FreeBSD -- SAE confirm missing state validation
Problem Description: When hostapd is used to operate an access point with SAE (Simultaneous Authentication of Equals; also known as WPA3-Personal), an invalid authentication sequence could result in the hostapd process terminating due to a NULL pointer dereference when processing SAE confirm messag...
FreeBSD -- EAP-pwd side-channel attack
Problem Description: Potential side channel attacks in the SAE implementations used by both hostapd and wpa_supplicant (see CVE-2019-9494 and VU#871675). EAP-pwd uses a similar design for deriving PWE from the password and while a specific attack against EAP-pwd is not yet known to be tested, there i...
Gitlab -- Group Runner Registration Token Exposure
Gitlab reports: Group Runner Registration Token Exposure...
libxslt -- security framework bypass
Mitre report: libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded...
webkit2-gtk3 -- Multiple vulnerabilities
The WebKitGTK project reports many vulnerabilities, including several arbitrary code execution vulnerabilities...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Medium, SECURITY-1289: Jenkins accepted cached legacy CLI authentication; Medium, SECURITY-1327: XSS vulnerability in form validation button...
dovecot -- json encoder crash
Aki Tuomi reports: CVE-2019-10691: Trying to login with 8bit username containing invalid UTF8 input causes auth process to crash if auth policy is enabled. This could be used rather easily to cause a DoS. Similar crash also happens during mail delivery when using invalid UTF8 in From or Subject...
Flash Player -- multiple vulnerabilities
Adobe reports: This update resolves a use-after-free vulnerability that could lead to arbitrary code execution (CVE-2019-7096). This update resolves an out-of-bounds read vulnerability that could lead to information disclosure (CVE-2019-7108)...
PHP -- Multiple vulnerabilities in EXIF module
The PHP project reports: Heap-buffer-overflow in php_ifd_get32s (CVE-2019-11034); Heap-buffer-overflow in exif_iif_add_value (CVE-2019-11035)...
Apache -- Multiple vulnerabilities
The Apache httpd Project reports: Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211), important; mod_auth_digest access control bypass (CVE-2019-0217), important; mod_ssl access control bypass (CVE-2019-0215), important; mod_http2, possible crash on late upgrade (CVE-2019-0197), low...
Gitlab -- Multiple vulnerabilities
Gitlab reports: DoS potential for regex in CI/CD refs; Related branches visible in issues for guests; Persistent XSS at merge request resolve conflicts; Improper authorization control "move issue"; Guest users of private projects have access to releases; DoS potential on project languages page; Recurit...
Istio -- Security vulnerabilities
Istio reports: Two security vulnerabilities have recently been identified in the Envoy proxy. The vulnerabilities are centered on the fact that Envoy did not normalize HTTP URI paths and did not fully validate HTTP/1.1 header values. These vulnerabilities impact Istio features that rely on Envoy ...
clamav -- multiple vulnerabilities
Clamav reports: An out-of-bounds heap read condition may occur when scanning PDF documents; An out-of-bounds heap read condition may occur when scanning PE files; An out-of-bounds heap write condition may occur when scanning OLE2 files; An out-of-bounds heap read condition may occur when scanning...
Jupyter notebook -- open redirect vulnerability
Jupyter blog: Login pages tend to take a parameter for redirecting back to a page after successful login, e.g. /login?next=/notebooks/mynotebook.ipynb, so that you aren't disrupted too much if you try to visit a page, but have to authenticate first. An Open Redirect Vulnerability is when a...
Kubectl -- Potential directory traversal
Kubernetes.io reports: A security issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal replacing or deleting files on a user’s workstation...
GnuTLS -- double free, invalid pointer access
The GnuTLS project reports: Tavis Ormandy from Google Project Zero found a memory corruption double free vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected. It was found using the TLS fuzzer...
Ghostscript -- Security bypass vulnerability
Cedric Buissart (Red Hat) reports: It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by...
znc -- Denial of Service
Mitre reports: ZNC before 1.7.3-rc1 allows an existing remote user to cause a Denial of Service crash via invalid encoding...
drupal -- Drupal core - Moderately critical - Cross Site Scripting
Drupal Security Team reports: Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting XSS vulnerability...
Gitlab -- Vulnerability
Gitlab reports: Project Runner Token Exposed Through Issues Quick Actions...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2019-9790: Use-after-free when removing in-use DOM elements; CVE-2019-9791: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey; CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script; CVE-2019-9793: Improper...
PowerDNS -- Insufficient validation in the HTTP remote backend
PowerDNS developers report: An issue has been found in PowerDNS Authoritative Server when the HTTP remote backend is used in RESTful mode without post=1 set, allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one, via a crafted DNS...
PuTTY -- security fixes in new release
The PuTTY team reports: New in 0.71: Security fixes found by an EU-funded bug bounty programme: + a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification + potential recycling of random numbers used in cryptography + on Unix, remotely triggerable...
suricata -- buffer over-read
Mitre reports: An issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the function SSHParseBanner is composed only of a \n character, then the program runs into a heap-based buffer over-read. This occurs because the erroneous search for \r results in an integer underflow...
