6581 matches found
hiredis -- integer/buffer overflow
hiredis maintainers report: Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted RESP mult-bulk protocol data. When parsing multi-bulk array-like replies, hiredis fails to check if count sizeofredisReply can be represented in SIZEMAX. If it can not, and the callo...
chromium -- multiple vulnerabilities
Chrome Releases/Stable updates reports: This release contains 4 security fixes, including: 1245578 High CVE-2021-37974: Use after free in Safe Browsing. Reported by Weipeng Jiang @Krace from Codesafe Team of Legendsec at Qi'anxin Group on 2021-09-01 1252918 High CVE-2021-37975: Use after free in...
Gitlab -- vulnerabilities
Gitlab reports: Stored XSS in merge request creation page Denial-of-service attack in Markdown parser Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown DNS Rebinding vulnerability in Gitea importer Exposure of trigger tokens on project exports Improper access control for...
Cleartext leak in libudisks
From libudisks 2.9.4 NEWS: udiskslinuxblock: Fix leaking cleartext block interface...
libmysoft -- Heap-based buffer overflow vulnerability
Zhengjie Du reports: There are some heap-buffer-overflows in mysofa2json of libmysofa. They are in function loudness, mysofacheck and readOHDRHeaderMessageDataLayout...
OpenSSH -- OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand
OpenBSD Project reports: sshd8 from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as ...
chromium -- use after free in Portals
Chrome Releases reports: 1251727 High CVE-2021-37973 : Use after free in Portals. Reported by Clement Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21 Google is aware that an exploit for CVE-2021-37973 exists in the wild...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update contains 19 security fixes, including: 1243117 High CVE-2021-37956: Use after free in Offline use. Reported by Huyna at Viettel Cyber Security on 2021-08-24 1242269 High CVE-2021-37957: Use after free in WebGPU. Reported by Looben Yang on 2021-08-23 1223290 Hi...
webkit2-gtk3 -- multiple vulnerabilities
The WebKitGTK project reports vulnerabilities: CVE-2021-30858: Processing maliciously crafted web content may lead to arbitrary code execution...
Apache httpd -- multiple vulnerabilities
The Apache project reports: moderate: Request splitting via HTTP/2 method injection and modproxy CVE-2021-33193 moderate: NULL pointer dereference in httpd core CVE-2021-34798 moderate: modproxyuwsgi out of bound read CVE-2021-36160 low: apescapequotes buffer overflow CVE-2021-39275 high: modprox...
cURL -- Multiple vulnerabilities
The cURL project reports: UAF and double-free in MQTT sending CVE-2021-22945 Protocol downgrade required TLS bypassed CVE-2021-22946 STARTTLS protocol injection via MITM CVE-2021-22945...
seatd-launch -- privilege escalation with SUID
Kenny Levinsen reports: seatd-launch used execlp, which reads the PATH environment variable to search for the requested executable, to execute seatd. This meant that the caller could freely control what executable was loaded by adding a user-writable directory to PATH. If seatd-launch had the SUI...
Grafana -- Snapshot authentication bypass
Grafana Labs reports: Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key If the snapshot "publicmode" configuration setting is set to true vs default of false,...
tcpslice -- heap-based use-after-free in extract_slice()
The Tcpdump Group reports: heap-based use-after-free in extractslice...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release includes 11 security fixes, including: 1237533 High CVE-2021-30625: Use after free in Selection API. Reported by Marcin Towalski of Cisco Talos on 2021-08-06 1241036 High CVE-2021-30626: Out of bounds memory access in ANGLE. Reported by Jeonghoon Shin of Theo...
py39-rencode -- infinite loop that could lead to Denial of Service
NIST reports: The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding such as via ;\x2f\x7f, enabling a remote attack that consumes CPU and memory...
cryptopp -- ElGamal implementation allows plaintext recovery
Crypto++ 8.6 release notes reports: The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the...
WeeChat -- Crash when decoding a malformed websocket frame in relay plugin.
The WeeChat project reports: Crash when decoding a malformed websocket frame in relay plugin...
MPD5 PPPoE Server remotely exploitable crash
Version 5.92 contains security fix for PPPoE servers. Insufficient validation of incoming PPPoE Discovery request specially crafted by unauthenticated user might lead to unexpected termination of the process. The problem affects mpd versions since 5.0. Installations not using PPPoE server...
Pillow -- Regular Expression Denial of Service (ReDoS)
GitHub Advisory Database reports: Uncontrolled Resource Consumption in pillow. The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service ReDoS via the getrgb function. References: https://nvd.nist.gov/vuln/detail/CVE-2021-23437...
Gitlab -- Vulnerabilities
Gitlab reports: Stored XSS in DataDog Integration Invited group members continue to have project access even after invited group is deleted Specially crafted requests to apollouploadserver middleware leads to denial of service Privilege escalation of an external user through project token Missing...
py-matrix-synapse -- several vulnerabilities
Matrix developers report: This release patches two moderate severity issues which could reveal metadata about private rooms: CVE-2021-39164: Enumerating a private room's list of members and their display names. CVE-2021-39163: Disclosing a private room's name, avatar, topic, and number of members...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 27 security fixes, including: 1233975 High CVE-2021-30606: Use after free in Blink. Reported by Nan Wang @eternalsakura13 and koocola @alocook of 360 Alpha Lab on 2021-07-28 1235949 High CVE-2021-30607: Use after free in Permissions. Reported by...
Node.js -- August 2021 Security Releases (2)
Node.js reports: npm 6 update - node-tar, arborist, npm cli modules These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal...
