Tomas | Docs | FAQ | Premium Support Security Vulnerabilities

CVE-2023-42124

Avast Premium Security Sandbox Protection Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Premium Security. An attacker must first obtain the ability to execute low-privileged code on...

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to a code execution vulnerability in Node.js ( CVE-2024-27980)

Summary Potential code execution vulnerability in Node.js ( CVE-2024-27980) has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details ** CVEID: CVE-2024-27980 ...

(RHSA-2024:2132) Moderate: fence-agents security and bug fix update

The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. Security Fix(es): urllib3: Request body not stripped after redirect from 303 status...

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to sensitive information exposure in Kubernetes [CVE-2020-8565]

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to sensitive information exposure in Kubernetes, caused by a flaw when kube-apiserver is using logLevel >= 9 [CVE-2020-8565]. Kubernetes is included in the Speech utilities used by our service. This...

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to sensitive information exposure in Kubernetes [CVE-2019-11250]

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to sensitive information exposure in Kubernetes, caused by storing credentials in the log by the client-go library [CVE-2019-11250]. Kubernetes is included in the Speech utilities used by our service. This...

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in ISC BIND [CVE-2023-50868]

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in ISC BIND, caused by an error when preparing an NSEC3 closest encloser proof. [CVE-2023-50868]. ISC BIND is included as a Base OS package used by our Service Runtimes. This vulnerabilitiy....

AIX is affected by a denial of service due to Python (CVE-2024-0450)

IBM SECURITY ADVISORY First Issued: Mon Jun 24 15:07:51 CDT 2024 The most recent version of this document is available here: https://aix.software.ibm.com/aix/efixes/security/python_advisory10.asc Security Bulletin: AIX is affected by a denial of service due to Python (CVE-2024-0450)...

CVE-2021-4160 BN_mod_exp may produce incorrect results on MIPS

There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis...

Medium: iperf3

Issue Overview: It is possible for a malicious or malfunctioning client to send less than the expected amount of data to the server. If this happens, the server will hang indefinitely waiting for the remainder (or until the connection gets closed). Because iperf3 is deliberately designed to...

Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server Liberty, OpenSSL, libcurl, and Apache Xerces C++ XML parser may affect IBM Storage Protect Backup-Archive Client

Summary IBM Storage Protect Backup-Archive Client can be affected by security flaws in IBM WebSphere Application Server Liberty, OpenSSL, libcurl, and Apache Xerces C++ XML parser. The flaws can lead to server-side request forgery, bypass of security restrictions, denial of service, and arbitrary.....

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Boot arbitrary denial of service vulnerability ( CVE-2023-34053)

Summary Potential VMware Tanzu Spring Boot arbitrary denial of service vulnerability (CVE-2023-34053) has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability have been addressed. Refer to details for additional information. Vulnerability Details **...

CVE-2018-5276

In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c40e018. NOTE: the vendor reported that they "have not been able to reproduce the...

CVE-2018-5276

In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c40e018. NOTE: the vendor reported that they "have not been able to reproduce the...

K000140042: libldap vulnerability CVE-2020-15719

Security Advisory Description libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8.....

CVE-2022-36071

SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,.....

CVE-2022-48754

In the Linux kernel, the following vulnerability has been resolved: phylib: fix potential use-after-free Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call to phy_device_reset(phydev) after the put_device() call in phy_detach(). The comment before the put_device() call says...

CVE-2022-48754

In the Linux kernel, the following vulnerability has been resolved: phylib: fix potential use-after-free Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call to phy_device_reset(phydev) after the put_device() call in phy_detach(). The comment before the put_device() call...

openSUSE Security Update : wireshark (openSUSE-2019-1045)

This update for wireshark fixes the following issues : Update to Wireshark 2.4.11 (bsc#1117740). Security issues fixed : CVE-2018-19625: The Wireshark dissection engine could crash (wnpa-sec-2018-51) CVE-2018-19626: The DCOM dissector could crash (wnpa-sec-2018-52) CVE-2018-19623:...

CVE-2024-38612

In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix invalid unregister error path The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL is not defined. In that case if seg6_hmac_init() fails, the genl_unregister_family() isn't called. This issue...

CVE-2024-36394

SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command...

CVE-2024-38620

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HCI: Remove HCI_AMP support Since BT_HS has been remove HCI_AMP controllers no longer has any use so remove it along with the capability of creating AMP controllers. Since we no longer need to differentiate between...

Security Bulletin: Multiple vulnerabilities in angular.js affect IBM Business Automation Workflow.

Summary IBM Business Automation Workflow packages a vulnerable copy of angular.js. Vulnerability Details ** CVEID: CVE-2023-26117 DESCRIPTION: **AngularJS is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the $resource service. By providing...

Exploit for Use of a Broken or Risky Cryptographic Algorithm in Vmware Aria Operations For Networks

CVE-2023-34039 POC for CVE-2023-34039 VMWare Aria Operations...

Grafana folders admin only permission privilege escalation

Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-36062 that affects Grafana instances which are using Grafana role-based access control (RBAC). Release 9.1.6, latest patch, also containing security fix: Download Grafana.....

Scale-Out Backup Repository Offload task fails with "There is not enough space on the disk"

Veeam Support Knowledge Base answer to: Scale-Out Backup Repository Offload task fails with "There is not enough space on the...

BeyondTrust Secure Remote Access Base <=6.0.1 - Cross-Site Scripting

BeyondTrust Secure Remote Access Base through 6.0.1 contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary web script or...

CVE-2021-4160

There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis...

Security Bulletin: IBM Storage Fusion HCI is vulnerable to unauthorized access due to a flaw in Ceph RGW.

