerability
NVD reports: python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients, tuf/client and tuf/ngclient, there is a path traversal vulnerability that in the worst case can overwrite files ending in .json anywhere on the client system on a call to getonevalidtargetinf...
Plex Media Server -- security vulnerability
Plex Security Team reports: We have recently been made aware of a security vulnerability in Plex Media Server versions prior to 1.25.0 that could allow a local Windows user to obtain administrator privileges without authorization. To be clear, this required the user to already have local, physica...
Grafana -- XSS
Grafana Labs reports: If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser. The user visiting the malicious link must be unauthenticated, and the link must be for a page th...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.15.5: Upgrade Bluemonday to v1.0.16 (#17372) (#17374). Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)...
libcaca -- Multiple vulnerabilities
Sam Hocevar reports: Multiple memory leaks and invalid memory accesses: CVE-2018-20545: Illegal WRITE memory access at common-image.c CVE-2018-20546: Illegal READ memory access at caca/dither.c CVE-2018-20547: Illegal READ memory access at caca/dither.c CVE-2018-20548: Illegal WRITE memory access...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 19 security fixes, including: 1246631 High CVE-2021-37981: Heap buffer overflow in Skia. Reported by Yangkang @dnpushme of 360 ATA on 2021-09-04 1248661 High CVE-2021-37982: Use after free in Incognito. Reported by Weipeng Jiang @Krace from Codesafe...
mailman -- brute-force vuln on list admin password, and CSRF vuln in releases before 2.1.35
Mark Sapiro reports: A potential for a list member to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed. A CSRF attack via the user options page could allow takeover of a users...
MySQL -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 66 new security patches for Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The highest CVSS v3.1 Base Score of vulnerabilitie...
minio -- policy restriction issue
minio developers report: Looks like policy restriction was not working properly for normal users when they are not svc or STS accounts. svc accounts are now properly fixed to get the right permissions when inherited, so we do not have to set 'owner = true'. STS accounts have always been using righ...
Node.js -- October 2021 Security Releases
Node.js reports: HTTP Request Smuggling due to spaces in headers (Medium) CVE-2021-22959: The http parser accepts requests with a space (SP) right after the header name, before the colon. This can lead to HTTP Request Smuggling (HRS). HTTP Request Smuggling when parsing the body (Medium) CVE-2021-22960: The...
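The first Node.js item above is a framing disagreement: RFC 7230 forbids whitespace between a header field name and the colon, so a parser that tolerates "Transfer-Encoding : chunked" can honour a header that a stricter front-end ignores or rejects, and the two then disagree about where the request body ends. The following is an added illustration, not Node.js code and not from the advisory: a minimal request parser with three policies for a malformed header line (reject, ignore, accept), body framing per RFC 7230 section 3.3.3, and a constructed request that a Content-Length front-end would forward as one message while a lenient back-end sees a second, smuggled request. The header names, body and "/admin" path are constructed for the example.

```ruby
class MalformedRequest < StandardError; end

# Constructed request (not from the advisory). Content-Length covers the whole
# payload, so a front-end that drops the malformed Transfer-Encoding line sees
# one request; a parser that accepts it stops at the 0-chunk and treats the
# rest of the bytes as the start of the next request on the connection.
SMUGGLED     = "GET /admin HTTP/1.1\r\nHost: app.internal\r\n\r\n".freeze
CHUNKED_BODY = ("0\r\n\r\n" + SMUGGLED).freeze
RAW_REQUEST  = ("POST / HTTP/1.1\r\n" \
                "Host: app.internal\r\n" \
                "Content-Length: #{CHUNKED_BODY.bytesize}\r\n" \
                "Transfer-Encoding : chunked\r\n" \
                "\r\n" + CHUNKED_BODY).freeze

TOKEN = "[!\#$%&'*+\\-.^_`|~0-9A-Za-z]+".freeze
# RFC 7230 3.2.4: no whitespace is allowed between the field name and ":".
STRICT_HEADER  = /\A(#{TOKEN}):[ \t]*(.*?)[ \t]*\z/
# Tolerant variant: whitespace before the colon is accepted.
LENIENT_HEADER = /\A(#{TOKEN})[ \t]*:[ \t]*(.*?)[ \t]*\z/

# mode: :reject raises on a malformed header line, :ignore skips it (a tolerant
# proxy), :accept parses it with the lenient grammar (the behaviour at issue).
def parse_request(raw, mode:)
  head, body = raw.split("\r\n\r\n", 2)
  request_line, *header_lines = head.split("\r\n")
  headers = {}
  header_lines.each do |line|
    if (m = STRICT_HEADER.match(line))
      headers[m[1].downcase] = m[2]
    elsif mode == :accept && (m = LENIENT_HEADER.match(line))
      headers[m[1].downcase] = m[2]
    elsif mode == :reject
      raise MalformedRequest, "bad header line: #{line.inspect}"
    end # :ignore drops the line silently
  end
  { request_line: request_line, headers: headers, body: body.to_s }
end

# Decode a chunked body; returns [decoded body, bytes left after the terminator].
def read_chunked(data)
  out = +""
  pos = 0
  loop do
    nl = data.index("\r\n", pos) or raise MalformedRequest, "truncated chunk size"
    size = data[pos...nl].split(";").first.to_i(16)
    pos = nl + 2
    if size.zero?
      until data[pos, 2] == "\r\n"           # skip any trailer fields
        nl = data.index("\r\n", pos) or raise MalformedRequest, "truncated trailers"
        pos = nl + 2
      end
      return [out, data[(pos + 2)..-1]]
    end
    out << data[pos, size]
    pos += size + 2                         # chunk data plus its CRLF
  end
end

# RFC 7230 3.3.3: a Transfer-Encoding header overrides Content-Length.
def frame_body(parsed)
  headers, data = parsed[:headers], parsed[:body]
  if headers["transfer-encoding"].to_s.downcase == "chunked"
    body, rest = read_chunked(data)
    { framing: :chunked, body: body, leftover: rest }
  else
    len = Integer(headers.fetch("content-length", "0"))
    { framing: :content_length, body: data.byteslice(0, len),
      leftover: data.byteslice(len..-1) || "" }
  end
end

# Front-end ignores the malformed line; back-end accepts it. Returns what each
# side believes the body is and what the back-end leaves on the wire.
def desync_report(raw = RAW_REQUEST)
  front = frame_body(parse_request(raw, mode: :ignore))
  back  = frame_body(parse_request(raw, mode: :accept))
  { front_framing: front[:framing], front_body: front[:body],
    back_framing: back[:framing], smuggled: back[:leftover] }
end

if __FILE__ == $0
  r = desync_report
  puts "front-end (#{r[:front_framing]}) body bytes: #{r[:front_body].bytesize}"
  puts "back-end  (#{r[:back_framing]}) leftover:\n#{r[:smuggled]}"
end
```

A parser in :reject mode answers this request with an error, which is the only behaviour that closes the gap regardless of what sits in front of it; the fix described in the advisory moves Node's parser toward that position.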