Gitlab -- Vulnerability
Gitlab reports: Public project in a private group makes the group page publicly accessible...
libssh2 -- multiple issues
libssh2 developers report: Defend against possible integer overflows in comp_method_zlib_decomp. Defend against writing beyond the end of the payload in _libssh2_transport_read. Sanitize padding_length in _libssh2_transport_read. This prevents an underflow resulting in a potential out-of-bounds read if a...
python 3.7 -- multiple vulnerabilities
Python changelog: bpo-37463: ssl.match_hostname no longer accepts IPv4 addresses with additional text after the address and only quad-dotted notation without trailing whitespaces. Some inet_aton implementations ignore whitespace and all data after whitespace, e.g. '127.0.0.1 whatever'. bpo-35907:...
Rails -- Action View vulnerabilities
Ruby on Rails blog: Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 have been released! These contain the following important security fixes. It is recommended that users upgrade as soon as possible: CVE-2019-5418 File Content Disclosure in Action View CVE-2019-5419 Denial of Service...
python 3.6 -- multiple vulnerabilities
Python changelog: bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener.open and URLopener.retrieve of urllib.request. bpo-36742: Fixes mishandling of pre-normalization characters in urlsplit. bpo-30458: Address CVE-2019-9740 by...
wordpress -- multiple issues
wordpress developers report: Hosts can now offer a button for their users to update PHP. The recommended PHP version used by the Update PHP notice can now be filtered...
gitea -- XSS vulnerability
Gitea Team reports: Fix potential XSS vulnerability in repository description...
tcpreplay -- Multiple vulnerabilities
fklassen on GitHub reports: This release fixes the following security issues: memory access in do_checksum; NULL pointer dereference in get_layer4_v6; NULL pointer dereference in get_ipv6_l4proto...
Dovecot -- Multiple vulnerabilities
Aki Tuomi reports: Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting. This can lead to denial-of-service attack by persistent attackers. Aki Tuomi reports: Submission-login crashes when authentication is started over TLS secured...
Jupyter notebook -- cross-site inclusion (XSSI) vulnerability
Jupyter notebook Changelog: 5.7.6 contains a security fix for a cross-site inclusion XSSI vulnerability, where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server. The fix involves setting the X-Content-Type-Options: nosniff...
py-bleach -- regular expression denial-of-service
Bleach developers report: bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean..., attributes='a': 'style'...
ImageMagick -- multiple vulnerabilities
cvedetails.com reports: CVE-2019-7175: In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c. CVE-2019-7395: In ImageMagick before 7.0.8-25, a memory leak exists in WritePSDChannel in coders/psd.c. CVE-2019-7396: In ImageMagick before 7.0.8-25, a memory leak exist...
OpenSSL -- ChaCha20-Poly1305 nonce vulnerability
The OpenSSL project reports: Low: ChaCha20-Poly1305 with long nonces (CVE-2019-1543). ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length a...
rt -- XSS via jQuery
BestPractical reports: The version of jQuery used in RT 4.2 and 4.4 has a Cross-site Scripting XSS vulnerability when using cross-domain Ajax requests. This vulnerability is assigned CVE-2015-9251. RT does not use this jQuery feature so it is not directly vulnerable. jQuery version 1.12 no longer...
RubyGems -- multiple vulnerabilities
RubyGems Security Advisories: CVE-2019-8320: Delete directory using symlink when decompressing tar CVE-2019-8321: Escape sequence injection vulnerability in 'verbose' CVE-2019-8322: Escape sequence injection vulnerability in 'gem owner' CVE-2019-8323: Escape sequence injection vulnerability in AP...
Gitlab -- Multiple vulnerabilities
Gitlab reports: Arbitrary file read via MergeRequestDiff CSRF add Kubernetes cluster integration Blind SSRF in prometheus integration Merge request information disclosure IDOR milestone name information disclosure Burndown chart information disclosure Private merge request titles in public projec...
py-twisted -- multiple vulnerabilities
Twisted developers report: All HTTP clients in twisted.web.client now raise a ValueError when called with a method and/or URL that contain invalid characters. This mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this vulnerability. The HTTP/2 server implementation now enforces T...
Node.js -- multiple vulnerabilities
Node.js reports: Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for a moderate severity security vulnerability. For these releases, we have...
mybb -- vulnerabilities
mybb Team reports: Medium risk: Reset Password reflected XSS Medium risk: ModCP Profile Editor username reflected XSS Low risk: Predictable CSRF token for guest users Low risk: ACP Stylesheet Properties XSS Low risk: Reset Password username enumeration via email...
glpi -- stored XSS
MITRE Corporation reports: inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture...
drupal -- Drupal core - Highly critical - Remote Code Execution
Drupal Security Team reports: Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases...
OpenSSL -- Padding oracle vulnerability
The OpenSSL project reports: 0-byte record padding oracle (CVE-2019-1559), Moderate. If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte...
libsndfile -- out-of-bounds read memory access
RedHat reports: It was discovered the fix for CVE-2018-19758 was not complete and still allows a read beyond the limits of a buffer in the wav_write_header function in wav.c. A local attacker may use this flaw to make the application crash...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2018-18356: Use-after-free in Skia CVE-2019-5785: Integer overflow in Skia CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext...
TightVNC -- Multiple Vulnerabilities
MITRE reports: TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP...
Flash Player -- information disclosure
Adobe reports: This update resolves an out-of-bounds vulnerability that could lead to information disclosure (CVE-2019-7090)...