Summary Ceph is used by IBM Storage Fusion HCI if IBM Storage Fusion HCI is configured with the Data Foundation service. CVE-2023-43040. Vulnerability Details ** CVEID: CVE-2023-43040 DESCRIPTION: **IBM Spectrum Fusion HCI could allow an attacker to perform unauthorized actions in RGW for Ceph...

[SECURITY] Fedora 40 Update: qt6-qtwayland-6.7.1-1.fc40

Qt6 - Wayland platform support and QtCompositor...

CVE-2023-35885

CloudPanel 2 before 2.3.1 has insecure file-manager cookie...

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to open redirect vulnerability in VMware Tanzu Spring Framework ( CVE-2024-22243)

Summary Potential open redirect vulnerability in VMware Tanzu Spring Framework ( CVE-2024-22243) has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details ** CVEID:...

CVE-2024-33881

An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows an NTLMv2 hash leak via a UNC share pathname in the path...

[SECURITY] Fedora 39 Update: ntpd-rs-1.1.2-2.fc39

Full-featured implementation of NTP with NTS...

CVE-2022-40152

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service...

[SECURITY] Fedora 40 Update: qt5-qt3d-5.15.14-1.fc40

Qt 3D provides functionality for near-realtime simulation systems with support for 2D and 3D rendering in both Qt C++ and Qt Quick...

Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affect IBM Watson Explorer ( CVE-2024-22329, CVE-2023-50312)

Summary IBM WebSphere Application Server and IBM WebSphere Application Server Liberty is used by IBM Watson Explorer. IBM Watson Explorer has addressed the applicable CVE ( CVE-2024-22329, CVE-2023-50312). Vulnerability Details ** CVEID: CVE-2024-22329 DESCRIPTION: **IBM WebSphere Application...

CVE-2024-24790 vulnerabilities

Vulnerabilities for packages: cni-plugins, local-static-provisioner, gomplate, nats-server, vexctl, nri-elasticsearch, nri-jmx, xcaddy, yam, newrelic-infrastructure-agent, spire-server, ipfs, nri-nginx, telegraf, flannel-cni-plugin, cadvisor, gobump, sbom-scorecard, ytt,...

Security Bulletin: IBM MQ Appliance vulnerable to open redirect (CVE-2024-29041)

Summary IBM MQ Appliance has addressed an open redirect vulnerability. Vulnerability Details CVEID: CVE-2024-29041 DESCRIPTION: Express.js Express could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using....

Medium: python3-jinja2

Issue Overview: Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, &gt;, or =, as each would then be interpreted as starting a separate attribute. If an...

Security Bulletin: IBM WebSphere Application Server is vulnerable to cross-site scripting (CVE-2024-35153)

Summary IBM WebSphere Application Server is vulnerable to cross-site scripting in the administrative console. Vulnerability Details ** CVEID: CVE-2024-35153 DESCRIPTION: **IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed...

Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2024-37532)

Summary WebSphere Application Server is shipped as a component of IBM Business Automation Workflow. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional have been published in a security bulletin. Vulnerability Details Refer to the security bulletin(s).....

Security Bulletin: IBM Master Data Management is vulnerable to identity spoofing caused by vulnerabilites in IBM WebSphere Application Server

Summary IBM Master Data Management version 11.6 and 12.0 is impacted by vulnerability to identity spoofing in WebSphere Application Server. IBM WebSphere Application Server is vulnerable to identity spoofing by an authenticated user due to improper signature validation. Vulnerability Details **...

Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server Liberty and Apache Xerces C++ XML parser may affect IBM Storage Protect for Space Management

Summary IBM Storage Protect for Space Management can be affected by security flaws in IBM WebSphere Application Server Liberty and Apache Xerces C++ XML parser. The flaws can lead to server-side request forgery,, denial of service, and arbitrary code execution, as described in the "Vulnerability...

Security Bulletin: Denial of service and password enumeration might affect IBM Storage Defender – Resiliency Service

Summary IBM Storage Defender – Resiliency Service is vulnerable and can result in data confidentiality and service availabilty issues. The vulnerabilities have been addressed. CVE-2023-45288, CVE-2024-25031, CVE-2024-38322, CVE-2024-33883. Vulnerability Details ** CVEID: CVE-2023-45288 ...

[SECURITY] [DSA 5701-1] chromium security update

Debian Security Advisory DSA-5701-1 [email protected] https://www.debian.org/security/ Andres Salomon May 31, 2024 https://www.debian.org/security/faq Package : chromium CVE ID : CVE-2024-5493 CVE-2024-5494...

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Boot arbitrary denial of service vulnerability ( CVE-2023-34053)

Summary Potential VMware Tanzu Spring Boot arbitrary denial of service vulnerability (CVE-2023-34053) has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability have been addressed. Refer to details for additional information. Vulnerability Details **...

Brocade Fabric OS switch encrypted passwords in the Brocade SANnav Standby node support save (CVE-2024-29959).

A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints Brocade Fabric OS switch encrypted passwords in the Brocade SANnav Standby node's support...

Security Bulletin: Security vulnerabilities have been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool.

Summary There are security vulnerabilities in IBM WebSphere Application Server Liberty used by IBM License Metric Tool. Vulnerability Details ** CVEID: CVE-2024-22329 DESCRIPTION: **IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3...

Security Bulletin: IBM Tivoli Composite Application Manager for Application Diagnostics installed IBM WebSphere Application Server is vulnerable to cross-site scripting in the administrative console (CVE-2024-35153).

Summary The security issue described in CVE-2024-35153 has been identified in the WebSphere Application Server included as part of IBM Tivoli Composite Application Manager for Application Diagnostics. Vulnerability Details Refer to the security bulletin(s) listed in the Remediation/Fixes section...

CVE-2024-33881

An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows an NTLMv2 hash leak via a UNC share pathname in the path...