Python -- multiple vulnerabilities
Python reports: bpo-42278: Replaced usage of tempfile.mktemp with TemporaryDirectory to avoid a potential race condition. bpo-44394: Update the vendored copy of libexpat to 2.4.1 from 2.2.8 to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and...
Python -- multiple vulnerabilities
Python reports: bpo-44394: Update the vendored copy of libexpat to 2.4.1 from 2.2.8 to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS. bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n...
Python -- multiple vulnerabilities
Python reports: bpo-42278: Replaced usage of tempfile.mktemp with TemporaryDirectory to avoid a potential race condition. bpo-41180: Add auditing events to the marshal module, and stop raising code.init events for every unmarshalled code object. Directly instantiated code objects will continue to...
consul -- rpc: authorize raft requests
Hashicorp reports: HashiCorp Consul Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation...
zeek -- several vulnerabilities
Tim Wojtulewicz of Corelight reports: Paths from log stream make it into system unchecked, potentially leading to commands being run on the system unintentionally. This requires either bad scripting or a malicious package to be installed, and is considered low severity. Fix potential unbounded...
libssh -- possible heap-buffer overflow vulnerability
libssh security advisories: The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secrethash and and the other sessionid. Initially, both of them are the same, but after key re-exchange, previous sessionid is kept and used as an input to new...
py-tflite -- denial of service vulnerability
Yakun Zhang of Baidu Security reports: An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service...
FreeBSD -- libfetch out of bounds read
Problem Description: The passive mode in FTP communication allows an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for p == '\0' one byte too late because...
OpenSSL -- multiple vulnerabilities
The OpenSSL project reports: SM2 Decryption Buffer Overflow CVE-2021-3711: High Read buffer overruns processing ASN.1 strings CVE-2021-3712: Moderate...
FreeBSD -- Remote code execution in ggatec(8)
Problem Description: The ggatec8 daemon does not validate the size of a response before writing it to a fixed-sized buffer. This allows to overwrite the stack of ggatec8. Impact: A malicious ggated8 or an attacker in a priviledged network position can overwrite the stack with crafted content and...
FreeBSD -- Missing error handling in bhyve(8) device models
Problem Description: Certain VirtIO-based device models failed to handle errors when fetching I/O descriptors. Such errors could be triggered by a malicious guest. As a result, the device model code could be tricked into operating on uninitialized I/O vectors, leading to memory corruption. Impact...
Matrix clients -- several vulnerabilities
Matrix developers report: Today we are disclosing a critical security issue affecting multiple Matrix clients and libraries including Element Web/Desktop/Android, FluffyChat, Nheko, Cinny, and SchildiChat. Specifically, in certain circumstances it may be possible to trick vulnerable clients into...
go -- archive/zip: overflow in preallocation check can cause OOM panic
The Go project reports: An oversight in the previous fix still allows for an OOM panic when the indicated directory size in the archive header is so large that subtracting it from the archive size overflows a uint64, effectively bypassing the check that the number of files in the archive is...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 9 security fixes, including: 1234764 High CVE-2021-30598: Type Confusion in V8. Reported by Manfred Paul on 2021-07-30 1234770 High CVE-2021-30599: Type Confusion in V8. Reported by Manfred Paul on 2021-07-30 1231134 High CVE-2021-30600: Use after fr...
PostgreSQL server -- Memory disclosure in certain queries
The PostgreSQL Project reports: A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include...
Node.js -- August 2021 Security Releases
Node.js reports: cares upgrade - Improper handling of untypical characters in domain names High CVE-2021-22931 Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which c...
fetchmail -- STARTTLS bypass vulnerabilities
Problem: In certain circumstances, fetchmail 6.4.21 and older would not encrypt the session using STARTTLS/STLS, and might not have cleared session state across the TLS negotiation...
couchdb -- user privilege escalation
Cory Sabol reports: A malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will ...
lynx -- SSL certificate validation error
Axel Beckert reports: ... I was able to capture the password given on the commandline in traffic of an TLS handshake using tcpdump and analysing it with Wireshark:...
Gitlab -- Gitlab
Gitlab reports: Stored XSS in Mermaid when viewing Markdown files Stored XSS in default branch name Perform Git actions with an impersonation token even if impersonation is disabled Tag and branch name confusion allows Developer to access protected CI variables New subscriptions generate OAuth...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 10 security fixes, including: 1227777 High CVE-2021-30590: Heap buffer overflow in Bookmarks. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-07-09 1229298 High CVE-2021-30591: Use after free in File System API. Reported by SorryMybad...
mod_auth_mellon -- Redirect URL validation bypass
Jakub Hrozek reports: Version 0.17.0 and older of modauthmellon allows the redirect URL validation to be bypassed by specifying an URL formatted as ///fishing-site.example.com/logout.html...
Node.js -- July 2021 Security Releases (2)
Node.js reports: Use after free on close http2 on stream canceling High CVE-2021-22930 Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior...
powerdns -- remotely triggered crash
powerdns reports: PowerDNS Security Advisory 2021-01: Specific query crashes Authoritative Server...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.14.6: Bump github.com/markbates/goth from v1.67.1 to v1.68.0 16538 16540 Switch to maintained JWT lib 16532 16535 Upgrade to latest version of golang-jwt as forked for 1.14 16590 16607...
pjsip -- Race condition in SSL socket server
pjsip reports: There are a couple of issues found in the SSL socket: A race condition between callback and destroy, due to the accepted socket having no group lock. SSL socket parent/listener may get destroyed during handshake...