-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.7563
         ICS Advisory | ICSA-23-348-10 Siemens SIMATIC S7-1500 CPU
                         1518(F)-4 PN/DP MFP V3.1
                             18 December 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Mitigation
CVE Names:         CVE-2023-45871 CVE-2023-45853 CVE-2023-45322
                   CVE-2023-44487 CVE-2023-42755 CVE-2023-42754
                   CVE-2023-40283 CVE-2023-39615 CVE-2023-39194
                   CVE-2023-39193 CVE-2023-39192 CVE-2023-39189
                   CVE-2023-39128 CVE-2023-38546 CVE-2023-38545
                   CVE-2023-38408 CVE-2023-35945 CVE-2023-35001
                   CVE-2023-34969 CVE-2023-34319 CVE-2023-32665
                   CVE-2023-32643 CVE-2023-32636 CVE-2023-32611
                   CVE-2023-31085 CVE-2023-29499 CVE-2023-29491
                   CVE-2023-29469 CVE-2023-29383 CVE-2023-28531
                   CVE-2023-28484 CVE-2023-27538 CVE-2023-27537
                   CVE-2023-27536 CVE-2023-27535 CVE-2023-27534
                   CVE-2023-27533 CVE-2023-27371 CVE-2023-26604
                   CVE-2023-25139 CVE-2023-25136 CVE-2023-24329
                   CVE-2023-23916 CVE-2023-23915 CVE-2023-23914
                   CVE-2023-5981 CVE-2023-5717 CVE-2023-5678
                   CVE-2023-5156 CVE-2023-4921 CVE-2023-4911
                   CVE-2023-4813 CVE-2023-4807 CVE-2023-4806
                   CVE-2023-4623 CVE-2023-4527 CVE-2023-4039
                   CVE-2023-4016 CVE-2023-3817 CVE-2023-3772
                   CVE-2023-3611 CVE-2023-3609 CVE-2023-3446
                   CVE-2023-3212 CVE-2023-2953 CVE-2023-2650
                   CVE-2023-1206 CVE-2023-1077 CVE-2023-0687
                   CVE-2023-0466 CVE-2023-0465 CVE-2023-0464
                   CVE-2023-0361 CVE-2023-0286 CVE-2023-0215
                   CVE-2022-48560 CVE-2022-48522 CVE-2022-48303
                   CVE-2022-46908 CVE-2022-45873 CVE-2022-45061
                   CVE-2022-43680 CVE-2022-43552 CVE-2022-43551
                   CVE-2022-42916 CVE-2022-42915 CVE-2022-42898
                   CVE-2022-40674 CVE-2022-40304 CVE-2022-40303
                   CVE-2022-37454 CVE-2022-37434 CVE-2022-35737
                   CVE-2022-35260 CVE-2022-35252 CVE-2022-32221
                   CVE-2022-32208 CVE-2022-32207 CVE-2022-32206
                   CVE-2022-32205 CVE-2022-30115 CVE-2022-29824
                   CVE-2022-29155 CVE-2022-28321 CVE-2022-27943
                   CVE-2022-27782 CVE-2022-27781 CVE-2022-27780
                   CVE-2022-27779 CVE-2022-27778 CVE-2022-27776
                   CVE-2022-27775 CVE-2022-27774 CVE-2022-26488
                   CVE-2022-25315 CVE-2022-25314 CVE-2022-25313
                   CVE-2022-25236 CVE-2022-25235 CVE-2022-24407
                   CVE-2022-23990 CVE-2022-23852 CVE-2022-23308
                   CVE-2022-23219 CVE-2022-23218 CVE-2022-22827
                   CVE-2022-22826 CVE-2022-22825 CVE-2022-22824
                   CVE-2022-22823 CVE-2022-22822 CVE-2022-22576
                   CVE-2022-4450 CVE-2022-4304 CVE-2022-3821
                   CVE-2022-3715 CVE-2022-2509 CVE-2022-2274
                   CVE-2022-2097 CVE-2022-2068 CVE-2022-1473
                   CVE-2022-1434 CVE-2022-1343 CVE-2022-1304
                   CVE-2022-1292 CVE-2022-1271 CVE-2022-0778
                   CVE-2022-0563 CVE-2022-0391 CVE-2021-46848
                   CVE-2021-46828 CVE-2021-46195 CVE-2021-46143
                   CVE-2021-45960 CVE-2021-43618 CVE-2021-43396
                   CVE-2021-41617 CVE-2021-38604 CVE-2021-37750
                   CVE-2021-37600 CVE-2021-36690 CVE-2021-36222
                   CVE-2021-36087 CVE-2021-36086 CVE-2021-36085
                   CVE-2021-36084 CVE-2021-35942 CVE-2021-33910
                   CVE-2021-33574 CVE-2021-33560 CVE-2021-33294
                   CVE-2021-32292 CVE-2021-31239 CVE-2021-28861
                   CVE-2021-28363 CVE-2021-28153 CVE-2021-28041
                   CVE-2021-27645 CVE-2021-27219 CVE-2021-27218
                   CVE-2021-27212 CVE-2021-23336 CVE-2021-22947
                   CVE-2021-22946 CVE-2021-22945 CVE-2021-22926
                   CVE-2021-22925 CVE-2021-22924 CVE-2021-22923
                   CVE-2021-22922 CVE-2021-22901 CVE-2021-22898
                   CVE-2021-22897 CVE-2021-22890 CVE-2021-22876
                   CVE-2021-20305 CVE-2021-20232 CVE-2021-20231
                   CVE-2021-20227 CVE-2021-20193 CVE-2021-4209
                   CVE-2021-4189 CVE-2021-4122 CVE-2021-3999
                   CVE-2021-3998 CVE-2021-3997 CVE-2021-3826
                   CVE-2021-3737 CVE-2021-3733 CVE-2021-3580
                   CVE-2021-3541 CVE-2021-3537 CVE-2021-3520
                   CVE-2021-3518 CVE-2021-3517 CVE-2021-3516
                   CVE-2021-3426 CVE-2021-3326 CVE-2021-3177
                   CVE-2020-36230 CVE-2020-36229 CVE-2020-36228
                   CVE-2020-36227 CVE-2020-36226 CVE-2020-36225
                   CVE-2020-36224 CVE-2020-36223 CVE-2020-36222
                   CVE-2020-36221 CVE-2020-35527 CVE-2020-35525
                   CVE-2020-29573 CVE-2020-29562 CVE-2020-29363
                   CVE-2020-29362 CVE-2020-29361 CVE-2020-28196
                   CVE-2020-27618 CVE-2020-26116 CVE-2020-25710
                   CVE-2020-25709 CVE-2020-25692 CVE-2020-24977
                   CVE-2020-24659 CVE-2020-22218 CVE-2020-21913
                   CVE-2020-21047 CVE-2020-19909 CVE-2020-19190
                   CVE-2020-19189 CVE-2020-19188 CVE-2020-19187
                   CVE-2020-19186 CVE-2020-19185 CVE-2020-15801
                   CVE-2020-15778 CVE-2020-15523 CVE-2020-15358
                   CVE-2020-14422 CVE-2020-14145 CVE-2020-13871
                   CVE-2020-13777 CVE-2020-13776 CVE-2020-13632
                   CVE-2020-13631 CVE-2020-13630 CVE-2020-13529
                   CVE-2020-13435 CVE-2020-13434 CVE-2020-12762
                   CVE-2020-12723 CVE-2020-12243 CVE-2020-12062
                   CVE-2020-11656 CVE-2020-11655 CVE-2020-11501
                   CVE-2020-10878 CVE-2020-10735 CVE-2020-10543
                   CVE-2020-10531 CVE-2020-10029 CVE-2020-9327
                   CVE-2020-8492 CVE-2020-8315 CVE-2020-8286
                   CVE-2020-8285 CVE-2020-8284 CVE-2020-8231
                   CVE-2020-8177 CVE-2020-8169 CVE-2020-7595
                   CVE-2020-6096 CVE-2020-1752 CVE-2020-1751
                   CVE-2020-1712 CVE-2019-1010180 CVE-2019-1010025
                   CVE-2019-1010024 CVE-2019-1010023 CVE-2019-1010022
                   CVE-2019-25013 CVE-2019-20907 CVE-2019-20795
                   CVE-2019-20388 CVE-2019-20367 CVE-2019-20218
                   CVE-2019-19959 CVE-2019-19956 CVE-2019-19926
                   CVE-2019-19925 CVE-2019-19924 CVE-2019-19923
                   CVE-2019-19906 CVE-2019-19880 CVE-2019-19646
                   CVE-2019-19645 CVE-2019-19603 CVE-2019-19317
                   CVE-2019-19244 CVE-2019-19242 CVE-2019-19126
                   CVE-2019-18348 CVE-2019-18276 CVE-2019-18224
                   CVE-2019-17595 CVE-2019-17594 CVE-2019-17543
                   CVE-2019-17498 CVE-2019-16905 CVE-2019-16168
                   CVE-2019-16056 CVE-2019-15903 CVE-2019-15847
                   CVE-2019-13627 CVE-2019-13565 CVE-2019-13057
                   CVE-2019-12904 CVE-2019-12900 CVE-2019-12290
                   CVE-2019-11360 CVE-2019-11340 CVE-2019-10160
                   CVE-2019-9948 CVE-2019-9947 CVE-2019-9937
                   CVE-2019-9936 CVE-2019-9923 CVE-2019-9740
                   CVE-2019-9674 CVE-2019-9636 CVE-2019-9169
                   CVE-2019-8457 CVE-2019-7309 CVE-2019-6488
                   CVE-2019-6111 CVE-2019-6110 CVE-2019-6109
                   CVE-2019-5482 CVE-2019-5481 CVE-2019-5443
                   CVE-2019-5436 CVE-2019-5435 CVE-2019-5188
                   CVE-2019-5094 CVE-2019-5018 CVE-2019-3863
                   CVE-2019-3862 CVE-2019-3861 CVE-2019-3860
                   CVE-2019-3859 CVE-2019-3858 CVE-2019-3857
                   CVE-2019-3856 CVE-2019-3855 CVE-2018-25032
                   CVE-2018-20843 CVE-2018-20482 CVE-2018-19591
                   CVE-2018-18928 CVE-2018-14567 CVE-2018-14404
                   CVE-2018-12886 CVE-2018-9251 CVE-2018-0495
                   CVE-2017-1000082 CVE-2017-18258 CVE-2017-17512
                   CVE-2017-16932 CVE-2017-16931 CVE-2017-9050
                   CVE-2017-9049 CVE-2017-9048 CVE-2017-9047
                   CVE-2017-7376 CVE-2017-7375 CVE-2017-0663
                   CVE-2016-10739 CVE-2016-10228 CVE-2016-10009
                   CVE-2016-9318 CVE-2016-5131 CVE-2016-4658
                   CVE-2016-3709 CVE-2016-3189 CVE-2016-1839
                   CVE-2015-20107 CVE-2015-8035 CVE-2014-7209
                   CVE-2013-4235 CVE-2013-0340 

Original Bulletin: 
   https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-10

Comment: CVSS (Max):  9.8 CVE-2023-45853 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NIST
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

---------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-348-10)

Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1

Release Date
December 14, 2023

As of January 10, 2023, CISA will no longer be updating ICS security advisories
for Siemens product vulnerabilities beyond the initial advisory. For the most
up-to-date information on vulnerabilities in this advisory, please see Siemens'
ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Siemens
  o Equipment: SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
  o Vulnerabilities: Improper Restriction of XML External Entity Reference,
    Time-of-check Time-of-use (TOCTOU) Race Condition, Command Injection,
    Missing Encryption of Sensitive Data, Cross-site Scripting, Improper
    Restriction of Operations within the Bounds of a Memory Buffer, Use After
    Free, Improper Input Validation, Out-of-bounds Write, Out-of-bounds Read,
    Infinite Loop, Improper Neutralization of Special Elements in Output Used
    by a Downstream Component ('Injection'), Allocation of Resources Without
    Limits or Throttling, Observable Discrepancy, Generation of Error Message
    Containing Sensitive Information, NULL Pointer Dereference, Integer
    Overflow or Wraparound, Uncontrolled Search Path Element, Double Free,
    Improper Encoding or Escaping of Output, Inappropriate Encoding for Output
    Context, Path Traversal, Improper Resource Shutdown or Release,
    Uncontrolled Resource Consumption, CRLF Injection, Encoding Error, Exposure
    of Resource to Wrong Sphere, Insufficient Entropy, Divide By Zero, Improper
    Check for Dropped Privileges, Improper Initialization, Incorrect Conversion
    between Numeric Types, Uncontrolled Recursion, Improper Check for Unusual
    or Exceptional Conditions, Improper Handling of Exceptional Conditions,
    Unrestricted Upload of File with Dangerous Type, Missing Release of
    Resource after Effective Lifetime, Missing Release of Memory after
    Effective Lifetime, Exposure of Sensitive Information to an Unauthorized
    Actor, Use of Insufficiently Random Values, Signed to Unsigned Conversion
    Error, Improper Certificate Validation, Incorrect Type Conversion or Cast,
    Classic Buffer Overflow, Authentication Bypass by Spoofing, Improper
    Privilege Management, Use of a Broken or Risky Cryptographic Algorithm,
    Incorrect Calculation, OS Command Injection, Untrusted Search Path,
    Reachable Assertion, Wrap or Wraparound, Release of Invalid Pointer or
    Reference, Type Confusion, XML Entity Expansion, Off-by-one Error,
    Insufficient Verification of Data Authenticity, Unchecked Return Value,
    Missing Initialization of Resource, Improper Validation of Integrity Check
    Value, Insufficiently Protected Credentials, Use of Incorrectly-Resolved
    Name or Reference, Use of Uninitialized Resource, Cleartext Transmission of
    Sensitive Information, Improper Link Resolution Before File Access ('Link
    Following'), Open Redirect, Inadequate Encryption Strength, Improper
    Authentication, SQL Injection, Server-Side Request Forgery (SSRF),
    Incorrect Default Permissions, Expected Behavior Violation, Improper
    Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow,
    Improper Validation of Array Index, Inefficient Algorithmic Complexity,
    Inefficient Regular Expression Complexity, Excessive Iteration, Heap-based
    Buffer Overflow, Protection Mechanism Failure, Deserialization of Untrusted
    Data

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in sensitive
information disclosure, tampering and deletion, or a denial-of-service
condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

  o SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): All versions
    prior to V3.1.0
  o SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0): All versions
    prior to V3.1.0
  o SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): All versions
    prior to V3.1.0
  o SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0): All versions
    prior to V3.1.0
  o SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): All versions
    prior to V3.1.0

3.2 Vulnerability Overview

3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

expat 2.1.0 and earlier does not properly handle entities expansion unless an
application developer uses the XML_SetEntityDeclHandler function, which allows
remote attackers to cause a denial-of-service (resource consumption), send HTTP
requests to intranet servers, or read arbitrary files via a crafted XML
document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that
because expat already provides the ability to disable external entity
expansion, the responsibility for resolving this issue lies with application
developers; according to this argument, this entry should be REJECTed, and each
affected application would need its own CVE.

CVE-2013-0340 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
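Added defensive example (not part of the advisory, of expat, or of Siemens code): the mitigation 3.2.1 names, an entity declaration handler installed through XML_SetEntityDeclHandler, as exposed by Python's pyexpat binding, so that any document declaring an entity is refused before expat could resolve it. The sample documents are constructed and the file path in them is a placeholder that is never read.

```python
import xml.parsers.expat as expat


class EntityDeclared(Exception):
    """Raised as soon as an untrusted document declares any entity."""


def _reject_entity_decl(name, is_param, value, base, system_id, public_id, notation):
    # pyexpat's EntityDeclHandler wraps XML_SetEntityDeclHandler: it fires for
    # every <!ENTITY ...> in the DTD before any reference to it can be expanded,
    # so the resource named by system_id is never fetched.
    raise EntityDeclared(name)


def _refuse_external_ref(context, base, system_id, public_id):
    # Defence in depth: returning 0 makes expat abort the parse with
    # XML_ERROR_EXTERNAL_ENTITY_HANDLING instead of resolving system_id.
    return 0


def _collect_text(chunks):
    def handler(data):
        chunks.append(data)
    return handler


def parse_untrusted(xml_bytes):
    """Parse untrusted XML with entity handling disabled.

    Returns {"ok": True, "text": ...} on success, or {"ok": False, "reason": ...}
    when the document declares an entity or is malformed; no file or network
    resource named in the document is ever opened.
    """
    parser = expat.ParserCreate()
    # Parameter entities (external DTD subsets) are never parsed either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _refuse_external_ref
    chunks = []
    parser.CharacterDataHandler = _collect_text(chunks)
    try:
        parser.Parse(xml_bytes, True)
    except EntityDeclared as exc:
        return {"ok": False, "reason": f"entity declared: {exc}"}
    except expat.ExpatError as exc:
        return {"ok": False, "reason": f"parse error: {exc}"}
    return {"ok": True, "text": "".join(chunks)}


# Constructed sample documents; the file path is a placeholder, never read.
SAFE_DOC = b"<config><name>plc-01</name></config>"
XXE_DOC = (b'<!DOCTYPE config [<!ENTITY ext SYSTEM "file:///placeholder/not-read">]>'
           b"<config>&ext;</config>")
# Nested internal entities (the expansion/resource-consumption case) are refused
# by the same handler, because they too must be declared before use.
EXPANSION_DOC = (b'<!DOCTYPE config [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                 b"<config>&b;</config>")
```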

3.2.2 TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION CWE-367

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and
removing directory trees

CVE-2013-4235 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N).

3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND
INJECTION') CWE-77

run-mailcap in the Debian mime-support package before 3.52-1+deb7u1 allows
context-dependent attackers to execute arbitrary commands via shell
metacharacters in a filename.

CVE-2014-7209 has been assigned to this vulnerability. A CVSS v3 base score of
9.0 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND
INJECTION') CWE-77

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape
characters into commands discovered in the system mailcap file. This may allow
attackers to inject shell commands into applications that call
mailcap.findmatch with untrusted input (if they lack validation of
user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8,
3.9.

CVE-2015-20107 has been assigned to this vulnerability. A CVSS v3 base score of
7.6 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).

3.2.5 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote
attackers to cause a denial-of-service (crash) via a crafted bzip2 file,
related to block ends set to before the start of the block.

CVE-2016-3189 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.6 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79

A possible cross-site scripting vulnerability exists in libxml after commit
960f0e2.

CVE-2016-3709 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

3.2.7 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before
10.12, tvOS before 10, and watchOS before 3, and other products) does not
forbid namespace nodes in XPointer ranges, which allows remote attackers to
execute arbitrary code or cause a denial-of-service (use-after-free and memory
corruption) via a crafted XML document.

CVE-2016-4658 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.8 USE AFTER FREE CWE-416

Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome
before 52.0.2743.82, allows remote attackers to cause a denial-of-service or
possibly have unspecified other impact via vectors related to the XPointer
range-to function.

CVE-2016-5131 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.9 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other
products, does not offer a flag directly indicating that the current document
may be read but other files may not be opened, which makes it easier for remote
attackers to conduct XML External Entity (XXE) attacks via a crafted document.

CVE-2016-9318 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.10 IMPROPER INPUT VALIDATION CWE-20

The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier,
when invoked with multiple suffixes in the destination encoding (TRANSLATE or
IGNORE) along with the -c option, enters an infinite loop when processing
invalid multi-byte input sequences, leading to a denial of service.

CVE-2016-10228 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.11 IMPROPER INPUT VALIDATION CWE-20

In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo
function would successfully parse a string that contained an IPv4 address
followed by whitespace and arbitrary characters, which could lead applications
to incorrectly assume that it had parsed a valid string, without the
possibility of embedded HTTP headers or other potentially dangerous substrings.

CVE-2016-10739 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

3.2.12 OUT-OF-BOUNDS WRITE CWE-787

A remote code execution vulnerability in libxml2 could enable an attacker using
a specially crafted file to execute arbitrary code within the context of an
unprivileged process. This issue is rated as High due to the possibility of
remote code execution in an application that uses this library.

CVE-2017-0663 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.13 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

A flaw in libxml2 allows remote XML entity inclusion with default parser flags
(i.e., when the caller did not request entity substitution, DTD validation,
external DTD subset loading, or default DTD attributes). Depending on the
context, this may expose a higher-risk attack surface in libxml2 not usually
reachable with default parser flags, and expose content from local files, HTTP,
or FTP servers (which might be otherwise unreachable).

CVE-2017-7375 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.14 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

Buffer overflow in libxml2 allows remote attackers to execute arbitrary code by
leveraging an incorrect limit for port values when handling redirects.

CVE-2017-7376 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.15 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

A buffer overflow vulnerability was discovered in libxml2
20904-GITv2.9.4-16-g0741801. This could allow an attacker to write about "size"
many bytes beyond the allocated memory. This vulnerability causes programs that
use libxml2, such as PHP, to crash.

CVE-2017-9047 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.16 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer
overflow. This vulnerability causes programs that use libxml2, such as PHP, to
crash.

CVE-2017-9048 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.17 OUT-OF-BOUNDS READ CWE-125

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer
over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability
causes programs that use libxml2, such as PHP, to crash. This vulnerability
exists because of an incomplete fix for libxml2 Bug 759398.

CVE-2017-9049 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.18 OUT-OF-BOUNDS READ CWE-125

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer
over-read in the xmlDictAddString function in dict.c. This vulnerability causes
programs that use libxml2, such as PHP, to crash. This vulnerability exists
because of an incomplete fix for CVE-2016-1839.

CVE-2017-9050 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.19 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because
the NEXTL macro calls the xmlParserHandlePEReference function in the case of a
'%' character in a DTD name.

CVE-2017-16931 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.20 LOOP WITH UNREACHABLE EXIT CONDITION ('INFINITE LOOP') CWE-835

parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in
parameter entities.

CVE-2017-16932 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.21 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A
DOWNSTREAM COMPONENT ('INJECTION') CWE-74

sensible-browser in sensible-utils before 0.0.11 does not validate strings
before launching the program specified by the BROWSER environment variable,
which allows remote attackers to conduct argument-injection attacks via a
crafted URL, as demonstrated by a --proxy-pac-file argument.

CVE-2017-17512 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.22 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers
to cause a denial of service (memory consumption) via a crafted LZMA file,
because the decoder functionality does not restrict memory usage to what is
required for a legitimate file.

CVE-2017-18258 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.23 OBSERVABLE DISCREPANCY CWE-203

Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache
side-channel attack on ECDSA signatures that can be mitigated through the use
of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in
cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP.

CVE-2018-0495 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.2.24 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c
in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances)
generate instruction sequences when targeting ARM targets that spill the
address of the stack protector guard, which allows an attacker to bypass the
protection of -fstack-protector, -fstack-protector-all,
-fstack-protector-strong, and -fstack-protector-explicit against stack overflow
by controlling what the stack canary is compared against.

CVE-2018-12886 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.25 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference vulnerability exists in the
xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an
invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications
processing untrusted XSL format inputs with the use of the libxml2 library may
be vulnerable to a denial of service attack due to a crash of the application.

CVE-2018-14404 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.26 LOOP WITH UNREACHABLE EXIT CONDITION ('INFINITE LOOP') CWE-835

libxml2 2.9.8, if built with --with-lzma, allows remote attackers to cause a
denial-of-service (infinite loop) via a crafted XML file that triggers
LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than
CVE-2015-8035 and CVE-2018-9251.

CVE-2018-14567 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.27 INTEGER OVERFLOW OR WRAPAROUND CWE-190

International Components for Unicode (ICU) for C/C++ 63.1 has an integer
overflow in number::impl::DecimalQuantity::toScientificString() in i18n/
number_decimalquantity.cpp.

CVE-2018-18928 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.28 IMPROPER INPUT VALIDATION CWE-20

In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a
crafted hostname via getaddrinfo() leads to the allocation of a socket
descriptor that is not closed. This is related to the if_nametoindex()
function.

CVE-2018-19591 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.29 LOOP WITH UNREACHABLE EXIT CONDITION ('INFINITE LOOP') CWE-835

GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during
read access, which allows local users to cause a denial of service (infinite
read loop in sparse_dump_region in sparse.c) by modifying a file that is
supposed to be archived by a different user's process (e.g., a system backup
running as root).

CVE-2018-20482 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.30 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

In libexpat in Expat before 2.2.7, XML input including XML names that contain a
large number of colons could make the XML parser consume a high amount of RAM
and CPU resources while processing (enough to be usable for denial-of-service
attacks).

CVE-2018-20843 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.31 OUT-OF-BOUNDS WRITE CWE-787

zlib before 1.2.12 allows memory corruption when deflating (i.e., when
compressing) if the input has many distant matches.

CVE-2018-25032 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.32 OUT-OF-BOUNDS WRITE CWE-787

An integer overflow flaw, which could lead to an out-of-bounds write, was
discovered in libssh2 before 1.8.1 in the way packets are read from the server.
A remote attacker who compromises an SSH server may be able to execute code on
the client system when a user connects to the server.

CVE-2019-3855 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.33 OUT-OF-BOUNDS WRITE CWE-787

An integer overflow flaw, which could lead to an out-of-bounds write, was
discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are
parsed. A remote attacker who compromises an SSH server may be able to execute
code on the client system when a user connects to the server.

CVE-2019-3856 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.34 OUT-OF-BOUNDS WRITE CWE-787

An integer overflow flaw, which could lead to an out-of-bounds write, was
discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets
with an exit signal are parsed. A remote attacker who compromises an SSH server
may be able to execute code on the client system when a user connects to the
server.

CVE-2019-3857 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.35 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 when a
specially crafted SFTP packet is received from the server. A remote attacker
who compromises an SSH server may be able to cause a denial-of-service or read
data in the client memory.

CVE-2019-3858 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.2.36 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 in the
_libssh2_packet_require and _libssh2_packet_requirev functions. A remote
attacker who compromises an SSH server may be able to cause a denial-of-service
or read data in the client memory.

CVE-2019-3859 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:H ).

3.2.37 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 in the way
SFTP packets with empty payloads are parsed. A remote attacker who compromises
an SSH server may be able to cause a denial-of-service or read data in the
client memory.

CVE-2019-3860 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:H ).

3.2.38 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 in the way
SSH packets with a padding length value greater than the packet length are
parsed. A remote attacker who compromises an SSH server may be able to cause a
denial-of-service or read data in the client memory.

CVE-2019-3861 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:H ).

3.2.39 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 in the way
SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are
parsed. A remote attacker who compromises an SSH server may be able to cause a
denial-of-service or read data in the client memory.

CVE-2019-3862 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:H ).
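Items 3.2.38 and 3.2.39 share a root cause with the other libssh2 read flaws listed above: a length field supplied by the peer is used before it is compared with the bytes actually received. The following is an added example, not code from libssh2 or from this advisory: a bounds-checked reader for the SSH binary packet of RFC 4253 and the exit-status channel request of RFC 4254, exercised on constructed packets. The message number and minimum padding are the RFCs'; the class and function names are my own. The same discipline is what the SSH_MSG_DISCONNECT string parsing in 3.2.77 requires.

```python
"""Bounds-checked parsing of the SSH binary packet (RFC 4253 section 6) and of
an SSH_MSG_CHANNEL_REQUEST "exit-status" message (RFC 4254 section 6.10).

Added example: each length the peer supplies is compared with the bytes that
were actually received before any slice is taken.
"""
import struct

SSH_MSG_CHANNEL_REQUEST = 98   # RFC 4254 message number
MAX_PACKET_LENGTH = 35000      # RFC 4253 section 6.1: larger packets may be rejected
MIN_PADDING = 4                # RFC 4253 section 6: at least four bytes of padding


class MalformedPacket(ValueError):
    """Raised instead of reading past the end of the received buffer."""


class Reader:
    """Sequential reader for the RFC 4251 types byte, boolean, uint32 and string."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def remaining(self):
        return len(self.data) - self.pos

    def take(self, n, what):
        if n > self.remaining():
            raise MalformedPacket(f"{what}: need {n} bytes, {self.remaining()} left")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self):
        return self.take(1, "byte")[0]

    def boolean(self):
        return self.byte() != 0

    def uint32(self):
        return struct.unpack(">I", self.take(4, "uint32"))[0]

    def string(self):
        # The peer chose this length; take() refuses it unless the bytes exist.
        return self.take(self.uint32(), "string body")


def unwrap_binary_packet(raw, mac_len=0):
    """Return the payload of one decrypted binary packet held in `raw`.

    Wire layout: uint32 packet_length, byte padding_length, payload, padding, MAC.
    """
    r = Reader(raw)
    packet_length = r.uint32()
    padding_length = r.byte()
    if packet_length > MAX_PACKET_LENGTH:
        raise MalformedPacket(f"packet_length {packet_length} exceeds {MAX_PACKET_LENGTH}")
    if packet_length + 4 + mac_len != len(raw):
        raise MalformedPacket("packet_length disagrees with the bytes received")
    if padding_length < MIN_PADDING:
        raise MalformedPacket("padding shorter than four bytes")
    # Without this check payload_len goes negative (or wraps in C); that is the
    # condition behind the out-of-bounds read described in 3.2.38.
    if padding_length + 1 > packet_length:
        raise MalformedPacket(f"padding_length {padding_length} exceeds packet_length {packet_length}")
    payload_len = packet_length - padding_length - 1
    return r.take(payload_len, "payload")


def parse_exit_status(payload):
    """Parse a channel request of type "exit-status"; return (channel, status)."""
    r = Reader(payload)
    if r.byte() != SSH_MSG_CHANNEL_REQUEST:
        raise MalformedPacket("not an SSH_MSG_CHANNEL_REQUEST")
    channel = r.uint32()
    request_type = r.string()
    r.boolean()  # want_reply; RFC 4254 says FALSE for exit-status
    if request_type != b"exit-status":
        raise MalformedPacket(f"unsupported request type {request_type!r}")
    status = r.uint32()  # raises when the status field is absent, as in 3.2.39
    if r.remaining():
        raise MalformedPacket("trailing bytes after exit status")
    return channel, status


def classify(raw):
    """("ok", channel, status) or ("rejected", reason); never reads out of bounds."""
    try:
        channel, status = parse_exit_status(unwrap_binary_packet(raw))
        return ("ok", channel, status)
    except MalformedPacket as e:
        return ("rejected", str(e))


# Constructed sample packets (not captured traffic). Padding is zero-filled
# here for readability; real implementations use random bytes.
def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def build_packet(payload, padding_length):
    packet_length = 1 + len(payload) + padding_length
    return struct.pack(">IB", packet_length, padding_length) + payload + bytes(padding_length)

EXIT_STATUS_7 = (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", 0)
                 + ssh_string(b"exit-status") + b"\x00" + struct.pack(">I", 7))
GOOD_PACKET = build_packet(EXIT_STATUS_7, 10)                 # 40 bytes, a multiple of 8
BAD_PADDING = struct.pack(">IB", 36, 200) + GOOD_PACKET[5:]   # padding_length > packet_length
NO_STATUS = build_packet(EXIT_STATUS_7[:-4], 14)              # same framing, uint32 missing
```

Every read goes through Reader.take(), so a bad length surfaces as MalformedPacket with the offending field named, rather than as a slice that silently returns fewer bytes or, in C, as a read past the buffer.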

3.2.40 OUT-OF-BOUNDS WRITE CWE-787

A flaw was found in libssh2 before 1.8.1. A server could send multiple
keyboard-interactive response messages whose total length is greater than the
maximum value of an unsigned char. This value is used as an index when copying
memory, causing an out-of-bounds memory write.

CVE-2019-3863 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.41 USE AFTER FREE CWE-416

An exploitable use-after-free vulnerability exists in the window function
functionality of SQLite3 3.26.0. A specially crafted SQL command can cause a
use after free, potentially resulting in remote code execution. An attacker
can send a malicious SQL command to trigger this vulnerability.

CVE-2019-5018 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.42 OUT-OF-BOUNDS WRITE CWE-787

An exploitable code execution vulnerability exists in the quota file
functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause
an out-of-bounds write on the heap, resulting in code execution. An attacker
can corrupt a partition to trigger this vulnerability.

CVE-2019-5094 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:H/UI:N
/S:C/C:H/I:H/A:H ).

3.2.43 OUT-OF-BOUNDS WRITE CWE-787

A code execution vulnerability exists in the directory rehashing functionality
of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an
out-of-bounds write on the stack, resulting in code execution. An attacker can
corrupt a partition to trigger this vulnerability.

CVE-2019-5188 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:H/UI:N
/S:C/C:H/I:H/A:H ).

3.2.44 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An integer overflow in curl's URL API results in a buffer overflow in libcurl
7.62.0 to and including 7.64.1.

CVE-2019-5435 has been assigned to this vulnerability. A CVSS v3 base score of
3.7 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:L ).

3.2.45 OUT-OF-BOUNDS WRITE CWE-787

A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary
code execution in libcurl versions 7.19.4 through 7.64.1.

CVE-2019-5436 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.46 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

A non-privileged user or program can put code and a config file in a known
non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1
automatically run the code (as an OpenSSL "engine") on invocation. If that
curl is invoked by a privileged user, it can do anything it wants.

CVE-2019-5443 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.47 DOUBLE FREE CWE-415

Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.

CVE-2019-5481 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.48 OUT-OF-BOUNDS WRITE CWE-787

Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.

CVE-2019-5482 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.49 IMPROPER ENCODING OR ESCAPING OF OUTPUT CWE-116

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in
the progress display, a malicious server (or Man-in-The-Middle attacker) can
employ crafted object names to manipulate the client output, e.g., by using
ANSI control codes to hide additional files being transferred. This affects
refresh_progress_meter() in progressmeter.c.

CVE-2019-6109 has been assigned to this vulnerability. A CVSS v3 base score of
6.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:R
/S:U/C:H/I:H/A:N ).

3.2.50 INAPPROPRIATE ENCODING FOR OUTPUT CONTEXT CWE-838

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from
the server, a malicious server (or Man-in-The-Middle attacker) can manipulate
the client output, for example to use ANSI control codes to hide additional
files being transferred.

CVE-2019-6110 has been assigned to this vulnerability. A CVSS v3 base score of
6.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:R
/S:U/C:H/I:H/A:N ).

3.2.51 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being
derived from 1983 rcp, the server chooses which files/directories are sent to
the client. However, the scp client only performs cursory validation of the
object name returned (only directory traversal attacks are prevented). A
malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary
files in the scp client target directory. If recursive operation (-r) is
performed, the server can manipulate subdirectories as well (for example, to
overwrite the .ssh/authorized_keys file).

CVE-2019-6111 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:H/A:N ).
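3.2.49 through 3.2.51 have one thread in common: the scp client trusts what the server sends back, both the object name it displays and the file name it writes. The following is an added example, not OpenSSH code: a client-side policy that accepts a server-supplied name only if it is a single path component matching the name or glob the user asked for, and that escapes control characters before a name reaches the terminal. The function names and the sample names are constructed for this illustration.

```python
"""Client-side handling of file names a remote copy server sends back.

Added example, not OpenSSH code. In scp the server names the files, so the
client must (1) refuse names that are not a single path component, (2) refuse
names the user did not ask for, and (3) escape control bytes before printing.
"""
import fnmatch
import posixpath


class RejectedName(ValueError):
    pass


def display_name(name):
    """Escape C0/C1 control characters so the name cannot drive the terminal."""
    return "".join(
        f"\\x{ord(ch):02x}" if ord(ch) < 0x20 or 0x7f <= ord(ch) < 0xa0 else ch
        for ch in name
    )


def is_plain_filename(name):
    """A non-empty single component: no separators, NUL or control characters."""
    if name in ("", ".", ".."):
        return False
    if "/" in name or "\\" in name:
        return False
    return not any(ord(ch) < 0x20 or 0x7f <= ord(ch) < 0xa0 for ch in name)


def validate_remote_name(name, requested):
    """Accept a server-supplied name only if it is plain and matches `requested`.

    `requested` is the literal name or shell glob the user typed (e.g. "*.log");
    a literal request therefore matches only that exact name.
    """
    if not is_plain_filename(name):
        raise RejectedName(f"not a plain file name: {display_name(name)}")
    if not fnmatch.fnmatchcase(name, requested):
        raise RejectedName(f"server sent {display_name(name)}, not matching {requested!r}")
    return name


def target_path(dest_dir, name, requested):
    """Final write path for a validated name, confirmed to sit directly in dest_dir."""
    path = posixpath.join(dest_dir, validate_remote_name(name, requested))
    if posixpath.dirname(posixpath.normpath(path)) != posixpath.normpath(dest_dir):
        raise RejectedName("resolved path left the destination directory")
    return path


def triage(names, requested):
    """Split a batch of server-supplied names into (accepted, rejection reasons)."""
    accepted, rejected = [], []
    for n in names:
        try:
            accepted.append(validate_remote_name(n, requested))
        except RejectedName as e:
            rejected.append(str(e))
    return accepted, rejected


# Constructed sample: the user asked for "*.log"; the server answered with these.
SAMPLE_NAMES = [
    "app.log",                  # what was asked for
    "../.ssh/authorized_keys",  # path component escape
    "hidden\x1b[2K.log",        # matches the glob but carries an ANSI erase sequence
    "notes.txt",                # not requested
    "sub/dir.log",              # not a single component
]
```

The glob match is the part that closes the gap the advisory describes: traversal alone is not enough to refuse, because a name that stays inside the target directory but was never requested is still an overwrite the user did not ask for.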

3.2.52 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

The string component in the GNU C Library (aka glibc or libc6) through 2.28,
when running on the x32 architecture, incorrectly attempts to use a 64-bit
register for size_t in assembly code, which can lead to a segmentation fault
or possibly unspecified other impact, as demonstrated by a crash in
__memmove_avx_unaligned_erms in
sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.

CVE-2019-6488 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.53 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for
the x32 architecture can incorrectly return zero (indicating that the inputs
are equal) because the RDX most significant bit is mishandled.

CVE-2019-7309 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.54 OUT-OF-BOUNDS READ CWE-125

SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to a heap
out-of-bounds read in the rtreenode() function when handling invalid rtree
tables.

CVE-2019-8457 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.55 OUT-OF-BOUNDS READ CWE-125

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in
posix/regexec.c has a heap-based buffer over-read via an attempted
case-insensitive regular-expression match.

CVE-2019-9169 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.56 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by improper
handling of Unicode encoding (with an incorrect netloc) during NFKC
normalization. A specially crafted URL could be incorrectly parsed to locate
cookies or authentication data and send that information to a different host
than when parsed correctly.

CVE-2019-9636 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.57 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a
denial-of-service (resource consumption) via a ZIP bomb.

CVE-2019-9674 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).
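For 3.2.57 the defence is to budget decompression rather than trust the sizes an archive declares. The following is an added example, not CPython code, showing both a check of the central-directory metadata and a streaming byte limit enforced while inflating; the archives it runs against are constructed in memory and the budget values are arbitrary.

```python
"""Bounding the cost of ZIP extraction before and during inflation (cf. 3.2.57).

Added example, not CPython code. The central directory states each member's
compressed and uncompressed sizes, but a hostile archive can lie or simply
declare enormous totals. Two defences are combined: refuse archives whose
declared totals or ratio exceed a budget, and while inflating count the bytes
actually produced and stop at the budget whatever the header claimed.
"""
import io
import os
import zipfile

MAX_TOTAL = 64 * 1024 * 1024    # budget for all members together (arbitrary)
MAX_RATIO = 100                 # uncompressed / compressed per member (arbitrary)
MAX_MEMBERS = 10_000


class ZipBudgetExceeded(ValueError):
    pass


def check_declared_sizes(zf, max_total=MAX_TOTAL, max_ratio=MAX_RATIO, max_members=MAX_MEMBERS):
    """Validate central-directory metadata; return (declared_total, worst_ratio)."""
    infos = zf.infolist()
    if len(infos) > max_members:
        raise ZipBudgetExceeded(f"{len(infos)} members exceeds {max_members}")
    total, worst = 0, 0.0
    for info in infos:
        total += info.file_size
        if total > max_total:
            raise ZipBudgetExceeded(f"declared total {total} exceeds {max_total}")
        if info.file_size:
            # compress_size is 0 only for an empty member; guard the division anyway.
            ratio = info.file_size / max(info.compress_size, 1)
            worst = max(worst, ratio)
            if ratio > max_ratio:
                raise ZipBudgetExceeded(f"{info.filename}: ratio {ratio:.0f} exceeds {max_ratio}")
    return total, worst


def read_member_bounded(zf, info, limit):
    """Inflate one member, enforcing `limit` on bytes actually produced."""
    produced, out = 0, io.BytesIO()
    with zf.open(info) as src:
        while True:
            chunk = src.read(64 * 1024)
            if not chunk:
                break
            produced += len(chunk)
            if produced > limit:   # header said less, stream says more: stop here
                raise ZipBudgetExceeded(f"{info.filename}: produced more than {limit} bytes")
            out.write(chunk)
    return out.getvalue()


def inspect_archive(data, max_total=MAX_TOTAL, max_ratio=MAX_RATIO):
    """Return "ok" or "refused: <reason>" for an in-memory archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            check_declared_sizes(zf, max_total=max_total, max_ratio=max_ratio)
            for info in zf.infolist():
                read_member_bounded(zf, info, max_total)
        return "ok"
    except ZipBudgetExceeded as e:
        return f"refused: {e}"


def inflation_guard_trips(data, limit):
    """True if the streaming limit alone (no metadata check) stops this archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            for info in zf.infolist():
                read_member_bounded(zf, info, limit)
        except ZipBudgetExceeded:
            return True
    return False


def build_zip(members):
    """Constructed sample archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# 4 MiB of zeros deflates to a few KiB: a ratio in the hundreds to low thousands.
BOMBISH = build_zip({"zeros.bin": bytes(4 * 1024 * 1024)})
# Mixed realistic content: a little text plus incompressible random bytes.
NORMAL = build_zip({"readme.txt": b"Release notes for build 42.\n" * 4,
                    "blob.bin": os.urandom(50_000)})
```

The metadata check is cheap and catches the common case; the streaming limit is what protects against an archive whose central directory under-reports sizes, because it counts what zlib actually emits.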

3.2.58 IMPROPER NEUTRALIZATION OF CRLF SEQUENCES ('CRLF INJECTION') CWE-93

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in
Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a
URL parameter, as demonstrated by the first argument to urllib.request.urlopen
with \r\n (specifically in the query string after a ? character) followed by an
HTTP header or a Redis command.

CVE-2019-9740 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:C/C:L/I:L/A:N ).

3.2.59 NULL POINTER DEREFERENCE CWE-476

pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer
dereference when parsing certain archives that have malformed extended headers.

CVE-2019-9923 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.60 OUT-OF-BOUNDS READ CWE-125

In SQLite 3.27.2, running fts5 prefix queries inside a transaction could
trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which
may lead to an information leak. This is related to ext/fts5/fts5_hash.c.

CVE-2019-9936 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.61 NULL POINTER DEREFERENCE CWE-476

In SQLite 3.27.2, interleaving reads and writes in a single transaction with an
fts5 virtual table will lead to a NULL pointer dereference in fts5ChunkIterate
in sqlite3.c. This is related to ext/fts5/fts5_hash.c and
ext/fts5/fts5_index.c.

CVE-2019-9937 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.62 IMPROPER NEUTRALIZATION OF CRLF SEQUENCES ('CRLF INJECTION') CWE-93

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in
Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a
URL parameter, as demonstrated by the first argument to urllib.request.urlopen
with \r\n (specifically in the path component of a URL that lacks a ?
character) followed by an HTTP header or a Redis command. This is similar to
the CVE-2019-9740 query string issue.

CVE-2019-9947 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:C/C:L/I:L/A:N ).

3.2.63 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which
makes it easier for remote attackers to bypass protection mechanisms that
blacklist file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call.

CVE-2019-9948 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:N ).

3.2.64 ENCODING ERROR CWE-172

A security regression of CVE-2019-9636 was discovered in Python affecting
versions 2.7, 3.5, 3.6, 3.7 and v3.8.0a4 through v3.8.0b1, which still allows
an attacker to exploit CVE-2019-9636 by abusing the user and password parts of
a URL. When an application parses user-supplied URLs to store cookies,
authentication credentials, or other kinds of information, an attacker can
provide specially crafted URLs that make the application locate host-related
information (e.g. cookies, authentication data) and send it to a different
host than it should, unlike if the URLs had been correctly parsed. The result
of an attack may vary based on the application.

CVE-2019-10160 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).
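3.2.56, 3.2.58, 3.2.62, 3.2.63 and 3.2.64 (and the host-component variant in 3.2.83) are all cases where a URL parses one way in the application and is sent another way on the wire. The following is an added example, not CPython code: a single validation step run before a URL is handed to any fetcher, rejecting control characters anywhere in the URL, schemes outside an explicit allow-list, and hosts that gain a delimiter under NFKC normalization. The normalization check follows the same idea as the upstream fix; the function names, the allow-list and the sample URLs are constructed for this illustration.

```python
"""Rejecting URLs that parse one way and get sent another.

Added example covering three failure classes named in this advisory:
 - control characters such as CR/LF in any component (3.2.58, 3.2.62, 3.2.83),
 - schemes outside an explicit allow-list, such as local_file: (3.2.63),
 - hosts that gain a delimiter under NFKC normalization (3.2.56, 3.2.64).
Newer interpreters refuse some of these inside urlsplit already; the checks
here run before the URL reaches any fetcher and do not depend on that.
"""
import unicodedata
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})   # assumed policy for this example
NETLOC_DELIMITERS = "/?#@:"                      # characters that change how a netloc splits


class UnsafeURL(ValueError):
    pass


def has_control_chars(s):
    return any(ord(c) < 0x20 or ord(c) == 0x7f for c in s)


def check_netloc_normalization(netloc):
    """Refuse a netloc if NFKC normalization would introduce a delimiter.

    Delimiters legitimately present (userinfo '@', port ':') are stripped
    first, so only characters *created* by normalization count.
    """
    if not netloc or netloc.isascii():
        return
    stripped = netloc
    for d in "?#@:":
        stripped = stripped.replace(d, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return
    for d in NETLOC_DELIMITERS:
        if d in normalized:
            raise UnsafeURL(f"netloc {netloc!r} yields {d!r} under NFKC normalization")


def validate_url(url, allowed_schemes=ALLOWED_SCHEMES):
    """Return the SplitResult of a URL that passed every check, else raise UnsafeURL."""
    if has_control_chars(url):
        raise UnsafeURL("control character in URL")
    try:
        parts = urlsplit(url)
    except ValueError as e:          # patched interpreters already refuse some hosts
        raise UnsafeURL(str(e)) from e
    if parts.scheme.lower() not in allowed_schemes:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise UnsafeURL("URL has no host")
    check_netloc_normalization(parts.netloc)
    return parts


def classify(url):
    """'ok:<host>' or 'rejected:<reason>' for one URL."""
    try:
        return "ok:" + validate_url(url).hostname
    except UnsafeURL as e:
        return "rejected:" + str(e)


# Constructed inputs; hosts use reserved .test / .example names.
SAMPLES = [
    "https://example.test/index?q=1",
    "http://b\u00fccher.example/",                 # legitimate non-ASCII host
    "http://example.test/\r\nX-Injected: 1",      # CRLF in the path (3.2.62 shape)
    "http://example.test?\r\nX-Injected: 1",      # CRLF in the query (3.2.58 shape)
    "local_file:///some/local/file",               # scheme outside the allow-list (3.2.63)
    "http://example.test\uff03evil.test/",         # U+FF03 becomes '#' under NFKC (3.2.56)
]
```

Usage: call validate_url() on anything user-controlled before urlopen or any HTTP client sees it; the returned SplitResult is the parse the application will act on, and the checks guarantee the wire form cannot diverge from it in the three ways listed.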

3.2.65 OUT-OF-BOUNDS WRITE CWE-787

A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an
attacker to (at least) crash the program or potentially gain code execution via
a specially crafted iptables-save file. This is related to add_param_to_argv in
xshared.c.

CVE-2019-11360 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:H/UI:R
/S:U/C:N/I:N/A:H ).

3.2.66 IMPROPER INPUT VALIDATION CWE-20

GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in
RFC 3490 Section 4.2 when converting A-labels to U-labels. This makes it
possible in some circumstances for one domain to impersonate another. By
creating a malicious domain that matches a target domain except for the
inclusion of certain punycoded Unicode characters (that would be discarded when
converted first to a Unicode label and then back to an ASCII label), arbitrary
domains can be impersonated.

CVE-2019-12290 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:H/A:N ).
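The check 3.2.66 describes is a round trip: convert the A-label to a U-label, convert back, and require the original to come out. The following is an added example, not libidn2 code; it uses Python's standard 'idna' codec, which implements IDNA2003 and therefore has different mapping tables from libidn2's IDNA2008, but the round-trip logic is the same. The sample label with a soft hyphen (U+00AD) is constructed to show a character that the mapping step discards.

```python
"""Round-trip check for IDNA A-labels (RFC 3490 section 4.2, ToUnicode steps 6-7).

Added example, not libidn2 code. An A-label ("xn--...") is converted to its
U-label and back; if the result differs, the punycode carried characters that
the mapping step discards, and the label must not be treated as equivalent to
the shorter name it collapses to. Python's 'idna' codec is IDNA2003; the
mapping tables differ from libidn2's IDNA2008 but the principle is identical.
"""


def a_label_round_trips(alabel):
    """(True, ulabel) if ToASCII(ToUnicode(alabel)) reproduces alabel, else (False, reason)."""
    alabel = alabel.lower()
    if not alabel.startswith("xn--"):
        return (False, "not an A-label")
    try:
        ulabel = alabel[4:].encode("ascii").decode("punycode")
    except (UnicodeError, ValueError) as e:
        return (False, f"punycode decode failed: {e}")
    try:
        back = ulabel.encode("idna").decode("ascii")   # nameprep mapping + punycode
    except UnicodeError as e:
        return (False, f"ToASCII failed: {e}")
    if back != alabel:
        return (False, f"{alabel} -> {ulabel!r} -> {back}: not a round trip")
    return (True, ulabel)


def non_canonical_labels(host):
    """Apply the check to every A-label of a host name; return [(label, reason), ...]."""
    bad = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            ok, why = a_label_round_trips(label)
            if not ok:
                bad.append((label, why))
    return bad


# Constructed inputs. SNEAKY encodes "exam" + SOFT HYPHEN (U+00AD) + "ple";
# nameprep maps U+00AD to nothing, so converting back yields plain "example",
# which is not the A-label we started from.
GOOD = "xn--bcher-kva"                                                  # b\u00fccher
SNEAKY = "xn--" + "exam\u00adple".encode("punycode").decode("ascii")
```

A resolver or certificate-matching layer that skips this step would treat SNEAKY as a distinct label while displaying or matching it as "example"; the round trip makes the two disagree loudly instead.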

3.2.67 OUT-OF-BOUNDS WRITE CWE-787

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds
write when there are many selectors.

CVE-2019-12900 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.68 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668

In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a
flush-and-reload side-channel attack because physical addresses are available
to other processes. (The C implementation is used on platforms where an
assembly-language implementation is unavailable.) NOTE: the vendor's position
is that the issue report cannot be validated because there is no description of
an attack.

CVE-2019-12904 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.69 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

An issue was discovered in the server in OpenLDAP before 2.4.48. When the
server administrator delegates rootDN (database admin) privileges for certain
databases but wants to maintain isolation (e.g., for multi-tenant deployments),
slapd does not properly stop a rootDN from requesting authorization as an
identity from another database during a SASL bind or with a proxyAuthz (RFC
4370) control. (It is not a common configuration to deploy a system where the
server administrator and a DB administrator enjoy different levels of trust.)

CVE-2019-13057 has been assigned to this vulnerability. A CVSS v3 base score of
4.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:H/UI:N
/S:U/C:H/I:N/A:N ).

3.2.70 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL
authentication and session encryption, and relying on the SASL security layers
in slapd access controls, it is possible to obtain access that would otherwise
be denied via a simple bind for any identity covered in those ACLs. After the
first SASL bind is completed, the sasl_ssf value is retained for all new
non-SASL connections. Depending on the ACL configuration, this can affect
different types of operations (searches, modifications, etc.). In other words,
a successful authorization step completed by one user affects the authorization
requirement for a different user.

CVE-2019-13565 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.71 OBSERVABLE DISCREPANCY CWE-203

It was discovered that there was an ECDSA timing attack in the libgcrypt20
cryptographic library. Versions affected: 1.8.4-5, 1.7.6-2+deb9u3, and
1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.

CVE-2019-13627 has been assigned to this vulnerability. A CVSS v3 base score of
6.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:N/UI:R
/S:U/C:H/I:H/A:N ).

3.2.72 INSUFFICIENT ENTROPY CWE-331

The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could
optimize multiple calls of the __builtin_darn intrinsic into a single call,
thus reducing the entropy of the random number generator. This occurred because
a volatile operation was not specified. For example, within a single execution
of a program, the output of every __builtin_darn() call may be the same.

CVE-2019-15847 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.73 OUT-OF-BOUNDS READ CWE-125

In libexpat before 2.2.8, crafted XML input could fool the parser into changing
from DTD parsing to document parsing too early; a consecutive call to
XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a
heap-based buffer over-read.

CVE-2019-15903 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.74 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x
through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email
addresses that contain multiple @ characters. An application that uses the
email module and implements some kind of checks on the From/To headers of a
message could be tricked into accepting an email address that should be denied.
An attack may be the same as in CVE-2019-11340; however, this CVE applies to
Python more generally.

CVE-2019-16056 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.75 DIVIDE BY ZERO CWE-369

In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a
browser or other application because of missing validation of a sqlite_stat1 sz
field, aka a "severe division by zero in the query planner."

CVE-2019-16168 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.76 INTEGER OVERFLOW OR WRAPAROUND CWE-190

OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental
key type, has a pre-authentication integer overflow if a client or server is
configured to use a crafted XMSS key. This leads to memory corruption and local
code execution because of an error in the XMSS key parsing algorithm. NOTE: the
XMSS implementation is considered experimental in all released OpenSSH
versions, and there is no supported way to enable it when building portable
OpenSSH.

CVE-2019-16905 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.77 INTEGER OVERFLOW OR WRAPAROUND CWE-190

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in
packet.c has an integer overflow in a bounds check, enabling an attacker to
specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A
crafted SSH server may be able to disclose sensitive information or cause a
denial of service condition on the client system when a user connects to the
server.

CVE-2019-17498 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:N/A:H ).

3.2.78 OUT-OF-BOUNDS WRITE CWE-787

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to
LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with
a large input. (This issue can also lead to data corruption.) NOTE: the vendor
states "only a few specific / uncommon usages of the API are at risk."

CVE-2019-17543 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.79 OUT-OF-BOUNDS READ CWE-125

There is a heap-based buffer over-read in the _nc_find_entry function in
tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

CVE-2019-17594 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:L/I:L/A:L ).

3.2.80 OUT-OF-BOUNDS READ CWE-125

There is a heap-based buffer over-read in the fmt_entry function in
tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

CVE-2019-17595 has been assigned to this vulnerability. A CVSS v3 base score of
5.4 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:L/I:N/A:L ).

3.2.81 OUT-OF-BOUNDS WRITE CWE-787

idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based
buffer overflow via a long domain string.

CVE-2019-18224 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.82 IMPROPER CHECK FOR DROPPED PRIVILEGES CWE-273

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0
patch 11. By default, if Bash is run with its effective UID not equal to its
real UID, it will drop privileges by setting its effective UID to its real UID.
However, it does so incorrectly. On Linux and other systems that support "saved
UID" functionality, the saved UID is not dropped. An attacker with command
execution in the shell can use "enable -f" for runtime loading of a new
builtin, which can be a shared object that calls setuid() and therefore regains
privileges. However, binaries running with an effective UID of 0 are
unaffected.

CVE-2019-18276 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).
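The condition described in 3.2.82 is a privilege drop that changes the effective UID but leaves the saved set-user-ID behind. The following is an added example, not Bash code: dropping to a target UID/GID by setting the real, effective and saved IDs together, then reading them back to confirm the drop actually happened. It assumes Linux for setresuid/getresuid and falls back to setuid/setgid elsewhere; the function names are my own.

```python
"""Dropping privileges so that they cannot be regained (cf. 3.2.82).

Added example, not Bash code. Changing only the effective UID leaves the saved
set-user-ID behind, and a later setuid() can restore it. The drop below sets
real, effective and saved IDs together (groups first, since that needs
privilege) and then reads all three back to verify. setresuid/getresuid are
assumed to exist (Linux); elsewhere setuid/setgid are used and the saved ID
cannot be inspected.
"""
import os


class PrivilegeDropFailed(RuntimeError):
    pass


def current_uids():
    """(real, effective, saved) UID; saved is None where the platform cannot report it."""
    if hasattr(os, "getresuid"):
        return os.getresuid()
    return (os.getuid(), os.geteuid(), None)


def current_gids():
    if hasattr(os, "getresgid"):
        return os.getresgid()
    return (os.getgid(), os.getegid(), None)


def saved_uid_leftover(uid):
    """True when the saved UID still differs from `uid`: the condition in 3.2.82."""
    saved = current_uids()[2]
    return saved is not None and saved != uid


def verify_dropped(uid, gid):
    """Raise unless every UID/GID now equals the target and root cannot be regained."""
    if any(u not in (uid, None) for u in current_uids()):
        raise PrivilegeDropFailed(f"uid not fully dropped: {current_uids()}")
    if any(g not in (gid, None) for g in current_gids()):
        raise PrivilegeDropFailed(f"gid not fully dropped: {current_gids()}")
    if uid != 0:
        try:
            os.setuid(0)                 # must fail now that the saved UID is gone
        except PermissionError:
            return True
        raise PrivilegeDropFailed("setuid(0) succeeded after the drop")
    return True


def drop_privileges(uid, gid):
    """Irreversibly switch the process to uid/gid and verify the result."""
    if os.geteuid() == 0:
        # Supplementary groups can only be changed while still privileged.
        os.setgroups([gid])
    # Order: groups, then gid, then uid. setres* sets all three IDs at once,
    # which is what a plain seteuid()-style drop fails to do.
    if hasattr(os, "setresgid"):
        os.setresgid(gid, gid, gid)
    else:
        os.setgid(gid)
    if hasattr(os, "setresuid"):
        os.setresuid(uid, uid, uid)
    else:
        os.setuid(uid)
    return verify_dropped(uid, gid)


def drop_to_self():
    """Demonstration entry point: drop to the IDs we already hold and report the checks."""
    uid, gid = os.getuid(), os.getgid()
    return drop_privileges(uid, gid), saved_uid_leftover(uid)
```

The verification step is the part worth copying: a drop that is not read back is a drop that is assumed, and 3.2.82 is exactly a case where the assumption was wrong for one of the three IDs.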

3.2.83 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A
DOWNSTREAM COMPONENT ('INJECTION') CWE-74

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in
Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a
URL parameter, as demonstrated by the first argument to urllib.request.urlopen
with \r\n (specifically in the host component of a URL) followed by an HTTP
header. This is similar to the CVE-2019-9740 query string issue and the
CVE-2019-9947 path string issue. (This is not exploitable when glibc has
CVE-2016-10739 fixed.)

CVE-2019-18348 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:C/C:L/I:L/A:N ).

3.2.84 IMPROPER INITIALIZATION CWE-665

On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to
ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program
execution after a security transition, allowing local attackers to restrict the
possible mapping addresses for loaded libraries and thus bypass ASLR for a
setuid program.

CVE-2019-19126 has been assigned to this vulnerability. A CVSS v3 base score of
3.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:L/I:N/A:N ).

3.2.85 NULL POINTER DEREFERENCE CWE-476

SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case
in sqlite3ExprCodeTarget in expr.c.

CVE-2019-19242 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.86 IMPROPER INPUT VALIDATION CWE-20

Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both
DISTINCT and window functions, and also has certain ORDER BY usage.

CVE-2019-19244 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.87 INCORRECT CONVERSION BETWEEN NUMERIC TYPES CWE-681

lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in
the case of a generated column, which allows attackers to cause a
denial-of-service or possibly have unspecified other impact.

CVE-2019-19317 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.88 IMPROPER INPUT VALIDATION CWE-20

SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW,
leading to an application crash.

CVE-2019-19603 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.89 UNCONTROLLED RECURSION CWE-674

alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion
via certain types of self-referential views in conjunction with ALTER TABLE
statements.

CVE-2019-19645 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.90 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754

pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check
PRAGMA command in certain cases of generated columns.

CVE-2019-19646 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.91 NULL POINTER DEREFERENCE CWE-476

exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an
invalid pointer dereference because constant integer values in ORDER BY clauses
of window definitions are mishandled.

CVE-2019-19880 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.92 OUT-OF-BOUNDS WRITE CWE-787

cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to
unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP
packet. The OpenLDAP crash is ultimately caused by an off-by-one error in
_sasl_add_string in common.c in cyrus-sasl.

CVE-2019-19906 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.93 NULL POINTER DEREFERENCE CWE-476

flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT
DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can
cause a NULL pointer dereference (or incorrect results).

CVE-2019-19923 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.94 IMPROPER HANDLING OF EXCEPTIONAL CONDITIONS CWE-755

SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c,
vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite()
error handling.

CVE-2019-19924 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:L/A:N ).

3.2.95 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname
during an update of a ZIP archive.

CVE-2019-19925 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.96 NULL POINTER DEREFERENCE CWE-476

multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during
parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE:
this vulnerability exists because of an incomplete fix for CVE-2019-19880.

CVE-2019-19926 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.97 MISSING RELEASE OF RESOURCE AFTER EFFECTIVE LIFETIME CWE-772

xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a
memory leak related to newDoc->oldNs.

CVE-2019-19956 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.98 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in
situations involving embedded '\0' characters in filenames, leading to a
memory-management error that can be detected by (for example) valgrind.

CVE-2019-19959 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:H/A:N ).

3.2.99 IMPROPER HANDLING OF EXCEPTIONAL CONDITIONS CWE-755

selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding
even after a parsing error.

CVE-2019-20218 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.100 OUT-OF-BOUNDS READ CWE-125

nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison
for a symbol name from the string table (strtab).

CVE-2019-20367 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:H ).

3.2.101 MISSING RELEASE OF MEMORY AFTER EFFECTIVE LIFETIME CWE-401

xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an
xmlSchemaValidateStream memory leak.

CVE-2019-20388 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.102 USE AFTER FREE CWE-416

iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ip/
ipnetns.c. NOTE: security relevance may be limited to certain uses of setuid
that, although not a default, are sometimes a configuration option offered to
end users. Even when setuid is used, other factors (such as C library
configuration) may block exploitability.

CVE-2019-20795 has been assigned to this vulnerability. A CVSS v3 base score of
4.4 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:H/UI:N
/S:U/C:N/I:N/A:H ).

3.2.103 LOOP WITH UNREACHABLE EXIT CONDITION ('INFINITE LOOP') CWE-835

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR
archive leading to an infinite loop when opened by tarfile.open, because
_proc_pax lacks header validation.

CVE-2019-20907 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.104 OUT-OF-BOUNDS READ CWE-125

The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when
processing invalid multi-byte input sequences in the EUC-KR encoding, may have
a buffer over-read.

CVE-2019-25013 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.105 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may
bypass stack guard protection. The component is: nptl. The attack vector is:
Exploit stack buffer overflow vulnerability and use this bypass vulnerability
to bypass stack guard. NOTE: Upstream comments indicate "this is being treated
as a non-security bug and no real threat."

CVE-2019-1010022 has been assigned to this vulnerability. A CVSS v3 base score
of 9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H ).

3.2.106 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

GNU Libc current is affected by: Re-mapping current loaded library with
malicious ELF file. The impact is: In the worst case an attacker may escalate
privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF
files to victim and asks to run ldd on it. ldd executes code. NOTE: Upstream
comments indicate "this is being treated as a non-security bug and no real
threat."

CVE-2019-1010023 has been assigned to this vulnerability. A CVSS v3 base score
of 8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.107 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may
bypass ASLR using cache of thread stack and heap. The component is: glibc.
NOTE: Upstream comments indicate "this is being treated as a non-security bug
and no real threat."

CVE-2019-1010024 has been assigned to this vulnerability. A CVSS v3 base score
of 5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:L/I:N/A:N ).

3.2.108 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may
guess the heap addresses of pthread_created thread. The component is: glibc.
NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."

CVE-2019-1010025 has been assigned to this vulnerability. A CVSS v3 base score
of 5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:L/I:N/A:N ).

3.2.109 OUT-OF-BOUNDS READ CWE-125

All versions of GNU gdb are affected by: Buffer Overflow - Out of bound memory
access. The impact is: Denial of Service, Memory Disclosure, and Possible Code
Execution. The component is: The main gdb module. The attack vector is: Open an
ELF for debugging. The fixed version is: Not fixed yet.

CVE-2019-1010180 has been assigned to this vulnerability. A CVSS v3 base score
of 7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/
UI:R/S:U/C:H/I:H/A:H ).

3.2.110 USE AFTER FREE CWE-416

A heap use-after-free vulnerability was found in systemd before version
v245-rc1, where asynchronous Polkit queries are performed while handling dbus
messages. A local unprivileged attacker can abuse this flaw to crash systemd
services or potentially execute code and elevate their privileges, by sending
specially crafted dbus messages.

CVE-2020-1712 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.111 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write vulnerability was found in glibc before 2.31 when
handling signal trampolines on PowerPC. Specifically, the backtrace function
did not properly check the array bounds when storing the frame address,
resulting in a denial of service or potential code execution. The highest
threat from this vulnerability is to system availability.

CVE-2020-1751 has been assigned to this vulnerability. A CVSS v3 base score of
5.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.112 USE AFTER FREE CWE-416

A use-after-free vulnerability introduced in glibc upstream version 2.14 was
found in the way the tilde expansion was carried out. Directory paths
containing an initial tilde followed by a valid username were affected by this
issue. A local attacker could exploit this flaw by creating a specially crafted
path that, when processed by the glob function, would potentially lead to
arbitrary code execution. This was fixed in version 2.32.

CVE-2020-1752 has been assigned to this vulnerability. A CVSS v3 base score of
7.0 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.113 SIGNED TO UNSIGNED CONVERSION ERROR CWE-195

An exploitable signed comparison vulnerability exists in the ARMv7 memcpy()
implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that
utilize the GNU glibc implementation) with a negative value for the 'num'
parameter results in a signed comparison vulnerability. If an attacker
underflows the 'num' parameter to memcpy(), this vulnerability could lead to
undefined behavior such as writing to out-of-bounds memory and potentially
remote code execution. Furthermore, this memcpy() implementation allows
program execution to continue in scenarios where a segmentation fault or crash
should have occurred. The danger is that subsequent execution and iterations
of this code will operate on this corrupted data.

CVE-2020-6096 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.114 LOOP WITH UNREACHABLE EXIT CONDITION ('INFINITE LOOP') CWE-835

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop
in a certain end-of-file situation.

CVE-2020-7595 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.115 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

The libcurl library versions 7.62.0 to and including 7.70.0 are vulnerable to
an information disclosure vulnerability that can lead to a partial password
being leaked over the network and to the DNS server(s).

CVE-2020-8169 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.116 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A
DOWNSTREAM COMPONENT ('INJECTION') CWE-74

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for
files and other resources that can lead to overwriting a local file when the
-J flag is used.

CVE-2020-8177 has been assigned to this vulnerability. A CVSS v3 base score of
7.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:H/A:H ).

3.2.117 USE AFTER FREE CWE-416

Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the
wrong connection when sending data.

CVE-2020-8231 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.118 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

A malicious server can use the FTP PASV response to trick curl 7.73.0 and
earlier into connecting back to a given IP address and port, and this way
potentially make curl extract information about services that are otherwise
private and not disclosed, for example doing port scanning and service banner
extractions.

CVE-2020-8284 has been assigned to this vulnerability. A CVSS v3 base score of
3.7 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:L/I:N/A:N ).

3.2.119 UNCONTROLLED RECURSION CWE-674

curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due
to a stack overflow issue in FTP wildcard match parsing.

CVE-2020-8285 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.120 IMPROPER CERTIFICATE VALIDATION CWE-295

The libcurl library versions 7.41.0 to and including 7.73.0 are vulnerable to
an improper check for certificate revocation due to insufficient verification
of the OCSP response. This vulnerability could allow an attacker to pass a
revoked certificate as valid.

CVE-2020-8286 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:H/A:N ).

3.2.121 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through
3.8.1, an insecure dependency load upon launch on Windows 7 may result in an
attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used
instead of the system's copy. Windows 8 and later are unaffected.

CVE-2020-8315 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:N/I:H/A:N ).

3.2.122 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through
3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct regular
expression denial-of-service (ReDoS) attacks against a client because of
urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

CVE-2020-8492 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.123 NULL POINTER DEREFERENCE CWE-476

In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL
pointer dereference and segmentation fault because of generated column
optimizations.

CVE-2020-9327 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.124 OUT-OF-BOUNDS WRITE CWE-787

The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack
buffer during range reduction if an input to an 80-bit long double function
contains a non-canonical bit pattern, as seen when passing a
0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps
/ieee754/ldbl-96/e_rem_pio2l.c.

CVE-2020-10029 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.125 OUT-OF-BOUNDS WRITE CWE-787

An issue was discovered in International Components for Unicode (ICU) for C/C++
through 66.1. An integer overflow, leading to a heap-based buffer overflow,
exists in the UnicodeString::doAppend() function in common/unistr.cpp.

CVE-2020-10531 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.126 OUT-OF-BOUNDS WRITE CWE-787

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow
because nested regular expression quantifiers have an integer overflow.

CVE-2020-10543 has been assigned to this vulnerability. A CVSS v3 base score of
8.2 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:L/A:H ).

3.2.127 INCORRECT TYPE CONVERSION OR CAST CWE-704

A flaw was found in Python. In algorithms with quadratic time complexity using
non-binary bases, when using int("text"), a system could take 50ms to parse an
int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal,
int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not
affected). The highest threat from this vulnerability is to system
availability.

CVE-2020-10735 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.128 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Perl before 5.30.3 has an integer overflow related to mishandling of a
"PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could
lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10878 has been assigned to this vulnerability. A CVSS v3 base score of
8.6 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:L/A:H ).

3.2.129 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest
affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06
commit. The DTLS client always uses 32 '\0' bytes instead of a random value,
and thus contributes no randomness to a DTLS negotiation. This breaks the
security guarantees of the DTLS protocol.

CVE-2020-11501 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:H/A:N ).

3.2.130 IMPROPER INITIALIZATION CWE-665

SQLite through 3.31.1 allows attackers to cause a denial-of-service
(segmentation fault) via a malformed window-function query because the AggInfo
object's initialization is mishandled.

CVE-2020-11655 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.131 USE AFTER FREE CWE-416

In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free,
as demonstrated by an ORDER BY clause that belongs to a compound SELECT
statement.

CVE-2020-11656 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.132 IMPROPER INPUT VALIDATION CWE-20

The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the
server upon a utimes system call failure, which allows a malicious unprivileged
user on the remote server to overwrite arbitrary files in the client's download
directory by creating a crafted subdirectory anywhere on the remote server. The
victim must use the command scp -rp to download a file hierarchy containing,
anywhere inside, this crafted subdirectory. NOTE: the vendor points out that
"this attack can achieve no more than a hostile peer is already able to achieve
within the scp protocol" and "utimes does not fail under normal circumstances."

CVE-2020-12062 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:H/A:N ).

3.2.133 UNCONTROLLED RECURSION CWE-674

In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested
boolean expressions can result in denial of service (daemon crash).

CVE-2020-12243 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.134 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
CWE-120

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular
expression because of recursive S_study_chunk calls.

CVE-2020-12723 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.135 INTEGER OVERFLOW OR WRAPAROUND CWE-190

json-c through 0.14 has an integer overflow and out-of-bounds write via a large
JSON file, as demonstrated by printbuf_memappend.

CVE-2020-12762 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.136 INTEGER OVERFLOW OR WRAPAROUND CWE-190

SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in
printf.c.

CVE-2020-13434 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.137 NULL POINTER DEREFERENCE CWE-476

SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in
expr.c.

CVE-2020-13435 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.138 AUTHENTICATION BYPASS BY SPOOFING CWE-290

An exploitable denial-of-service vulnerability exists in systemd 245. A
specially crafted DHCP FORCERENEW packet can cause a server running the DHCP
client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a
pair of FORCERENEW and DHCP ACK packets to reconfigure the server.

CVE-2020-13529 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:A/AC:H/PR:N/UI:N
/S:C/C:N/I:N/A:H ).

3.2.139 USE AFTER FREE CWE-416

ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in
fts3EvalNextRow, related to the snippet feature.

CVE-2020-13630 has been assigned to this vulnerability. A CVSS v3 base score of
7.0 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.140 IMPROPER INPUT VALIDATION CWE-20

SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of
its shadow tables, related to alter.c and build.c.

CVE-2020-13631 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:H/A:N ).

3.2.141 NULL POINTER DEREFERENCE CWE-476

ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference
via a crafted matchinfo() query.

CVE-2020-13632 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.142 IMPROPER PRIVILEGE MANAGEMENT CWE-269

systemd through v245 mishandles numerical usernames such as ones composed of
decimal digits or 0x followed by hex digits, as demonstrated by use of root
privileges when privileges of the 0x0 user account were intended. NOTE: this
issue exists because of an incomplete fix for CVE-2017-1000082.

CVE-2020-13776 has been assigned to this vulnerability. A CVSS v3 base score of
6.7 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:R
/S:U/C:H/I:H/A:H ).

3.2.143 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session
ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in
TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an
error in a 2018-09-18 commit. Until the first key rotation, the TLS server
always uses wrong data in place of an encryption key derived from an
application.

CVE-2020-13777 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:H/A:N ).

3.2.144 USE AFTER FREE CWE-416

SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the
parse tree rewrite for window functions is too late.

CVE-2020-13871 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.145 OBSERVABLE DISCREPANCY CWE-203

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy
leading to an information leak in the algorithm negotiation. This allows
man-in-the-middle attackers to target initial connection attempts (where no
host key for the server has been cached by the client). NOTE: some reports
state that 8.5 and 8.6 are also affected.

CVE-2020-14145 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.146 INCORRECT CALCULATION CWE-682

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the
IPv4Interface and IPv6Interface classes, which might allow a remote attacker to
cause a denial of service if an application is affected by the performance of a
dictionary containing IPv4Interface or IPv6Interface objects, and this attacker
can cause many dictionary entries to be created. This is fixed in: v3.5.10,
v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1;
v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.

CVE-2020-14422 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.147 OUT-OF-BOUNDS WRITE CWE-787

In SQLite before 3.32.3, select.c mishandles query-flattener optimization,
leading to a multiSelectOrderBy heap overflow because of misuse of transitive
properties for constant propagation.

CVE-2020-15358 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.148 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9
through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases
where CPython is embedded in a native application. This occurs because
python3X.dll may use an invalid search path for python3.dll loading (after
Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe
from a standard (non-embedded) Python installation on Windows.

CVE-2020-15523 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.149 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS
COMMAND INJECTION') CWE-78

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote
function, as demonstrated by backtick characters in the destination argument.
NOTE: the vendor reportedly has stated that they intentionally omit validation
of "anomalous argument transfers" because that could "stand a great chance of
breaking existing workflows."

CVE-2020-15778 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.150 UNTRUSTED SEARCH PATH CWE-426

In Python 3.8.4, sys.path restrictions specified in a python38._pth file are
ignored, allowing code to be loaded from arbitrary locations. The
'executable-name'._pth file (e.g., the python._pth file) is not affected.

CVE-2020-15801 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.151 OUT-OF-BOUNDS WRITE CWE-787

Buffer Overflow vulnerability in one_one_mapping function in progs/
dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a
denial-of-service via a crafted command.

CVE-2020-19185 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.152 OUT-OF-BOUNDS WRITE CWE-787

Buffer Overflow vulnerability in _nc_find_entry function in tinfo/
comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a
denial-of-service via a crafted command.

CVE-2020-19186 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.153 OUT-OF-BOUNDS WRITE CWE-787

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100
in ncurses 6.1 allows remote attackers to cause a denial-of-service via a
crafted command.

CVE-2020-19187 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.154 OUT-OF-BOUNDS WRITE CWE-787

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116
in ncurses 6.1 allows remote attackers to cause a denial-of-service via a
crafted command.

CVE-2020-19188 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.155 OUT-OF-BOUNDS WRITE CWE-787

Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/
parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a
denial-of-service via a crafted command.

CVE-2020-19189 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.156 OUT-OF-BOUNDS WRITE CWE-787

Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in
ncurses 6.1 allows remote attackers to cause a denial-of-service via a
crafted command.

CVE-2020-19190 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.157 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large
value as the retry delay. NOTE: many parties report that this has no direct
security impact on the curl user; however, it may (in theory) cause a denial of
service to associated systems or networks if, for example, --retry-delay is
misinterpreted as a value much smaller than what was intended. This is not
especially plausible because the overflow only happens if the user was trying
to specify that curl should wait weeks (or longer) before trying to recover
from a transient error.

CVE-2020-19909 has been assigned to this vulnerability. A CVSS v3 base score of
3.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:L ).

3.2.158 OUT-OF-BOUNDS WRITE CWE-787

The libcpu component, which is used by libasm of elfutils version 0.177 (git
47780c9e), suffers from a denial-of-service vulnerability caused by application
crashes due to an out-of-bounds write (CWE-787), an off-by-one error (CWE-193)
and a reachable assertion (CWE-617); to exploit the vulnerability, attackers
need to craft certain ELF files that bypass the missing bounds checks.

CVE-2020-21047 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.159 USE AFTER FREE CWE-416

International Components for Unicode (ICU-20850) v66.1 was discovered to
contain a use-after-free bug in the pkg_createWithAssemblyCode function in the
file tools/pkgdata/pkgdata.cpp.

CVE-2020-21913 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.160 OUT-OF-BOUNDS WRITE CWE-787

An issue was discovered in the function _libssh2_packet_add in libssh2 1.10.0
that allows attackers to access out-of-bounds memory.

CVE-2020-22218 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.161 OUT-OF-BOUNDS WRITE CWE-787

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL
pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent
with unexpected timing, and then an invalid second handshake occurs. The crash
happens in the application's error handling path, where the gnutls_deinit
function is called after detecting a handshake failure.

CVE-2020-24659 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.162 OUT-OF-BOUNDS READ CWE-125

GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in
xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in
commit 50f06b3e.

CVE-2020-24977 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:N/A:L ).

3.2.163 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference was found in OpenLDAP server and was fixed in
openldap 2.4.55, during a request for renaming RDNs. An unauthenticated
attacker could remotely crash the slapd process by sending a specially crafted
request, causing a denial-of-service.

CVE-2020-25692 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.164 REACHABLE ASSERTION CWE-617

A flaw was found in OpenLDAP. This flaw allows an attacker who can send a
malicious packet to be processed by OpenLDAP's slapd server, to trigger an
assertion failure. The highest threat from this vulnerability is to system
availability.

CVE-2020-25709 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.165 REACHABLE ASSERTION CWE-617

A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an
attacker who sends a malicious packet processed by OpenLDAP to force a failed
assertion in csnNormalize23(). The highest threat from this vulnerability is to
system availability.

CVE-2020-25710 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.166 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A
DOWNSTREAM COMPONENT ('INJECTION') CWE-74

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before
3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls
the HTTP request method, as demonstrated by inserting CR and LF control
characters in the first argument of HTTPConnection.request.

CVE-2020-26116 has been assigned to this vulnerability. A CVSS v3 base score of
7.2 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:C/C:L/I:L/A:N ).

3.2.167 LOOP WITH UNREACHABLE EXIT CONDITION ('INFINITE LOOP') CWE-835

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier,
when processing invalid multi-byte input sequences in IBM1364, IBM1371,
IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state,
which could lead to an infinite loop in applications, resulting in a
denial-of-service, a different vulnerability from CVE-2016-10228.

CVE-2020-27618 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.168 UNCONTROLLED RECURSION CWE-674

MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows
unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/
asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.

CVE-2020-28196 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.169 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer
overflows have been discovered in the array allocations in the p11-kit library
and the p11-kit list command, where overflow checks are missing before calling
realloc or calloc.

CVE-2020-29361 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.170 OUT-OF-BOUNDS READ CWE-125

An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer
over-read has been discovered in the RPC protocol used by the p11-kit server/
remote commands and the client library. When the remote entity supplies a byte
array through a serialized PKCS#11 function call, the receiving entity may
allow the reading of up to 4 bytes of memory past the heap allocation.

CVE-2020-29362 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:N/A:N ).

3.2.171 OUT-OF-BOUNDS WRITE CWE-787

An issue was discovered in p11-kit 0.23.6 through 0.23.21. A heap-based buffer
overflow has been discovered in the RPC protocol used by p11-kit server/remote
commands and the client library. When the remote entity supplies a serialized
byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient
length for the buffer to store the deserialized value.

CVE-2020-29363 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.172 REACHABLE ASSERTION CWE-617

The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when
converting UCS4 text containing an irreversible character, fails an assertion
in the code path and aborts the program, potentially resulting in a
denial-of-service.

CVE-2020-29562 has been assigned to this vulnerability. A CVSS v3 base score of
4.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:L/UI:R
/S:U/C:N/I:N/A:H ).

3.2.173 OUT-OF-BOUNDS WRITE CWE-787

sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23
on x86 targets has a stack-based buffer overflow if the input to any of the
printf family of functions is an 80-bit long double with a non-canonical bit
pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value
to sprintf. NOTE: the issue does not affect glibc by default in 2016 or later
(i.e., 2.23 or later) because of commits made in 2015 for inlining of C99 math
functions through use of GCC built-ins. In other words, the reference to 2.23
is intentional despite the mention of "Fixed for glibc 2.33" in the 26649
reference.

CVE-2020-29573 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.174 NULL POINTER DEREFERENCE CWE-476

In SQLite 3.31.1, a potential NULL pointer dereference was found in the
INTERSECT query processing.

CVE-2020-35525 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.175 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE
for views that have a nested FROM clause.

CVE-2020-35527 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.176 INTEGER UNDERFLOW (WRAP OR WRAPAROUND) CWE-191

An integer underflow was discovered in OpenLDAP before 2.4.57 leading to slapd
crashes in the Certificate Exact Assertion processing, resulting in
denial-of-service (schema_init.c serialNumberAndIssuerCheck).

CVE-2020-36221 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.177 REACHABLE ASSERTION CWE-617

A flaw was discovered in OpenLDAP before 2.4.57 leading to an assertion failure
in slapd in the saslAuthzTo validation, resulting in denial-of-service.

CVE-2020-36222 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.178 OUT-OF-BOUNDS READ CWE-125

A flaw was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the
Values Return Filter control handling, resulting in denial-of-service (double
free and out-of-bounds read).

CVE-2020-36223 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.179 RELEASE OF INVALID POINTER OR REFERENCE CWE-763

A flaw was discovered in OpenLDAP before 2.4.57 leading to an invalid pointer
free and slapd crash in the saslAuthzTo processing, resulting in
denial-of-service.

CVE-2020-36224 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.180 DOUBLE FREE CWE-415

A flaw was discovered in OpenLDAP before 2.4.57 leading to a double free and
slapd crash in the saslAuthzTo processing, resulting in denial-of-service.

CVE-2020-36225 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.181 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

A flaw was discovered in OpenLDAP before 2.4.57 leading to a memch->bv_len
miscalculation and slapd crash in the saslAuthzTo processing, resulting in
denial-of-service.

CVE-2020-36226 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.182 LOOP WITH UNREACHABLE EXIT CONDITION ('INFINITE LOOP') CWE-835

A flaw was discovered in OpenLDAP before 2.4.57 leading to an infinite loop in
slapd with the cancel_extop Cancel operation, resulting in denial-of-service.

CVE-2020-36227 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.183 INTEGER UNDERFLOW (WRAP OR WRAPAROUND) CWE-191

An integer underflow was discovered in OpenLDAP before 2.4.57 leading to a
slapd crash in the Certificate List Exact Assertion processing, resulting in
denial-of-service.

CVE-2020-36228 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.184 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843

A flaw was discovered in ldap_X509dn2bv in OpenLDAP before 2.4.57 leading to a
slapd crash in the X.509 DN parsing in ad_keystring, resulting in
denial-of-service.

CVE-2020-36229 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.185 REACHABLE ASSERTION CWE-617

A flaw was discovered in OpenLDAP before 2.4.57 leading to an assertion failure
in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in
denial-of-service.

CVE-2020-36230 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.186 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
CWE-120

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/
callproc.c, which may lead to remote code execution in certain Python
applications that accept floating-point numbers as untrusted input, as
demonstrated by a 1e300 argument to c_double.from_param. This occurs because
sprintf is used unsafely.

CVE-2021-3177 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.187 REACHABLE ASSERTION CWE-617

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier,
when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an
assertion in the code path and aborts the program, potentially resulting in a
denial-of-service.

CVE-2021-3326 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.188 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers
or is able to convince another local or adjacent user to start a pydoc server
could access the server and use it to disclose sensitive information belonging
to the other user that they would not normally be able to access. The highest
risk of this flaw is to data confidentiality. This flaw affects Python versions
before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.

CVE-2021-3426 has been assigned to this vulnerability. A CVSS v3 base score of
5.7 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:L/UI:N
/S:U/C:H/I:N/A:N ).

3.2.189 USE AFTER FREE CWE-416

There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who
is able to submit a crafted file to be processed by xmllint could trigger a
use-after-free. The greatest impact of this flaw is to confidentiality,
integrity, and availability.

CVE-2021-3516 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.190 OUT-OF-BOUNDS WRITE CWE-787

There is a flaw in the xml entity encoding functionality of libxml2 in versions
before 2.9.11. An attacker who is able to supply a crafted file to be processed
by an application linked with the affected functionality of libxml2 could
trigger an out-of-bounds read. The most likely impact of this flaw is to
application availability, with some potential impact to confidentiality and
integrity if an attacker is able to use memory information to further exploit
the application.

CVE-2021-3517 has been assigned to this vulnerability. A CVSS v3 base score of
8.6 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:L/A:H ).

3.2.191 USE AFTER FREE CWE-416

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to
submit a crafted file to be processed by an application linked with libxml2
could trigger a use-after-free. The greatest impact from this flaw is to
confidentiality, integrity, and availability.

CVE-2021-3518 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.192 INTEGER OVERFLOW OR WRAPAROUND CWE-190

There's a flaw in lz4. An attacker who submits a crafted file to an application
linked with lz4 may be able to trigger an integer overflow, leading to calling
of memmove() on a negative size argument, causing an out-of-bounds write and/or
a crash. The greatest impact of this flaw is to availability, with some
potential impact to confidentiality and integrity as well.

CVE-2021-3520 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.193 NULL POINTER DEREFERENCE CWE-476

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did
not propagate errors while parsing XML mixed content, causing a NULL
dereference. If an untrusted XML document was parsed in recovery mode and
post-validated, the flaw could be used to crash the application. The highest
threat from this vulnerability is to system availability.

CVE-2021-3537 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.194 IMPROPER RESTRICTION OF RECURSIVE ENTITY REFERENCES IN DTDS ('XML
ENTITY EXPANSION') CWE-776

A flaw was found in libxml2. An exponential entity expansion attack is possible
that bypasses all existing protection mechanisms, leading to denial-of-service.

CVE-2021-3541 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.195 IMPROPER INPUT VALIDATION CWE-20

A flaw was found in the way nettle's RSA decryption functions handled specially
crafted ciphertext. An attacker could use this flaw to provide a manipulated
ciphertext leading to application crash and denial-of-service.

CVE-2021-3580 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.196 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who
controls a malicious HTTP server that an HTTP client (such as a web browser)
connects to, could trigger a Regular Expression Denial of Service (ReDoS)
during an authentication request with a specially crafted payload that is sent
by the server to the client. The greatest threat that this flaw poses is to
application availability.

CVE-2021-3733 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.197 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A flaw was found in Python. An improperly handled HTTP response in the HTTP
client code of Python may allow a remote attacker, who controls the HTTP
server, to make the client script enter an infinite loop, consuming CPU time.
The highest threat from this vulnerability is to system availability.

CVE-2021-3737 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.198 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in
libiberty allows attackers to potentially cause a denial-of-service
(segmentation fault and crash) via a crafted mangled symbol.

CVE-2021-3826 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.199 UNCONTROLLED RECURSION CWE-674

A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may
lead to a denial-of-service at boot time when too many nested directories are
created in /tmp.

CVE-2021-3997 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.200 OUT-OF-BOUNDS READ CWE-125

A flaw was found in glibc. The realpath() function can mistakenly return an
unexpected value, potentially leading to information leakage and disclosure of
sensitive data.

CVE-2021-3998 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.201 OFF-BY-ONE ERROR CWE-193

A flaw was found in glibc. An off-by-one buffer overflow and underflow in
getcwd() may lead to memory corruption when the size of the buffer is exactly
1. A local attacker who can control the input buffer and size passed to
getcwd() in a setuid program could use this flaw to potentially execute
arbitrary code and escalate their privileges on the system.

CVE-2021-3999 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.202 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

It was found that a specially crafted LUKS header could trick cryptsetup into
disabling encryption during the recovery of the device. An attacker with
physical access to the medium, such as a flash disk, could use this flaw to
force a user into permanently disabling the encryption layer of that medium.

CVE-2021-4122 has been assigned to this vulnerability. A CVSS v3 base score of
4.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:P/AC:L/PR:N/UI:R
/S:U/C:N/I:H/A:N ).

3.2.203 UNCHECKED RETURN VALUE CWE-252

A flaw was found in Python, specifically in the FTP (File Transfer Protocol)
client library in PASV (passive) mode. The issue is how the FTP client trusts
the host from the PASV response by default. This flaw allows an attacker to set
up a malicious FTP server that can trick FTP clients into connecting back to a
given IP address and port. This vulnerability could lead to FTP client scanning
ports, which otherwise would not have been possible.

CVE-2021-4189 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:N/A:N ).
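
How the PASV trust decision described above plays out, as an added example that is not CPython's own ftplib code: a parser for the server's 227 reply and the check a hardened client applies, using constructed sample replies. The patched ftplib applies the same check when `FTP.trust_server_pasv_ipv4` is False.

```python
"""Added example (not CPython's own code) for the PASV trust problem behind
CVE-2021-4189. The patched ftplib compares the host advertised in the
server's '227' reply with the peer of the control connection and, unless
FTP.trust_server_pasv_ipv4 is True, reuses the control peer for the data
connection. The helpers below reproduce that decision stand-alone."""
from __future__ import annotations

import ftplib
import re
from typing import Tuple

# Constructed sample replies, as a server would send them in PASV mode.
# The second one advertises a host that is not the server the client
# connected to (this is the pattern the advisory describes).
PASV_OK = "227 Entering Passive Mode (203,0,113,7,195,80)"
PASV_REDIRECT = "227 Entering Passive Mode (10,0,0,5,0,22)"

_PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Parse a '227 ... (h1,h2,h3,h4,p1,p2)' reply into (host, port)."""
    if not reply.startswith("227"):
        raise ftplib.error_reply(reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ftplib.error_proto(reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ftplib.error_proto(reply)
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) + nums[5]
    return host, port


def pasv_target(reply: str, control_peer: str,
                trust_server: bool = False) -> Tuple[str, int]:
    """Decide where the data connection goes.

    trust_server=True is the pre-fix default: connect wherever the reply
    says, so a malicious server can steer the client to any host:port.
    trust_server=False (the default here, and FTP.trust_server_pasv_ipv4 =
    False in patched ftplib) keeps the advertised port but connects back to
    the control connection's peer instead of the advertised host."""
    host, port = parse_pasv(reply)
    if trust_server:
        return host, port
    return control_peer, port


def harden_ftplib() -> bool:
    """Opt out of trusting the advertised PASV host for every FTP object on a
    patched interpreter; returns the resulting class attribute value."""
    ftplib.FTP.trust_server_pasv_ipv4 = False
    return ftplib.FTP.trust_server_pasv_ipv4
```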

3.2.204 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update
functions internally call memcpy, providing zero-length input may cause
undefined behavior. This flaw leads to a denial-of-service after authentication
in rare circumstances.

CVE-2021-4209 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.205 OUT-OF-BOUNDS READ CWE-125

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an
attacker who can submit a crafted input file to tar to cause uncontrolled
consumption of memory. The highest threat from this vulnerability is to system
availability.

CVE-2021-20193 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.206 USE AFTER FREE CWE-416

A flaw was found in SQLite's SELECT query functionality (src/select.c). This
flaw allows an attacker who is capable of running SQL queries locally on the
SQLite database to cause a denial-of-service or possible code execution by
triggering a use-after-free. The highest threat from this vulnerability is to
system availability.

CVE-2021-20227 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.207 USE AFTER FREE CWE-416

A flaw was found in gnutls. A use after free issue in client sending key_share
extension may lead to memory corruption and other consequences.

CVE-2021-20231 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.208 USE AFTER FREE CWE-416

A flaw was found in gnutls. A use after free issue in client_send_params in lib
/ext/pre_shared_key.c may lead to memory corruption and other potential
consequences.

CVE-2021-20232 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.209 OUT-OF-BOUNDS WRITE CWE-787

A flaw was found in Nettle in versions before 3.7.2, where several Nettle
signature verification functions (GOST DSA, EDDSA & ECDSA) result in the
Elliptic Curve Cryptography point (ECC) multiply function being called with
out-of-range scalars, possibly resulting in incorrect results. This flaw allows
an attacker to force an invalid signature, causing an assertion failure or
possible validation. The highest threat from this vulnerability is to
confidentiality, integrity, as well as system availability.

CVE-2021-20305 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.210 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private
Personal Information to an Unauthorized Actor" by leaking credentials in the
HTTP Referer: header. libcurl does not strip off user credentials from the URL
when automatically populating the Referer: HTTP request header field in
outgoing HTTP requests, and therefore risks leaking sensitive data to the
server that is the target of the second HTTP request.

CVE-2021-22876 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:N/A:N ).

3.2.211 AUTHENTICATION BYPASS BY SPOOFING CWE-290

curl 7.63.0 to and including 7.75.0 includes a vulnerability that allows a
malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3
session tickets. When using an HTTPS proxy and TLS 1.3, libcurl can confuse
session tickets arriving from the HTTPS proxy but work as if they arrived from
the remote server and then wrongly "short-cut" the host handshake. When
confusing the tickets, an HTTPS proxy can trick libcurl to use the wrong
session ticket resume for the host and thereby circumvent the server TLS
certificate check and make a MITM attack possible to perform unnoticed. Note that
such a malicious HTTPS proxy needs to provide a certificate that curl will
accept for the MITMed server for an attack to work - unless curl has been told
to ignore the server certificate check.

CVE-2021-22890 has been assigned to this vulnerability. A CVSS v3 base score of
3.7 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:L/A:N ).

3.2.212 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong
session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl
is built to use the Schannel TLS library. The selected cipher set was stored in
a single "static" variable in the library, which has the surprising side-effect
that if an application sets up multiple concurrent transfers, the last one that
sets the ciphers will accidentally control the set used by all transfers. In a
worst-case scenario, this weakens transport security significantly.

CVE-2021-22897 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:N/A:N ).

3.2.213 MISSING INITIALIZATION OF RESOURCE CWE-909

curl 7.7 through 7.76.1 suffers from an information disclosure when the -t
command line option, known as CURLOPT_TELNETOPTIONS in libcurl, is used to send
variable=content pairs to TELNET servers. Due to a flaw in the option parser
for sending NEW_ENV variables, libcurl could be made to pass on uninitialized
data from a stack based buffer to the server, resulting in potentially
revealing sensitive internal information to the server using a clear-text
network protocol.

CVE-2021-22898 has been assigned to this vulnerability. A CVSS v3 base score of
3.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:R
/S:U/C:L/I:N/A:N ).

3.2.214 USE AFTER FREE CWE-416

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability
resulting in already freed memory being used when a TLS 1.3 session ticket
arrives over a connection. A malicious server can use this in rare unfortunate
circumstances to potentially reach remote code execution in the client. When
libcurl at run-time sets up support for TLS 1.3 session tickets on a connection
using OpenSSL, it stores pointers to the transfer in-memory object for later
retrieval when a session ticket arrives. If the connection is used by multiple
transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2
connection) that first transfer object might be freed before the new session is
established on that connection and then the function will access a memory
buffer that might be freed. When using that memory, libcurl might even call a
function pointer in the object, making it possible for a remote code execution
if the server could somehow manage to get crafted memory content into the
correct place in memory.

CVE-2021-22901 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.215 IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354

When curl is instructed to download content using the metalink feature, the
contents is verified against a hash provided in the metalink XML file. The
metalink XML file points out to the client how to get the same content from a
set of different URLs, potentially hosted by different servers, and the client
can then download the file from one or several of them, in a serial or parallel
manner. If one of the servers hosting the contents has been breached and the
contents of the specific file on that server is replaced with a modified
payload, curl should detect this when the hash of the file mismatches after a
completed download. It should remove the contents and instead try getting the
contents from another URL. This is not done, and instead such a hash mismatch
is only mentioned in text and the potentially malicious content is kept in the
file on disk.

CVE-2021-22922 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:H/A:N ).

3.2.216 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

When curl is instructed to get content using the metalink feature, and a user
name and password are used to download the metalink XML file, those same
credentials are then subsequently passed on to each of the servers from which
curl will download or try to download the contents from. Often contrary to the
user's expectations and intentions and without telling the user it happened.

CVE-2021-22923 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:R
/S:U/C:H/I:N/A:N ).

3.2.217 USE OF INCORRECTLY-RESOLVED NAME OR REFERENCE CWE-706

libcurl keeps previously used connections in a connection pool for subsequent
transfers to reuse, if one of them matches the setup. Due to errors in the
logic, the config matching function did not take 'issuercert' into account and
it compared the involved paths case insensitively, which could lead to libcurl
reusing wrong connections. File paths are, or can be, case sensitive on many
systems but not all, and can even vary depending on used file systems. The
comparison also didn't include the 'issuer cert' which a transfer can set to
qualify how to verify the server certificate.

CVE-2021-22924 has been assigned to this vulnerability. A CVSS v3 base score of
3.7 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:L/I:N/A:N ).

3.2.218 USE OF UNINITIALIZED RESOURCE CWE-908

curl supports the -t command line option, known as CURLOPT_TELNETOPTIONS in
libcurl. This rarely used option is used to send variable=content pairs to
TELNET servers. Due to a flaw in the option parser for sending NEW_ENV
variables, libcurl could be made to pass on uninitialized data from a stack
based buffer to the server, potentially revealing sensitive internal
information to the server using a clear-text network protocol. This could
happen because
curl did not call and use sscanf() correctly when parsing the string provided
by the application.

CVE-2021-22925 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:N/A:N ).

3.2.219 IMPROPER CERTIFICATE VALIDATION CWE-295

libcurl-using applications can ask for a specific client certificate to be used
in a transfer. This is done with the CURLOPT_SSLCERT option ( --cert with the
command line tool). When libcurl is built to use the macOS native TLS library
Secure Transport, an application can ask for the client certificate by name or
with a file name - using the same option. If the name exists as a file, it will
be used instead of by name. If the application runs with a current working
directory that is writable by other users (like /tmp ), a malicious user can
create a file name with the same name as the app wants to use by name, and
thereby trick the application to use the file based cert instead of the one
referred to by name making libcurl send the wrong client certificate in the TLS
connection handshake.

CVE-2021-22926 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.220 DOUBLE FREE CWE-415

When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some
circumstances erroneously keep a pointer to an already freed memory area and
both use that again in a subsequent call to send data and also free it again.

CVE-2021-22945 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:H ).

3.2.221 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to
TLS when speaking to an IMAP, POP3 or FTP server ( --ssl-reqd on the command
line or CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL
with libcurl). This requirement could be bypassed if the server would return a
properly crafted but perfectly legitimate response. This flaw would then make
curl silently continue its operations without TLS contrary to the instructions
and expectations, exposing possibly sensitive data in clear text over the
network.

CVE-2021-22946 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.222 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to
retrieve data using STARTTLS to upgrade to TLS security, the server can respond
and send back multiple responses at once that curl caches. curl would then
upgrade to TLS but not flush the in-queue of cached responses, and would instead
continue using and trusting the responses it got before the TLS handshake as if
they were authenticated. This flaw allows a Man-In-The-Middle attacker to first
inject fake responses, then pass through the TLS traffic from the legitimate
server, and trick curl into sending data back to the user as if the attacker's
injected data came from the TLS-protected server.

CVE-2021-22947 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:H/A:N ).
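The two curl entries above describe one trust boundary handled badly in two ways: continuing in plaintext when a required upgrade is not granted, and keeping unauthenticated bytes that arrived before the handshake. The following Python is an added example, not code from the advisory or from curl; it models a minimal IMAP-style client whose receive buffer spans the STARTTLS step, with network I/O replaced by a constructed byte stream. All class and function names are assumptions.

```python
# Added example (not part of the advisory, nor curl's code): a minimal
# IMAP-style STARTTLS client state machine. Network I/O is replaced by a
# constructed byte stream so it runs offline; all names are assumptions.


class TlsUpgradeRefused(Exception):
    """Raised when TLS was required but the server did not grant the upgrade."""


class StartTlsClient:
    """Hypothetical client holding a receive buffer across the STARTTLS step."""

    def __init__(self, require_tls: bool = True):
        self.require_tls = require_tls
        self.tls_active = False
        self.pending = b""                 # bytes received, not yet consumed
        self.discarded_pretls = b""        # what the upgrade threw away
        self._tag_counter = 0

    def feed(self, data: bytes) -> None:
        """Simulate bytes arriving from the socket (possibly several
        responses pipelined into one segment)."""
        self.pending += data

    def read_response(self):
        """Pop one CRLF-terminated response, or None if none is complete."""
        line, sep, rest = self.pending.partition(b"\r\n")
        if not sep:
            return None
        self.pending = rest
        return line.decode("ascii", errors="replace")

    def _next_tag(self) -> str:
        self._tag_counter += 1
        return f"A{self._tag_counter:03d}"

    def starttls(self) -> bool:
        """Handle the reply to a STARTTLS command; True if TLS is now active."""
        tag = self._next_tag()
        # The command "<tag> STARTTLS" would be written to the socket here.
        reply = self.read_response()
        if reply is None or not reply.startswith(f"{tag} OK"):
            # Check 1 (cf. CVE-2021-22946): when TLS is required, anything
            # other than a positive reply is a hard failure, never a silent
            # continuation in plaintext.
            if self.require_tls:
                raise TlsUpgradeRefused(f"server replied {reply!r}")
            return False
        # The TLS handshake would run on the socket here.
        self.tls_active = True
        # Check 2 (cf. CVE-2021-22947): bytes that arrived before the handshake
        # were never authenticated. Drop them rather than serving them as if
        # they came over the TLS-protected channel.
        self.discarded_pretls, self.pending = self.pending, b""
        return True


def upgrade_outcome(server_bytes: bytes, require_tls: bool = True):
    """Drive one client through STARTTLS on a constructed server stream.

    Returns (outcome, leftover) where outcome is 'tls', 'plaintext' or
    'refused' and leftover is whatever the client would still read afterwards.
    """
    client = StartTlsClient(require_tls=require_tls)
    client.feed(server_bytes)
    try:
        upgraded = client.starttls()
    except TlsUpgradeRefused:
        return "refused", client.pending
    return ("tls" if upgraded else "plaintext"), client.pending


if __name__ == "__main__":
    # Constructed stream: the genuine OK reply followed by a response that an
    # on-path attacker could have appended before the handshake.
    stream = b"A001 OK Begin TLS negotiation now\r\n* OK injected before handshake\r\n"
    print(upgrade_outcome(stream))                                 # ('tls', b'')
    print(upgrade_outcome(b"A001 BAD STARTTLS not supported\r\n"))  # ('refused', b'')
```

The discarded bytes are kept in discarded_pretls only so that a deployment can log them; a client that has nothing to do with them should simply drop them, as the fixed curl does.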

3.2.223 IMPROPER INPUT VALIDATION CWE-20

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before
3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable
to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by
using a vector called parameter cloaking. When the attacker can separate query
parameters using a semicolon (;), they can cause a difference in the
interpretation of the request between the proxy (running with default
configuration) and the server. This can result in malicious requests being
cached as completely safe ones, as the proxy would usually not see the
semicolon as a separator, and therefore would not include it in a cache key of
an unkeyed parameter.

CVE-2021-23336 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:R
/S:U/C:N/I:L/A:H ).
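The following Python is an added illustration, not code from the advisory or from CPython. It puts the two interpretations the entry describes side by side: a cache or proxy that splits the query only on the ampersand, and the pre-fix parse_qs behaviour that also split on the semicolon (re-implemented here in legacy_app_view). The hypothetical detect_parameter_cloaking helper reports the parameter names on which the two views disagree, which is the condition a reverse proxy would want to log or refuse to cache. The separator keyword used in proxy_view exists only on fixed CPython releases (3.9.2, 3.8.8 and later); the query strings are constructed.

```python
# Added example (not code from the advisory or from CPython): the two
# interpretations of a query string that parameter cloaking exploits, and a
# check that flags the disagreement. Query strings below are constructed.
import re
from urllib.parse import parse_qs, unquote_plus


def proxy_view(query: str) -> dict:
    """A cache or reverse proxy that splits on '&' only. This is also the
    post-fix parse_qs behaviour: separator="&" is the default on fixed
    CPython releases; it is spelled out here to make the choice explicit."""
    return parse_qs(query, keep_blank_values=True, separator="&")


def legacy_app_view(query: str) -> dict:
    """The pre-fix urllib.parse.parse_qs behaviour, re-implemented here:
    both '&' and ';' separate parameters (values are percent-decoded the
    same way parse_qs does, so the two views are comparable)."""
    result = {}
    for field in re.split(r"[&;]", query):
        if not field:
            continue
        key, _, value = field.partition("=")
        result.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return result


def detect_parameter_cloaking(query: str) -> list:
    """Names of parameters on which the proxy and the legacy application
    disagree. An empty list means both sides see the same request; anything
    else is a request the proxy must not cache under its '&'-only key."""
    proxy = proxy_view(query)
    app = legacy_app_view(query)
    return sorted(k for k in app if app[k] != proxy.get(k))


if __name__ == "__main__":
    q = "page=1&utm_source=x;callback=override"
    print(proxy_view(q))       # {'page': ['1'], 'utm_source': ['x;callback=override']}
    print(legacy_app_view(q))  # {'page': ['1'], 'utm_source': ['x'], 'callback': ['override']}
    print(detect_parameter_cloaking(q))  # ['callback', 'utm_source']
```

In the constructed query the proxy keys the cache on page and treats utm_source as one unkeyed value, while the legacy parser also sees a callback parameter the proxy never included in its key; that gap is the cache-poisoning vector.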

3.2.224 REACHABLE ASSERTION CWE-617

In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure
in slapd can occur in the issuerAndThisUpdateCheck function via a crafted
packet, resulting in a denial-of-service (daemon exit) via a short timestamp.
This is related to schema_init.c and checkTime.

CVE-2021-27212 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.225 INCORRECT CONVERSION BETWEEN NUMERIC TYPES CWE-681

An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4.
If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit
platform, the length would be truncated modulo 2**32, causing unintended length
truncation.

CVE-2021-27218 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.226 INCORRECT CONVERSION BETWEEN NUMERIC TYPES CWE-681

An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3.
The function g_bytes_new has an integer overflow on 64-bit platforms due to an
implicit cast from 64 bits to 32 bits. The overflow could potentially lead to
memory corruption.

CVE-2021-27219 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.227 DOUBLE FREE CWE-415

The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6)
2.29 through 2.33, when processing a request for netgroup lookup, may crash due
to a double-free, potentially resulting in degraded service or Denial of
Service on the local system. This is related to netgroupcache.c.

CVE-2021-27645 has been assigned to this vulnerability. A CVSS v3 base score of
2.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:N/I:N/A:L ).

3.2.228 DOUBLE FREE CWE-415

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few
less-common scenarios, such as unconstrained agent-socket access on a legacy
operating system, or the forwarding of an agent to an attacker-controlled host.

CVE-2021-28041 has been assigned to this vulnerability. A CVSS v3 base score of
7.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:L/UI:R
/S:U/C:H/I:H/A:H ).

3.2.229 IMPROPER LINK RESOLUTION BEFORE FILE ACCESS ('LINK FOLLOWING') CWE-59

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is
used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a
dangling symlink, it incorrectly also creates the target of the symlink as an
empty file, which could conceivably have security relevance if the symlink is
attacker-controlled. (If the path is a symlink to a file that already exists,
then the contents of that file correctly remain unchanged.)

CVE-2021-28153 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:L/A:N ).

3.2.230 IMPROPER CERTIFICATE VALIDATION CWE-295

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate
validation in some cases involving HTTPS to HTTPS proxies. The initial
connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config)
doesn't verify the hostname of the certificate. This means certificates for
different servers that still validate properly with the default urllib3
SSLContext will be silently accepted.

CVE-2021-28363 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:L/A:N ).

3.2.231 URL REDIRECTION TO UNTRUSTED SITE ('OPEN REDIRECT') CWE-601

Python 3.x through 3.10 has an open redirection vulnerability in
lib/http/server.py due to no protection against multiple slashes (/) at the
beginning of the URI path, which may lead to information disclosure.

CVE-2021-28861 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:C/C:H/I:N/A:N ).

3.2.232 OUT-OF-BOUNDS READ CWE-125

An issue was found in SQLite (SQLite3) v3.35.4 that could allow a remote
attacker to cause a denial of service via the appendvfs.c function.

CVE-2021-31239 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.233 OUT-OF-BOUNDS WRITE CWE-787

An issue was discovered in json-c from 20200420 (post 0.14 unreleased code)
through 0.15-20200726. A stack-buffer-overflow exists in the auxiliary sample
program json_parse which is located in the function parseit.

CVE-2021-32292 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.234 LOOP WITH UNREACHABLE EXIT CONDITION ('INFINITE LOOP') CWE-835

In elfutils 0.183, an infinite loop was found in the function handle_symtab in
readelf.c, which allows attackers to cause a denial-of-service (infinite loop)
via a crafted file.

CVE-2021-33294 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.235 OBSERVABLE DISCREPANCY CWE-203

Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption
because it lacks exponent blinding to address a side-channel attack against
mpi_powm, and the window size is not chosen appropriately. This, for example,
affects use of ElGamal in OpenPGP.

CVE-2021-33560 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.236 USE AFTER FREE CWE-416

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33
has a use-after-free. It may use the notification thread attributes object
(passed through its struct sigevent parameter) after it has been freed by the
caller, leading to a denial-of-service (application crash) or possibly
unspecified other impact.

CVE-2021-33574 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.237 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

The use of the alloca function with an uncontrolled size in the function
unit_name_path_escape allows a local attacker who is able to mount a filesystem
on a very long path to crash systemd and the whole system by allocating a very
large amount of space on the stack.

CVE-2021-33910 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.238 INTEGER OVERFLOW OR WRAPAROUND CWE-190

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or
read arbitrary memory in parse_param (in posix/wordexp.c) when called with an
untrusted, crafted pattern, potentially resulting in a denial-of-service or
disclosure of information. This occurs because atoi was used but strtoul should
have been used to ensure correct calculations.

CVE-2021-35942 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:H ).

3.2.239 USE AFTER FREE CWE-416

The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms
(called from __cil_verify_classpermission and __cil_pre_verify_helper).

CVE-2021-36084 has been assigned to this vulnerability. A CVSS v3 base score of
3.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:L ).

3.2.240 USE AFTER FREE CWE-416

The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms
(called from __verify_map_perm_classperms and hashtab_map).

CVE-2021-36085 has been assigned to this vulnerability. A CVSS v3 base score of
3.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:L ).

3.2.241 USE AFTER FREE CWE-416

The CIL compiler in SELinux 3.2 has a use-after-free in
cil_reset_classpermission (called from cil_reset_classperms_set and
cil_reset_classperms_list).

CVE-2021-36086 has been assigned to this vulnerability. A CVSS v3 base score of
3.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:L ).

3.2.242 OUT-OF-BOUNDS READ CWE-125

The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in
ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs
because there is sometimes a lack of checks for invalid statements in an
optional block.

CVE-2021-36087 has been assigned to this vulnerability. A CVSS v3 base score of
3.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:L ).

3.2.243 NULL POINTER DEREFERENCE CWE-476

ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT
Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote
attackers to cause a NULL pointer dereference and daemon crash. This occurs
because a return value is not properly managed in a certain situation.

CVE-2021-36222 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.244 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

A segmentation fault can occur in the sqlite3.exe command-line component of
SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL
query.

CVE-2021-36690 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.245 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An integer overflow in util-linux through 2.37.1 can potentially cause a buffer
overflow if an attacker were able to use system resources in a way that leads
to a large number in the /proc/sysvipc/sem file.

CVE-2021-37600 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.246 NULL POINTER DEREFERENCE CWE-476

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5
and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via
a FAST inner body that lacks a server field.

CVE-2021-37750 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.247 NULL POINTER DEREFERENCE CWE-476

In librt in the GNU C Library (aka glibc) through 2.34,
sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data,
leading to a NULL pointer dereference. NOTE: this vulnerability was introduced
as a side effect of the CVE-2021-33574 fix.

CVE-2021-38604 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.248 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default
configurations are used, allows privilege escalation because supplemental
groups are not initialized as expected. Helper programs for
AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges
associated with group memberships of the sshd process, if the configuration
specifies running the command as a different user.

CVE-2021-41617 has been assigned to this vulnerability. A CVSS v3 base score of
7.0 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.249 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote
attackers can force iconv() to emit a spurious '\0' character via crafted
ISO-2022-JP-3 data that is accompanied by an internal state reset. This may
affect data integrity in certain iconv() use cases.

CVE-2021-43396 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:H/A:N ).

3.2.250 INTEGER OVERFLOW OR WRAPAROUND CWE-190

GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an
mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input,
leading to a segmentation fault on 32-bit platforms.

CVE-2021-43618 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.251 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in
the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g.,
allocating too few bytes, or only freeing memory).

CVE-2021-45960 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.252 INTEGER OVERFLOW OR WRAPAROUND CWE-190

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer
overflow exists for m_groupSize.

CVE-2021-46143 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.253 UNCONTROLLED RECURSION CWE-674

GCC v12.0 was discovered to contain an uncontrolled recursion via the component
libiberty/rust-demangle.c. This vulnerability allows attackers to cause a
denial-of-service (DoS) by consuming excessive CPU and memory resources.

CVE-2021-46195 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.254 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

In libtirpc before 1.3.3rc1, remote attackers could exhaust the file
descriptors of a process that uses libtirpc because idle TCP connections are
mishandled. This can, in turn, lead to an svc_run infinite loop without
accepting new connections.

CVE-2021-46828 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.255 OFF-BY-ONE ERROR CWE-193

GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that
affects asn1_encode_simple_der.

CVE-2021-46848 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:H ).

3.2.256 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A
DOWNSTREAM COMPONENT ('INJECTION') CWE-74

A flaw was found in Python, specifically within the urllib.parse module. This
module helps break Uniform Resource Locator (URL) strings into components. The
issue involves how the urlparse method does not sanitize input and allows
characters like '\r' and '\n' in the URL path. This flaw allows an attacker to
input a crafted URL, leading to injection attacks. This flaw affects Python
versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

CVE-2022-0391 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:H/A:N ).
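A practical defence against the class of flaw described above is to validate an untrusted URL as a raw string before it is parsed or forwarded. The Python below is an added example, not code from the advisory or from CPython; it rejects any ASCII control character (which includes '\r' and '\n'), then applies a scheme allowlist and a host check on the parsed form. Function and class names are assumptions, and the sample URLs are constructed.

```python
# Added example (not code from the advisory or from CPython): validation of
# an untrusted URL before it is parsed or forwarded. Names are assumptions.
from urllib.parse import urlsplit, urlunsplit

# ASCII control characters (NUL..US and DEL); '\r', '\n' and '\t' are among them.
_CONTROL = {chr(c) for c in range(0x00, 0x20)} | {chr(0x7F)}
_ALLOWED_SCHEMES = {"http", "https"}


class UnsafeUrl(ValueError):
    """The URL must not be used; the message says why."""


def validate_untrusted_url(url: str) -> str:
    """Return a normalised URL, or raise UnsafeUrl.

    The raw string is inspected first: fixed CPython releases strip CR, LF and
    TAB inside urlsplit(), so checking only the parsed components would let
    the attempt pass unnoticed. Rejecting (and logging) is the safer default
    when the value is about to become part of a request line or header."""
    bad = sorted({c for c in url if c in _CONTROL})
    if bad:
        codes = ", ".join(f"0x{ord(c):02x}" for c in bad)
        raise UnsafeUrl(f"control characters in URL: {codes}")
    parts = urlsplit(url)
    if parts.scheme.lower() not in _ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeUrl("missing host")
    # Percent-encoded CR/LF ('%0d%0a') are data, not separators, and are left
    # alone here; they only become a problem if something decodes them later.
    return urlunsplit(parts)


def is_safe_url(url: str) -> bool:
    """Boolean wrapper for callers that only need the decision."""
    try:
        validate_untrusted_url(url)
        return True
    except (UnsafeUrl, ValueError):
        return False


if __name__ == "__main__":
    # Constructed inputs: a benign URL and one carrying a CRLF in the path.
    print(is_safe_url("https://example.com/path?x=1"))                 # True
    print(is_safe_url("https://example.com/path\r\nX-Injected: 1"))    # False
```

urlsplit() lowercases the scheme, so the returned value is normalised for comparison against allowlists as well.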

3.2.257 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209

A flaw was found in the util-linux chfn and chsh utilities when compiled with
Readline support. The Readline library uses an "INPUTRC" environment variable
to get a path to the library config file. When the library cannot parse the
specified file, it prints an error message containing data from the file. This
flaw allows an unprivileged user to read root-owned files, potentially leading
to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

CVE-2022-0563 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:N/A:N ).

3.2.258 LOOP WITH UNREACHABLE EXIT CONDITION ('INFINITE LOOP') CWE-835

The BN_mod_sqrt() function in OpenSSL, which computes a modular square root,
contains a bug that can cause it to loop forever for non-prime moduli.
Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form. It is possible to
trigger the infinite loop by crafting a certificate that has invalid explicit
curve parameters. Since certificate parsing happens prior to verification of
the certificate signature, any process that parses an externally supplied
certificate may thus be subject to a denial of service attack. The infinite
loop can also be reached when parsing crafted private keys as they can contain
explicit elliptic curve parameters.

CVE-2022-0778 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).
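The loop the entry describes is the search step of the Tonelli-Shanks algorithm, whose termination argument holds only when the modulus is prime. The Python below is an added example, not OpenSSL's code: it carries a bound on every search loop derived from the modulus, so a composite modulus or a non-residue input fails fast with ValueError instead of spinning. The small moduli in the usage are constructed for illustration.

```python
# Added example (not OpenSSL's code): Tonelli-Shanks modular square root with
# every search loop bounded, so untrusted moduli cannot cause an infinite loop.


def bounded_mod_sqrt(n: int, p: int) -> int:
    """Square root of n modulo an odd prime p.

    For prime p and a quadratic residue n this returns r with r*r % p == n.
    Every loop has a bound that a prime modulus can never exceed, so a
    composite p (or a non-residue n) raises ValueError instead of hanging."""
    if p < 3 or p % 2 == 0:
        raise ValueError("modulus must be an odd integer >= 3")
    n %= p
    if n == 0:
        return 0
    # Write p - 1 = q * 2**s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    # Find a quadratic non-residue z. For prime p one exists below p; for a
    # composite p the Euler test may never succeed, so the search stops at p.
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
        if z >= p:
            raise ValueError("no non-residue found: modulus is not prime")
    m, c = s, pow(z, q, p)
    t, r = pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        # Least i with t**(2**i) == 1. For prime p it is always < m; if the
        # bound is reached the input is a non-residue or p is composite
        # (for gcd(t, p) > 1 the unbounded search never terminates).
        i, tt = 0, t
        while tt != 1:
            tt = tt * tt % p
            i += 1
            if i >= m:
                raise ValueError("no square root: non-residue or composite modulus")
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p          # m strictly decreases: the outer loop ends
        t, r = t * c % p, r * b % p
    return r


def sqrt_or_none(n: int, p: int):
    """Convenience wrapper: the root, or None when the bounded search fails."""
    try:
        return bounded_mod_sqrt(n, p)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed cases: prime modulus with a residue, and composite moduli
    # that would trap an unbounded implementation.
    print(sqrt_or_none(10, 13))   # 7 (7*7 = 49 = 10 mod 13)
    print(sqrt_or_none(3, 15))    # None: t = 12 never reaches 1 modulo 15
    print(sqrt_or_none(5, 21))    # None: no non-residue satisfies the Euler test
```

The same pattern applies wherever a parser runs number-theoretic routines on attacker-supplied parameters before any signature has been checked: bound the iteration count by a quantity the honest case cannot exceed, and treat reaching the bound as a parse error.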

3.2.259 IMPROPER INPUT VALIDATION CWE-20

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility.
When zgrep is applied to a file name of the attacker's choosing (for example, a
crafted file name), it can write attacker-controlled content to an arbitrary
attacker-selected file. This flaw occurs due to insufficient validation when
processing file names containing two or more newlines, where the selected
content and the target file name are embedded in the crafted multi-line file
name. This flaw allows a remote, low privileged attacker to force zgrep to
write arbitrary files on the system.

CVE-2022-1271 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.260 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS
COMMAND INJECTION') CWE-78

The c_rehash script does not properly sanitise shell metacharacters to prevent
command injection.

CVE-2022-1292 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.261 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This
issue leads to a segmentation fault and possibly arbitrary code execution via a
specially crafted filesystem.

CVE-2022-1304 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.262 IMPROPER CERTIFICATE VALIDATION CWE-295

Under certain circumstances, the command line OCSP verify function reports
successful verification when the verification in fact failed. In this case the
incorrect successful response will also be accompanied by error messages
showing the failure and contradicting the apparently successful result.

CVE-2022-1343 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:L/A:N ).

3.2.263 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327

When using the RC4-MD5 ciphersuite, which is disabled by default, an attacker
is able to modify data in transit due to an incorrect use of the AAD data as
the MAC key in OpenSSL 3.0. An attacker is not able to decrypt any
communication.

CVE-2022-1434 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:H/A:N ).

3.2.264 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

The OpenSSL version in use improperly reuses memory when decoding certificates
or keys. This can lead to process termination and denial-of-service for
long-lived processes.

CVE-2022-1473 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.265 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS
COMMAND INJECTION') CWE-78

In addition to the c_rehash shell command injection identified in
CVE-2022-1292, further circumstances where the c_rehash script does not
properly sanitise shell metacharacters to prevent command injection were found
by code review. When the CVE-2022-1292 was fixed it was not discovered that
there are other places in the script where the file names of certificates being
hashed were possibly passed to a command executed through the shell. This
script is distributed by some operating systems in a manner where it is
automatically executed. On such operating systems, an attacker could execute
arbitrary commands with the privileges of the script. Use of the c_rehash
script is considered obsolete and should be replaced by the OpenSSL rehash
command line tool.

CVE-2022-2068 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.266 INADEQUATE ENCRYPTION STRENGTH CWE-326

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation will not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was preexisting in
the memory that wasn't written. In the special case of "in place" encryption,
sixteen bytes of the plaintext would be revealed. Since OpenSSL does not
support OCB based cipher suites for TLS and DTLS, they are both unaffected.

CVE-2022-2097 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:N/A:N ).

3.2.267 OUT-OF-BOUNDS WRITE CWE-787

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation
for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the
RSA implementation with 2048 bit private keys incorrect on such machines and
memory corruption will happen during the computation. As a consequence of the
memory corruption an attacker may be able to trigger a remote code execution on
the machine performing the computation. SSL/TLS servers or other servers using
2048 bit RSA private keys running on machines supporting AVX512IFMA
instructions of the X86_64 architecture are affected by this issue.

CVE-2022-2274 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.268 DOUBLE FREE CWE-415

A vulnerability was found in GnuTLS: a double free occurs during verification
of PKCS#7 signatures in the gnutls_pkcs7_verify function.

CVE-2022-2509 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.269 OUT-OF-BOUNDS WRITE CWE-787

A flaw was found in the bash package, where a heap-buffer overflow can occur in
valid parameter_transform. This issue may lead to memory problems.

CVE-2022-3715 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.270 OFF-BY-ONE ERROR CWE-193

An off-by-one error was discovered in systemd in the format_timespan() function
of time-util.c. An attacker could supply specific values for time and accuracy
that lead to a buffer overrun in format_timespan(), resulting in a
denial-of-service.

CVE-2022-3821 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.271 INADEQUATE ENCRYPTION STRENGTH CWE-326

A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OAEP and RSASVE. For example, in a TLS connection, RSA is commonly used by
a client to send an encrypted pre-master secret to the server. An attacker that
had observed a genuine connection between a client and a server could use this
flaw to send trial messages to the server and record the time taken to process
them. After a sufficiently large number of messages the attacker could recover
the pre-master secret used for the original connection and thus be able to
decrypt the application data sent over that connection.

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:H/A:N ).

3.2.272 DOUBLE FREE CWE-415

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data.
If the function succeeds then the "name_out", "header" and "data" arguments are
populated with pointers to buffers containing the relevant decoded data. The
caller is responsible for freeing those buffers. It is possible to construct a
PEM file that results in 0 bytes of payload data. In this case
PEM_read_bio_ex() will return a failure code but will populate the header
argument with a pointer to a buffer that has already been freed. If the caller
also frees this buffer then a double free will occur. This will most likely
lead to a crash.
This could be exploited by an attacker who has the ability to supply malicious
PEM files for parsing to achieve a denial of service attack. The functions
PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and
therefore these functions are also directly affected. These functions are also
called indirectly by a number of other OpenSSL functions including
PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also
vulnerable. Some OpenSSL internal uses of these functions are not vulnerable
because the caller does not free the header argument if PEM_read_bio_ex()
returns a failure code. These locations include the PEM_read_bio_TYPE()
functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL
asn1parse command line application is also impacted by this issue.

CVE-2022-4450 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.273 IMPROPER AUTHENTICATION CWE-287

An improper authentication vulnerability exists in curl 7.33.0 to and including
7.82.0 which might allow reuse of OAUTH2-authenticated connections without
properly making sure that the connection was authenticated with the same
credentials as set for this transfer. This affects SASL-enabled protocols:
SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).

CVE-2022-22576 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:N ).

3.2.274 INTEGER OVERFLOW OR WRAPAROUND CWE-190

addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer
overflow.

CVE-2022-22822 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.275 INTEGER OVERFLOW OR WRAPAROUND CWE-190

build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer
overflow.

CVE-2022-22823 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.276 INTEGER OVERFLOW OR WRAPAROUND CWE-190

defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an
integer overflow.

CVE-2022-22824 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.277 INTEGER OVERFLOW OR WRAPAROUND CWE-190

lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer
overflow.

CVE-2022-22825 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.278 INTEGER OVERFLOW OR WRAPAROUND CWE-190

nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an
integer overflow.

CVE-2022-22826 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.279 INTEGER OVERFLOW OR WRAPAROUND CWE-190

storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer
overflow.

CVE-2022-22827 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.280 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
CWE-120

The deprecated compatibility function svcunix_create in the sunrpc module of
the GNU C Library (aka glibc) through 2.34 copies its path argument on the
stack without validating its length, which may result in a buffer overflow,
potentially resulting in a denial-of-service or (if an application is not built
with a stack protector enabled) arbitrary code execution.

CVE-2022-23218 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.281 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
CWE-120

The deprecated compatibility function clnt_create in the sunrpc module of the
GNU C Library (aka glibc) through 2.34 copies its hostname argument on the
stack without validating its length, which may result in a buffer overflow,
potentially resulting in a denial-of-service or (if an application is not built
with a stack protector enabled) arbitrary code execution.

CVE-2022-23219 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.282 USE AFTER FREE CWE-416

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF
attributes.

CVE-2022-23308 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.283 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in
XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

CVE-2022-23852 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.284 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog
function.

CVE-2022-23990 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.285 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND
('SQL INJECTION') CWE-89

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not
escape the password for a SQL INSERT or UPDATE statement.

CVE-2022-24407 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.286 IMPROPER ENCODING OR ESCAPING OF OUTPUT CWE-116

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of
encoding, such as checks for whether a UTF-8 character is valid in a certain
context.

CVE-2022-25235 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.287 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert
namespace-separator characters into namespace URIs.

CVE-2022-25236 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.288 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion
in build_model via a large nesting depth in the DTD element.

CVE-2022-25313 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.289 INTEGER OVERFLOW OR WRAPAROUND CWE-190

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in
copyString.

CVE-2022-25314 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.290 INTEGER OVERFLOW OR WRAPAROUND CWE-190

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in
storeRawNames.

CVE-2022-25315 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.291 UNTRUSTED SEARCH PATH CWE-426

In Python before 3.10.3 on Windows, local users can gain privileges because the
search path is inadequately secured. The installer may allow a local attacker
to add user-writable directories to the system search path. To exploit, an
administrator must have installed Python for all users and enabled PATH
entries. A non-administrative user can trigger a repair that incorrectly adds
user-writable paths into PATH, enabling search-path hijacking of other users
and system services. This affects Python (CPython) through 3.7.12, 3.8.x
through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.

CVE-2022-26488 has been assigned to this vulnerability. A CVSS v3 base score of
7.0 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.292 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

An insufficiently protected credentials vulnerability exists in curl 4.9
through 7.82.0. When curl follows HTTP(S) redirects with authentication
enabled, it could leak the credentials to other services that live on a
different protocol or port number.

CVE-2022-27774 has been assigned to this vulnerability. A CVSS v3 base score of
5.7 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:R
/S:U/C:H/I:N/A:N ).

3.2.293 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

An information disclosure vulnerability exists in curl 7.65.0 through 7.82.0:
when a transfer used an IPv6 address that was already in the connection pool
but with a different zone id, curl could reuse the existing connection instead
of opening a new one.

CVE-2022-27775 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.294 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

An insufficiently protected credentials vulnerability, fixed in curl 7.83.0,
might leak authentication or cookie header data on HTTP redirects to the same
host but another port number.

CVE-2022-27776 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:N/A:N ).

3.2.295 USE OF INCORRECTLY-RESOLVED NAME OR REFERENCE CWE-706

A use of incorrectly resolved name vulnerability, fixed in curl 7.83.1, might
remove the wrong file when --no-clobber is used together with
--remove-on-error.

CVE-2022-27778 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:H/A:H ).

3.2.296 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if the
host name is provided with a trailing dot. curl can be told to receive and send
cookies. curl's "cookie engine" can be built with or without Public Suffix List
awareness. If PSL support is not provided, a more rudimentary check exists to
at least prevent cookies from being set on TLDs. This check was broken if the
host name in the URL uses a trailing dot. This can allow arbitrary sites to set
cookies that then would get sent to a different and unrelated site or domain.

CVE-2022-27779 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:N/A:N ).

3.2.297 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

The curl URL parser wrongly accepts percent-encoded URL separators like '/'
when decoding the host name part of a URL, making it a different URL using the
wrong host name when it is later retrieved. This flaw can be used to circumvent
filters, checks and more.
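As an added illustration (written for this page, not curl's code and not a
reproduction of its URL API), the following Python models the two parses an
application might perform on the same URL: a suffix allow-list that inspects
the still-encoded host, and a fetcher that percent-decodes the host and
rebuilds the URL before connecting. The allow-list suffix "example.com", the
loopback target hidden in front of %2F, and the rejection rule in
parse_host_strict are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Characters that delimit URL components. None of them may survive in a host
# name once percent-decoding has been applied.
HOST_FORBIDDEN = set("/\\?#@")


def host_as_filtered(url: str) -> str:
    """The host a naive allow-list sees: the authority as written, still
    percent-encoded (urlsplit lowercases it but does not decode it)."""
    return urlsplit(url).hostname or ""


def suffix_filter_allows(url: str, allowed_suffix: str) -> bool:
    """Allow-list check on the undecoded host, the kind of filter the
    advisory says can be circumvented."""
    return host_as_filtered(url).endswith(allowed_suffix)


def host_as_fetched(url: str) -> str:
    """Model of the flawed behaviour: percent-decode the authority part,
    rebuild the URL from its components and parse it again before the
    connection is made. A decoded '/' now terminates the host early."""
    parts = urlsplit(url)
    rebuilt = urlunsplit((parts.scheme, unquote(parts.netloc), parts.path,
                          parts.query, parts.fragment))
    return urlsplit(rebuilt).hostname or ""


def parse_host_strict(url: str) -> str:
    """Hardened parse: decode the host exactly once and refuse it if the
    decoded form contains a URL delimiter or a control character."""
    raw = urlsplit(url).hostname or ""
    decoded = unquote(raw)
    for ch in decoded:
        if ch in HOST_FORBIDDEN or ord(ch) < 0x20 or ord(ch) == 0x7F:
            raise ValueError(f"percent-encoded separator in host name: {raw!r}")
    return decoded


def host_is_acceptable(url: str) -> bool:
    """Boolean wrapper around parse_host_strict for callers that only need
    an accept/reject decision."""
    try:
        parse_host_strict(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed input: the real target sits in front of the encoded slash.
    crafted = "http://127.0.0.1%2Fexample.com/"
    print(suffix_filter_allows(crafted, "example.com"))  # True: filter passes
    print(host_as_fetched(crafted))                     # 127.0.0.1
    print(host_is_acceptable(crafted))                  # False: hardened parse
```

The point of the strict variant is that the decision is taken on the decoded
host and the same decoded host is what gets used afterwards, so a filter and a
fetcher can no longer disagree about which machine the URL names.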

CVE-2022-27780 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:H/A:N ).

3.2.298 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

libcurl provides the CURLOPT_CERTINFO option to allow applications to request
details to be returned about a server's certificate chain. Due to an erroneous
function, a malicious server could make libcurl built with NSS get stuck in a
never-ending busy-loop when trying to retrieve that information.

CVE-2022-27781 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.299 IMPROPER CERTIFICATE VALIDATION CWE-295

libcurl would reuse a previously created connection even when a TLS or SSH
related option had been changed that should have prohibited reuse. libcurl
keeps previously used connections in a connection pool for subsequent transfers
to reuse if one of them matches the setup. However, several TLS and SSH
settings were left out from the configuration match checks, making them match
too easily.

CVE-2022-27782 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:H/A:N ).

3.2.300 UNCONTROLLED RECURSION CWE-674

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in
demangle_const, as demonstrated by nm-new.

CVE-2022-27943 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.301 IMPROPER AUTHENTICATION CWE-287

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows
authentication bypass for SSH logins. The pam_access.so module doesn't
correctly restrict login if a user tries to connect from an IP address that is
not resolvable via DNS. In such conditions, a user with denied access to a
machine can still get access. NOTE: the relevance of this issue is largely
limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect
Linux-PAM upstream.

CVE-2022-28321 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.302 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND
('SQL INJECTION') CWE-89

In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection
vulnerability exists in the experimental back-sql backend to slapd, via a SQL
statement within an LDAP query. This can occur during an LDAP search operation
when the search filter is processed, due to a lack of proper escaping.

CVE-2022-29155 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.303 INTEGER OVERFLOW OR WRAPAROUND CWE-190

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf)
and tree.c (xmlBuffer) don't check for integer overflows. This can result in
out-of-bounds memory writes. Exploitation requires a victim to open a crafted,
multi-gigabyte XML file. Other software using libxml2's buffer functions, for
example libxslt through 1.1.35, is affected as well.

CVE-2022-29824 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.304 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Using its HSTS support, curl can be instructed to use HTTPS directly instead of
using an insecure clear-text HTTP step even when HTTP is provided in the URL.
This mechanism could be bypassed if the host name in the given URL used a
trailing dot while not using one when it built the HSTS cache, or the other way
around: by having the trailing dot in the HSTS cache and not using the trailing
dot in the URL.

CVE-2022-30115 has been assigned to this vulnerability. A CVSS v3 base score of
4.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:L/I:N/A:N ).

3.2.305 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

A malicious server can serve excessive amounts of "Set-Cookie:" headers in an
HTTP response, and curl versions prior to 7.84.0 store all of them. A
sufficiently large amount of (big) cookies makes subsequent HTTP requests to
this server, or to other servers the cookies match, larger than the threshold
curl uses internally to avoid sending excessively large requests (1048576
bytes), so curl returns an error instead of sending them. This denial state
might remain for as long as the same cookies are kept, match and haven't
expired.

CVE-2022-32205 has been assigned to this vulnerability. A CVSS v3 base score of
4.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:L ).

3.2.306 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

curl versions prior to 7.84.0 support "chained" HTTP compression algorithms,
meaning that a server response can be compressed multiple times and potentially
with different algorithms. The number of acceptable "links" in this
"decompression chain" was unbounded, allowing a malicious server to insert a
virtually unlimited number of compression steps. The use of such a
decompression chain could result in a "malloc bomb", making curl end up
spending enormous amounts of allocated heap memory, or trying to and returning
out of memory errors.
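An added Python example (not curl's code) of the bound that closes this hole:
the response's Content-Encoding list is parsed, its length is checked against
a fixed limit before any decompression starts, and the stages are then undone
in reverse order. The limit of five stages is an assumption chosen for this
page; compress_chain() builds the nested gzip body a malicious server would
send, so the check can be exercised offline.

```python
import gzip
import zlib
from typing import Optional

# Assumed policy for this example: refuse a Content-Encoding chain longer
# than this many stages before allocating anything for decompression.
MAX_DECOMPRESSION_STAGES = 5


def compress_chain(payload: bytes, stages: int) -> tuple:
    """Build a body compressed `stages` times plus the matching header value.
    Each stage wraps the previous gzip stream in another gzip stream, which
    is how a server drives the malloc bomb described above."""
    body = payload
    for _ in range(stages):
        body = gzip.compress(body)
    return body, ", ".join(["gzip"] * stages)


def parse_content_encoding(header: str) -> list:
    """Split 'gzip, deflate' into tokens, in the order the server applied them."""
    return [tok.strip().lower() for tok in header.split(",") if tok.strip()]


def chain_within_limit(content_encoding: str,
                       max_stages: Optional[int] = MAX_DECOMPRESSION_STAGES) -> bool:
    """True if the chain may be decoded under the given limit (None = no limit)."""
    return max_stages is None or len(parse_content_encoding(content_encoding)) <= max_stages


def decode_body(body: bytes, content_encoding: str,
                max_stages: Optional[int] = MAX_DECOMPRESSION_STAGES) -> bytes:
    """Undo the encodings last-applied-first. The length check runs before
    the first decompression so that an over-long chain costs no memory.
    max_stages=None reproduces the unbounded behaviour of affected versions."""
    encodings = parse_content_encoding(content_encoding)
    if not chain_within_limit(content_encoding, max_stages):
        raise ValueError(f"decompression chain of {len(encodings)} stages "
                         f"exceeds the limit of {max_stages}")
    for enc in reversed(encodings):
        if enc == "gzip":
            body = gzip.decompress(body)
        elif enc == "deflate":
            body = zlib.decompress(body)
        elif enc == "identity":
            continue
        else:
            raise ValueError(f"unsupported content-coding: {enc}")
    return body


if __name__ == "__main__":
    # Constructed sample response body.
    payload = b"hello, world " * 64
    body, header = compress_chain(payload, 3)
    print(decode_body(body, header) == payload)            # True
    bomb, header = compress_chain(payload, 12)
    print(chain_within_limit(header))                      # False: refused
```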

CVE-2022-32206 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.307 INCORRECT DEFAULT PERMISSIONS CWE-276

When curl versions prior to 7.84.0 save cookies, alt-svc and hsts data to
local files, they make the operation atomic by finalizing it with a rename from
a temporary name to the final target file name. In that rename operation, the
permissions of the target file might accidentally be widened, leaving the
updated file accessible to more users than intended.
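As an added Python example (not curl's implementation), here is the
rename-based atomic save done so that the target file's existing permission
bits survive: the temporary file is created owner-only by mkstemp, the
original mode is copied onto it before the rename, and a file that did not
exist yet falls back to 0600. save_naively() shows the widening the entry
describes; the mode it produces depends on the process umask. The 0600 default
and the temporary-file prefix are choices made here.

```python
import os
import stat
import tempfile


def file_mode(path: str) -> int:
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def current_umask() -> int:
    """Read the umask without changing it (umask() can only set-and-return)."""
    mask = os.umask(0)
    os.umask(mask)
    return mask


def save_naively(path: str, data: bytes) -> None:
    """Flawed pattern: open() creates the temporary file with 0666 & ~umask,
    and the rename installs that (usually wider) mode on the target."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(data)
    os.replace(tmp, path)


def save_atomically(path: str, data: bytes, default_mode: int = 0o600) -> None:
    """Atomic replace that keeps the target's permission bits."""
    try:
        mode = file_mode(path)
    except FileNotFoundError:
        mode = default_mode
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")  # 0600, O_EXCL
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)      # copy the original bits before it goes live
        os.replace(tmp, path)    # atomic on POSIX: readers see old or new
    except BaseException:
        os.unlink(tmp)
        raise


def demo() -> tuple:
    """Start from a 0600 cookie jar in a fresh temporary directory, rewrite
    it both ways and return (naive_mode, safe_mode, umask)."""
    workdir = tempfile.mkdtemp()
    jar = os.path.join(workdir, "cookies.txt")
    with open(jar, "wb"):
        pass
    os.chmod(jar, 0o600)
    save_naively(jar, b"# Netscape HTTP Cookie File\n")   # constructed content
    naive_mode = file_mode(jar)
    os.chmod(jar, 0o600)
    save_atomically(jar, b"# Netscape HTTP Cookie File\n")
    safe_mode = file_mode(jar)
    return naive_mode, safe_mode, current_umask()


if __name__ == "__main__":
    naive, safe, mask = demo()
    print(f"naive: {naive:04o}  safe: {safe:04o}  umask: {mask:04o}")
```

With the common umask of 022 the naive path turns the 0600 jar into a 0644
file readable by every local user; the safe path leaves it at 0600 regardless
of the umask.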

CVE-2022-32207 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.308 OUT-OF-BOUNDS WRITE CWE-787

When curl versions prior to 7.84.0 do FTP transfers secured by krb5, they
handle message verification failures wrongly. This flaw makes it possible for
a man-in-the-middle attack to go unnoticed and even allows the attacker to
inject data into the client.

CVE-2022-32208 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.309 EXPECTED BEHAVIOR VIOLATION CWE-440

When doing HTTP(S) transfers, libcurl might erroneously use the read callback
(CURLOPT_READFUNCTION) to ask for data to send, even when the
CURLOPT_POSTFIELDS option has been set, if the same handle previously was used
to issue a PUT request which used that callback. This flaw may surprise the
application and cause it to misbehave and either send off the wrong data or use
memory after free or similar in the subsequent POST request. The problem exists
in the logic for a reused handle when it is changed from a PUT to a POST.

CVE-2022-32221 has been assigned to this vulnerability. A CVSS v3 base score of
8.2 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:L/A:N ).

3.2.310 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286

When curl is used to retrieve and parse cookies from an HTTP(S) server, it
accepts cookies containing control codes that, when later sent back to an HTTP
server, might make the server return 400 responses, effectively allowing a
"sister site" to deny service to all siblings.
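One added example covering both this entry and 3.2.296 above (the trailing-dot
TLD check): a small cookie acceptance function in Python written for this page
rather than taken from curl. It reproduces the rudimentary no-PSL rule as "a
domain without an interior dot is a TLD" and adds the control-character
rejection; the Set-Cookie parser is deliberately minimal, and the `hardened`
switch exists only to contrast the flawed and corrected behaviour on the same
input.

```python
import re

# Control codes (and DEL) that RFC 6265 does not allow in a cookie name or
# value; a server receiving them back in a Cookie: header may answer 400.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def normalise_domain(domain: str) -> str:
    """Lowercase, drop a leading dot and one trailing dot."""
    d = domain.lower().lstrip(".")
    return d[:-1] if d.endswith(".") else d


def is_bare_tld(domain: str) -> bool:
    """Rudimentary no-PSL rule: a domain with no dot is a top level domain."""
    return "." not in domain


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: name=value followed by ;-separated attrs."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def accept_cookie(request_host: str, header: str, hardened: bool) -> bool:
    """Return True if the cookie in `header` may be stored for request_host."""
    cookie = parse_set_cookie(header)
    domain = cookie["attrs"].get("domain", request_host)
    if hardened:
        # Reject control codes up front: they would be echoed back later.
        if CONTROL_CHARS.search(cookie["name"]) or CONTROL_CHARS.search(cookie["value"]):
            return False
        domain = normalise_domain(domain)
        host = normalise_domain(request_host)
    else:
        # Flawed variant: the trailing dot is kept, so "com." looks like a
        # two-label domain and slips past the TLD check.
        domain = domain.lower().lstrip(".")
        host = request_host.lower()
    if is_bare_tld(domain):
        return False
    # Domain-match: the cookie domain must equal the host or be a parent of it.
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    # Constructed inputs: a response from "evil.com." trying to set a cookie
    # for the whole "com" TLD, and one carrying a control character.
    print(accept_cookie("evil.com.", "id=1; Domain=com.", hardened=False))  # True
    print(accept_cookie("evil.com.", "id=1; Domain=com.", hardened=True))   # False
    print(accept_cookie("www.example.com", "sid=a\x01b", hardened=True))   # False
```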

CVE-2022-35252 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.311 STACK-BASED BUFFER OVERFLOW CWE-121

curl can be told to parse a .netrc file for credentials. If that file ends in a
line with 4095 consecutive non-white space letters and no newline, curl would
first read past the end of the stack-based buffer, and if the read works, write
a zero byte beyond its boundary. This will in most cases cause a segfault or
similar, but circumstances might also cause different outcomes. If a malicious
user can provide a custom netrc file to an application or otherwise affect its
contents, this flaw could be used as denial-of-service.

CVE-2022-35260 has been assigned to this vulnerability. A CVSS v3 base score of
8.6 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:L/A:H ).

3.2.312 IMPROPER VALIDATION OF ARRAY INDEX CWE-129

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds
overflow if billions of bytes are used in a string argument to a C API.

CVE-2022-35737 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.313 OUT-OF-BOUNDS WRITE CWE-787

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in
inflate in inflate.c via a large gzip header extra field. NOTE: only
applications that call inflateGetHeader are affected. Some common applications
bundle the affected zlib source code but may be unable to call inflateGetHeader
(e.g., see the nodejs/node reference).

CVE-2022-37434 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.314 INTEGER OVERFLOW OR WRAPAROUND CWE-190

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer
overflow and resultant buffer overflow that allows attackers to execute
arbitrary code or eliminate expected cryptographic properties. This occurs in
the sponge function interface.

CVE-2022-37454 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.315 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte
XML document with the XML_PARSE_HUGE parser option enabled, several integer
counters can overflow. This results in an attempt to access an array at a
negative 2GB offset, typically leading to a segmentation fault.

CVE-2022-40303 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.316 DOUBLE FREE CWE-415

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity
definitions can corrupt a hash table key, potentially leading to subsequent
logic errors. In one case, a double-free can be provoked.

CVE-2022-40304 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.317 USE AFTER FREE CWE-416

libexpat before 2.4.9 has a use-after-free in the doContent function in
xmlparse.c.

CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.318 INTEGER OVERFLOW OR WRAPAROUND CWE-190

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1
has integer overflows that may lead to remote code execution (in KDC, kadmind,
or a GSS or Kerberos application server) on 32-bit platforms (which have a
resultant heap-based buffer overflow), and cause a denial of service on other
platforms.

CVE-2022-42898 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.319 DOUBLE FREE CWE-415

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for
a transfer with a non-HTTP(S) URL, it sets up the connection to the remote
server by issuing a CONNECT request to the proxy, and then tunnels the rest of
the protocol through. An HTTP proxy might refuse this request (HTTP proxies
often only allow outgoing connections to specific port numbers, like 443 for
HTTPS) and instead return a non-200 status code to the client. Due to flaws in
the error/cleanup handling, this could trigger a double free in curl if one of
the following schemes were used in the URL for the transfer: dict, gopher,
gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is
7.77.0.

CVE-2022-42915 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.320 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

In curl before 7.86.0, the HSTS check could be bypassed to trick it into
staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS
directly (instead of using an insecure cleartext HTTP step) even when HTTP is
provided in the URL. This mechanism could be bypassed if the host name in the
given URL uses IDN characters that get replaced with ASCII counterparts as part
of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL
STOP) instead of the common ASCII full stop of U+002E (.). The earliest
affected version is 7.77.0 2021-05-26.

CVE-2022-42916 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:N ).

3.2.321 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

A vulnerability exists in the HSTS check of curl versions prior to 7.87.0 that
could be bypassed to trick it into keeping using HTTP. Using its HSTS support,
curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step
even when HTTP is provided in the URL. However, the HSTS mechanism could be
bypassed if the host name in the given URL first uses IDN characters that get
replaced with ASCII counterparts as part of the IDN conversion, such as the
character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full
stop U+002E (.). In a subsequent request curl then does not detect the HSTS
state and makes a clear-text transfer, because it stored the information
IDN-encoded but looked it up IDN-decoded.
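The three HSTS bypasses in this advisory (3.2.304, 3.2.320 and this entry)
share one root cause: the cache was written with one spelling of the host and
queried with another. The Python below is an added example, not curl's HSTS
implementation. It keeps a minimal HSTS cache keyed either on the raw host
string (the flawed behaviour) or on a canonical form, and shows the lookup
failing in the first case and succeeding in the second for both a trailing dot
and a U+3002 separator. The 253-octet length guard and the reliance on
Python's built-in idna codec to map U+3002 to '.' are choices made here.

```python
import time


def canonical_host(host: str) -> str:
    """Canonical spelling used for every cache write and lookup: convert
    through IDNA (Python's idna codec also maps U+3002, U+FF0E and U+FF61 to
    an ASCII '.'), lowercase, and drop a single trailing dot. The length
    guard bounds the work handed to the IDNA codec."""
    if len(host) > 253:
        raise ValueError("host name too long")
    ascii_host = host.encode("idna").decode("ascii").lower()
    return ascii_host[:-1] if ascii_host.endswith(".") else ascii_host


class HstsCache:
    """Host -> policy expiry in monotonic seconds. With canonicalise=False the
    raw spelling is the key, which is the behaviour the entries describe."""

    def __init__(self, canonicalise: bool) -> None:
        self.canonicalise = canonicalise
        self.entries = {}

    def _key(self, host: str) -> str:
        return canonical_host(host) if self.canonicalise else host

    def remember(self, host: str, max_age: int) -> None:
        """Record a Strict-Transport-Security policy seen for host."""
        self.entries[self._key(host)] = time.monotonic() + max_age

    def must_use_https(self, host: str) -> bool:
        expiry = self.entries.get(self._key(host))
        return expiry is not None and expiry > time.monotonic()


def scheme_for(cache: HstsCache, scheme: str, host: str) -> str:
    """Upgrade http:// to https:// when the cache holds a live policy."""
    if scheme == "http" and cache.must_use_https(host):
        return "https"
    return scheme


if __name__ == "__main__":
    # Constructed scenario: a policy learned for "example.com", then the same
    # host requested with a trailing dot and with U+3002 as the separator.
    for canon in (False, True):
        cache = HstsCache(canonicalise=canon)
        cache.remember("example.com", 3600)
        print(canon,
              scheme_for(cache, "http", "example.com."),
              scheme_for(cache, "http", "example\u3002com"))
```

The same canonical form must be applied to the Location header of a redirect
and to any other place a host name enters the client, otherwise the cache and
the request can still disagree.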

CVE-2022-43551 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.322 USE AFTER FREE CWE-416

curl can be asked to tunnel virtually all protocols it supports through an HTTP
proxy. HTTP proxies can (and often do) deny such tunnel operations using an
appropriate HTTP error response code. When getting denied to tunnel the
specific protocols SMB or TELNET, curl would use a heap-allocated struct after
it had been freed, in its transfer shutdown code path.

CVE-2022-43552 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.323 USE AFTER FREE CWE-416

In libexpat through 2.4.9, there is a use-after-free caused by overeager
destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory
situations.

CVE-2022-43680 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.324 INEFFICIENT ALGORITHMIC COMPLEXITY CWE-407

An issue was discovered in Python before 3.11.1. An unnecessary quadratic
algorithm exists in one path when processing some inputs to the IDNA (RFC 3490)
decoder, such that a crafted, unreasonably long name being presented to the
decoder could lead to a CPU denial of service. Hostnames are often supplied by
remote servers that could be controlled by a malicious actor; in such a
scenario, they could trigger excessive CPU consumption on the client attempting
to make use of an attacker-supplied supposed hostname. For example, the attack
payload could be placed in the Location header of an HTTP response with status
code 302.

CVE-2022-45061 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.325 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock
by triggering a crash that has a long backtrace. This occurs in
parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash
a binary calling the same function recursively, and put it in a deeply nested
directory to make its backtrace large enough to cause the deadlock. This must
be done 16 times when MaxConnections=16 is set for the systemd/units/
systemd-coredump.socket file.

CVE-2022-45873 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.326 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI
script, does not properly implement the azProhibitedFunctions protection
mechanism, and instead allows UDF functions such as WRITEFILE.

CVE-2022-46908 has been assigned to this vulnerability. A CVSS v3 base score of
7.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:L ).

3.2.327 OUT-OF-BOUNDS READ CWE-125

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of
uninitialized memory for a conditional jump. Exploitation to change the flow of
control has not been demonstrated. The issue occurs in from_header in list.c
via a V7 archive in which mtime has approximately 11 whitespace characters.

CVE-2022-48303 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.328 OUT-OF-BOUNDS WRITE CWE-787

In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that
can lead to remote code execution or local privilege escalation.

CVE-2022-48522 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.329 USE AFTER FREE CWE-416

A use-after-free exists in Python through 3.9 via heappushpop in heapq.

CVE-2022-48560 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.330 USE AFTER FREE CWE-416

The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the
SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by
end user applications. The function receives a BIO from the caller, prepends a
new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then
returns the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO is
freed and the function returns a NULL result indicating a failure. However, in
this case, the BIO chain is not properly cleaned up and the BIO passed by the
caller still retains internal pointers to the previously freed filter BIO. If
the caller then goes on to call BIO_pop() on the BIO then a use-after-free will
occur. This will most likely result in a crash.

CVE-2023-0215 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.331 IMPROPER INPUT VALIDATION CWE-20

There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted
by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING. When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.

CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:N/A:H ).

3.2.332 OBSERVABLE DISCREPANCY CWE-203

A timing side-channel in the handling of RSA ClientKeyExchange messages was
discovered in GnuTLS. This side-channel can be sufficient to recover the key
encrypted in the RSA ciphertext across a network in a Bleichenbacher style
attack. To achieve a successful decryption the attacker would need to send a
large amount of specially crafted messages to the vulnerable server. By
recovering the secret from the ClientKeyExchange message, the attacker would be
able to decrypt the application data exchanged over that connection.

CVE-2023-0361 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:H/A:N ).

3.2.333 IMPROPER CERTIFICATE VALIDATION CWE-295

A security vulnerability has been identified in all supported versions of
OpenSSL related to the verification of X.509 certificate chains that include
policy constraints. Attackers may be able to exploit this vulnerability by
creating a malicious certificate chain that triggers exponential use of
computational resources, leading to a denial-of-service (DoS) attack on
affected systems. Policy processing is disabled by default but can be enabled
by passing the -policy argument to the command line utilities or by calling the
X509_VERIFY_PARAM_set1_policies() function.

CVE-2023-0464 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.334 IMPROPER CERTIFICATE VALIDATION CWE-295

Applications that use a non-default option when verifying certificates may be
vulnerable to an attack from a malicious CA to circumvent certain checks.
Invalid certificate policies in leaf certificates are silently ignored by
OpenSSL and other certificate policy checks are skipped for that certificate. A
malicious CA could use this to deliberately assert invalid certificate policies
in order to circumvent policy checking on the certificate altogether. Policy
processing is disabled by default but can be enabled by passing the -policy
argument to the command line utilities or by calling the
X509_VERIFY_PARAM_set1_policies() function.

CVE-2023-0465 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:L/A:N ).

3.2.335 IMPROPER CERTIFICATE VALIDATION CWE-295

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable
the certificate policy check when doing certificate verification. However the
implementation of the function does not enable the check which allows
certificates with invalid or incorrect policies to pass the certificate
verification. As suddenly enabling the policy check could break existing
deployments it was decided to keep the existing behavior of the
X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require
OpenSSL to perform certificate policy check need to use
X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by
calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag
argument. Certificate policy checks are disabled by default in OpenSSL and are
not commonly used by applications.

CVE-2023-0466 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:L/A:N ).

3.2.336 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
CWE-120

A vulnerability was found in GNU C Library 2.38. This vulnerability affects the
function __monstartup of the file gmon.c of the component Call Graph Monitor.
The manipulation leads to buffer overflow. It is recommended to apply a patch
to fix this issue.

CVE-2023-0687 has been assigned to this vulnerability. A CVSS v3 base score of
4.6 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:A/AC:H/PR:L/UI:N
/S:U/C:L/I:L/A:L ).

3.2.337 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843

In the Linux kernel, pick_next_rt_entity() may return a type confused entry,
not detected by the BUG_ON condition, as the confused entry will not be NULL,
but list_head. The buggy error condition would lead to a type confused entry
with the list head, which would then be used as a type confused
sched_rt_entity, causing memory corruption.

CVE-2023-1077 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.338 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A hash collision flaw was found in the IPv6 connection lookup table in the
Linux kernel's IPv6 functionality when a user makes a new kind of SYN flood
attack. A user located in the local network or with a high bandwidth connection
can increase the CPU usage of the server that accepts IPv6 connections up to
95%.

CVE-2023-1206 has been assigned to this vulnerability. A CVSS v3 base score of
5.7 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.339 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

Processing some specially crafted ASN.1 object identifiers or data containing
them may be very slow. Applications that use OBJ_obj2txt() directly, or use any
of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no
message size limit may experience notable to very long delays when processing
those messages, which may lead to a denial-of-service.

CVE-2023-2650 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.340 NULL POINTER DEREFERENCE CWE-476

A vulnerability was found in openldap. This security flaw causes a null pointer
dereference in ber_memalloc_x() function.

CVE-2023-2953 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.341 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference issue was found in the gfs2 file system in the Linux
kernel. It occurs on corrupt gfs2 file systems when the evict code tries to
reference the journal descriptor structure after it has been freed and set to
NULL. A privileged local user could use this flaw to cause a kernel panic.

CVE-2023-3212 has been assigned to this vulnerability. A CVSS v3 base score of
4.4 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:H/UI:N
/S:U/C:N/I:N/A:H ).

3.2.342 INEFFICIENT REGULAR EXPRESSION COMPLEXITY CWE-1333

Checking excessively long DH keys or parameters may be very slow. Applications
that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to
check a DH key or DH parameters may experience long delays. Where the key or
parameters that are being checked have been obtained from an untrusted source
this may lead to a denial-of-service. The function DH_check() performs various
checks on DH parameters. One of those checks confirms that the modulus ('p'
parameter) is not too large. Trying to use a very large modulus is slow and
OpenSSL will not normally use a modulus which is over 10,000 bits in length.
However the DH_check() function checks numerous aspects of the key or
parameters that have been supplied. Some of those checks use the supplied
modulus value even if it has already been found to be too large. An application
that calls DH_check() and supplies a key or parameters obtained from an
untrusted source could be vulnerable to a denial-of-service attack. The
function DH_check() is itself called by a number of other OpenSSL functions. An
application calling any of those other functions may similarly be affected. The
other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the '-check' option. The OpenSSL SSL/TLS implementation is not
affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected
by this issue.

CVE-2023-3446 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:L ).

3.2.343 USE AFTER FREE CWE-416

A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32
component can be exploited to achieve local privilege escalation. If
tcf_change_indev() fails, u32_set_parms() will immediately return an error
after incrementing or decrementing the reference counter in tcf_bind_filter().
If an attacker can control the reference counter and set it to zero, they can
cause the reference to be freed, leading to a use-after-free vulnerability.

CVE-2023-3609 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.344 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq
component can be exploited to achieve local privilege escalation. The
qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write
because lmax is updated according to packet sizes without bounds checks.

CVE-2023-3611 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.345 NULL POINTER DEREFERENCE CWE-476

A flaw was found in the Linux kernel's IP framework for transforming packets
(XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN
privileges to directly dereference a NULL pointer in xfrm_update_ae_params(),
leading to a possible kernel crash and denial of service.

CVE-2023-3772 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.346 EXCESSIVE ITERATION CWE-834

Checking excessively long DH keys or parameters may be very slow. Applications
that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to
check a DH key or DH parameters may experience long delays. Where the key or
parameters that are being checked have been obtained from an untrusted source
this may lead to a denial-of-service. The function DH_check() performs various
checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a
large q parameter value can also trigger an overly long computation during some
of these checks.

CVE-2023-3817 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:L ).

3.2.347 HEAP-BASED BUFFER OVERFLOW CWE-122

Under some circumstances, this weakness allows a user who has access to run the
"ps" utility on a machine to write almost unlimited amounts of unfiltered data
into the process heap.

CVE-2023-4016 has been assigned to this vulnerability. A CVSS v3 base score of
2.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:N/I:N/A:L ).

3.2.348 PROTECTION MECHANISM FAILURE CWE-693

A failure in the -fstack-protector feature in GCC-based tool chains that target
AArch64 allows an attacker to exploit an existing buffer overflow in
dynamically-sized local variables in the application without being detected.
This stack-protector failure only applies to C99-style dynamically-sized local
variables or those created using alloca(). The stack-protector operates as
intended for statically-sized local variables. An attacker who can exploit a
buffer overflow without triggering the stack-protector might be able to change
program flow control to cause an uncontrolled loss of availability or to go
further and affect confidentiality or integrity.

CVE-2023-4039 has been assigned to this vulnerability. A CVSS v3 base score of
4.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:L/I:L/A:N ).

3.2.349 OUT-OF-BOUNDS READ CWE-125

A flaw was found in glibc. When the getaddrinfo function is called with the
AF_UNSPEC address family and the system is configured with no-aaaa mode via
/etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially
disclose stack contents through the function returned address data, and may
cause a crash.

CVE-2023-4527 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:L/I:N/A:H ).

3.2.350 USE AFTER FREE CWE-416

A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC
qdisc traffic control) component can be exploited to achieve local privilege
escalation. This leaves a dangling pointer that can cause a use-after-free.

CVE-2023-4623 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.351 USE AFTER FREE CWE-416

A flaw was found in glibc. In an extremely rare situation, the getaddrinfo
function may access memory that has been freed, resulting in an application
crash.

CVE-2023-4806 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.352 IMPROPER INPUT VALIDATION CWE-20

The POLY1305 MAC (message authentication code) implementation contains a bug
that might corrupt the internal state of applications on the Windows 64
platform when running on newer X86_64 processors supporting the AVX512-IFMA
instructions. If in an application that uses the OpenSSL library, an attacker
can influence whether the POLY1305 MAC algorithm is used, the application state
might be corrupted with various application dependent consequences.

CVE-2023-4807 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.353 USE AFTER FREE CWE-416

A flaw was found in glibc. In an uncommon situation, the gaih_inet function may
use memory that has been freed, resulting in an application crash. This issue
is only exploitable when the getaddrinfo function is called and the hosts
database in /etc/nsswitch.conf is configured with SUCCESS=continue or
SUCCESS=merge.

CVE-2023-4813 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.354 STACK-BASED BUFFER OVERFLOW CWE-121

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so
while processing the GLIBC_TUNABLES environment variable. This issue could
allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment
variables when launching binaries with SUID permission to execute code with
elevated privileges.

CVE-2023-4911 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.355 USE AFTER FREE CWE-416

A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq
component can be exploited to achieve local privilege escalation. When the plug
qdisc is used as a class of the qfq qdisc, sending network packets triggers a
use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug
and lack of error checking in agg_dequeue().

CVE-2023-4921 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.356 MISSING RELEASE OF MEMORY AFTER EFFECTIVE LIFETIME CWE-401

A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806
introduced the potential for a memory leak, which may result in an application
crash.

CVE-2023-5156 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:L ).

3.2.357 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754

Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH
keys or parameters may be very slow. Applications that use the functions
DH_generate_key() to generate an X9.42 DH key may experience long delays.
Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or
EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may
experience long delays. Where the key or parameters that are being checked have
been obtained from an untrusted source this may lead to a denial-of-service.
While DH_check() performs all the necessary checks (as of CVE-2023-3817),
DH_check_pub_key() doesn't make any of these checks, and is therefore
vulnerable for excessively large P and Q parameters. Likewise, while
DH_generate_key() performs a check for an excessively large P, it doesn't check
for an excessively large Q.

CVE-2023-5678 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:L ).

3.2.358 OUT-OF-BOUNDS WRITE CWE-787

A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel
Performance Events (perf) component can be exploited to achieve local privilege
escalation. If perf_read_group() is called while an event's sibling_list is
smaller than its child's sibling_list, it can increment or write to memory
locations outside of the allocated buffer.

CVE-2023-5717 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.359 OBSERVABLE DISCREPANCY CWE-203

A vulnerability was found in which the response times to malformed cipher texts
in RSA-PSK ClientKeyExchange differ from the response times for cipher texts
with correct PKCS#1 v1.5 padding.

CVE-2023-5981 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.360 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

A cleartext transmission of sensitive information vulnerability exists in curl
versions prior to v7.88.0 that could cause HSTS functionality to fail when
multiple URLs are requested serially. Using its HSTS support, curl can be
instructed to use HTTPS instead of using an insecure clear-text HTTP step even
when HTTP is provided in the URL. This HSTS mechanism would however
surprisingly be ignored by subsequent transfers when done on the same command
line because the state would not be properly carried on.

CVE-2023-23914 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:N ).

3.2.361 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

A cleartext transmission of sensitive information vulnerability exists in curl
versions prior to v7.88.0 that could cause HSTS functionality to behave
incorrectly when multiple URLs are requested in parallel. Using its HSTS
support, curl can be instructed to use HTTPS instead of using an insecure
clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism
would however surprisingly fail when multiple transfers are done in parallel as
the HSTS cache file gets overwritten by the most recently completed transfer. A
later HTTP-only transfer to the earlier host name would then not get upgraded
properly to HSTS.

CVE-2023-23915 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:L/A:N ).

3.2.362 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

An allocation of resources without limits or throttling vulnerability exists in
curl versions prior to v7.88.0 based on the "chained" HTTP compression
algorithms, meaning that a server response can be compressed multiple times and
potentially with different algorithms. The number of acceptable "links" in this
"decompression chain" was capped, but the cap was implemented on a per-header
basis allowing a malicious server to insert a virtually unlimited number of
compression steps simply by using many headers. The use of such a decompression
chain could result in a "malloc bomb", making curl end up spending enormous
amounts of allocated heap memory, or trying to and returning out of memory
errors.

CVE-2023-23916 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.363 IMPROPER INPUT VALIDATION CWE-20

An issue in the urllib.parse component of Python before 3.11.4 allows attackers
to bypass blocklisting methods by supplying a URL that starts with blank
characters.

CVE-2023-24329 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:H/A:N ).
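A defender-side check for the urllib.parse issue above, written here as an added example (not code from the advisory or from CPython). It normalizes leading blank and C0 control characters before parsing, so an affected interpreter and a fixed one see the same scheme, and it replaces the scheme blocklist with an allowlist; the permitted hosts are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example; not from the advisory.
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_HOSTS = frozenset({"example.test", "api.example.test"})


def strip_leading_blanks(url: str) -> str:
    """Drop leading spaces and C0 control characters (U+0000..U+001F).

    Fixed urllib.parse versions do this themselves; Python before 3.11.4 does
    not, so a URL such as ' file:///etc/passwd' parses with an empty scheme
    there and slips past any check that looks at .scheme.
    """
    i = 0
    while i < len(url) and (url[i] == " " or ord(url[i]) <= 0x1F):
        i += 1
    return url[i:]


def naive_blocklist_allows(url: str) -> bool:
    """The weak pattern the advisory describes: reject only known-bad schemes.

    On an affected interpreter urlsplit(' file:///etc/passwd').scheme is '',
    which is not in the blocklist, so the URL is allowed. The result for
    inputs with leading blanks is therefore interpreter-version dependent.
    """
    blocked = {"file", "javascript", "data", "ftp"}
    return urlsplit(url).scheme.lower() not in blocked


def validate_url(url: str):
    """Hardened check: normalize, allowlist scheme and host, return the
    normalized URL (or None), so the string that was checked is the string
    that gets used downstream."""
    candidate = strip_leading_blanks(url)
    # Control characters anywhere else are never legitimate in a URL here.
    if any(ord(c) <= 0x1F or c == "\x7f" for c in candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 bracket in the netloc
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return None
    # Userinfo is not needed by this caller and is a classic confusion vector.
    if parts.username is not None or parts.password is not None:
        return None
    return urlunsplit(parts)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["https://example.test/api?x=1", " file:///etc/passwd",
                   "\x1fjavascript:alert(1)", "https://user@example.test/"]:
        print(repr(sample), "->", validate_url(sample))
```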

3.2.364 DOUBLE FREE CWE-415

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during
options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free
can be leveraged, by an unauthenticated remote attacker in the default
configuration, to jump to any location in the sshd address space.

CVE-2023-25136 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:L/A:H ).

3.2.365 OUT-OF-BOUNDS WRITE CWE-787

Sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds
write) in some situations with a correct buffer size. This is unrelated to
CWE-676. It may write beyond the bounds of the destination buffer when
attempting to write a padded, thousands-separated string representation of a
number, if the buffer is allocated the exact size required to represent that
number as a string.

CVE-2023-25139 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.366 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Systemd before 247 does not adequately block local privilege escalation for
some Sudo configurations, e.g., plausible sudoers files in which the "systemctl
status" command may be executed. Specifically, systemd does not set LESSSECURE
to 1, and thus other programs may be launched from the less program. This
presents a substantial security risk when running systemctl from Sudo, because
less executes as root when the terminal size is too small to show the complete
systemctl output.

CVE-2023-26604 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.367 IMPROPER INPUT VALIDATION CWE-20

GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to
improper parsing of a multipart/form-data boundary in the postprocessor.c
MHD_create_post_processor() method. This allows an attacker to remotely send a
malicious HTTP POST packet that includes one or more '\0' bytes in a
multipart/form-data boundary field, which - assuming a specific heap layout -
will result in an out-of-bounds read and a crash in the find_boundary() function.

CVE-2023-27371 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AC:H/AV:N/A:H ).

3.2.368 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A
DOWNSTREAM COMPONENT ('INJECTION') CWE-74

A vulnerability in input validation exists in curl versions prior to 8.0 that,
during communication using the TELNET protocol, may allow an attacker to pass
on a maliciously crafted user name and "telnet options" during server
negotiation. The lack of proper input scrubbing allows an attacker to send
content or perform option negotiation without the application's intent. This
vulnerability could be exploited if an application allows user input, thereby
enabling attackers to execute arbitrary code on the system.

CVE-2023-27533 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H ).

3.2.369 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22

A path traversal vulnerability exists in the curl <8.0.0 SFTP implementation
that causes the tilde character to be wrongly replaced when used as a prefix in
the first path element, in addition to its intended use as the first element to
indicate a path relative to the user's home directory. Attackers can exploit
this flaw to bypass filtering or execute arbitrary code by crafting a path like
/~2/foo while accessing a server with a specific user.

CVE-2023-27534 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.370 IMPROPER AUTHENTICATION CWE-287

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP
connection reuse feature that can result in wrong credentials being used during
subsequent transfers. Previously created connections are kept in a connection
pool for reuse if they match the current setup. However, certain FTP settings
such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER,
CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration
match checks, causing them to match too easily. This could lead to libcurl
using the wrong credentials when performing a transfer, potentially allowing
unauthorized access to sensitive information.

CVE-2023-27535 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.371 IMPROPER AUTHENTICATION CWE-287

An authentication bypass vulnerability exists in libcurl <8.0.0 in the
connection reuse feature which can reuse previously established connections
with incorrect user permissions due to a failure to check for changes in the
CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects
krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in
unauthorized access to sensitive information. The safest option is to not reuse
connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.

CVE-2023-27536 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.372 DOUBLE FREE CWE-415

A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data
between separate "handles". This sharing was introduced without consideration
for doing this sharing across separate threads, but there was no indication of
this fact in the documentation. Due to missing mutexes or thread locks, two
threads sharing the same HSTS data could end up doing a double-free or
use-after-free.

CVE-2023-27537 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.373 IMPROPER INPUT VALIDATION CWE-20

libcurl would reuse a previously created connection even when an SSH related
option had been changed that should have prohibited reuse. libcurl keeps
previously used connections in a connection pool for subsequent transfers to
reuse if one of them matches the setup. However, two SSH settings were left out
from the configuration match checks, making them match too easily.

CVE-2023-27538 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:H/A:N ).

3.2.374 NULL POINTER DEREFERENCE CWE-476

In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a
NULL pointer dereference and subsequently a segfault. This occurs in
xmlSchemaFixupComplexType in xmlschemas.c.

CVE-2023-28484 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.375 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the
intended per-hop destination constraints. The earliest affected version is 8.9.

CVE-2023-28531 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.376 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A
DOWNSTREAM COMPONENT ('INJECTION') CWE-74

In Shadow 4.13, it is possible to inject control characters into fields
provided to the SUID program chfn (change finger). Although it is not possible
to exploit this directly (e.g., adding a new user fails because \n is in the
block list), it is possible to misrepresent the /etc/passwd file when viewed.
Use of \r manipulations and Unicode characters to work around blocking of the :
character make it possible to give the impression that a new user has been
added. In other words, an adversary may be able to convince a system
administrator to take the system offline (an indirect, social-engineered denial
of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.

CVE-2023-29383 has been assigned to this vulnerability. A CVSS v3 base score of
3.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:L/A:N ).

3.2.377 DOUBLE FREE CWE-415

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict
strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce
non-deterministic values, leading to various logic and memory errors, such as a
double free. This behavior occurs because there is an attempt to use the first
byte of an empty string, and any value is possible (not solely the '\0' value).

CVE-2023-29469 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.378 OUT-OF-BOUNDS WRITE CWE-787

ncurses before 6.4 20230408, when used by a setuid application, allows local
users to trigger security-relevant memory corruption via malformed data in a
terminfo database file that is found in $HOME/.terminfo or reached via the
TERMINFO or TERM environment variable.

CVE-2023-29491 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.379 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A flaw was found in GLib. GVariant deserialization fails to validate that the
input conforms to the expected format, leading to denial of service.

CVE-2023-29499 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.380 DIVIDE BY ZERO CWE-369

An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2.
There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly
by ctrl_cdev_ioctl, when mtd->erasesize is 0.

CVE-2023-31085 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.381 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown
issue where a crafted GVariant can cause excessive processing, leading to
denial of service.

CVE-2023-32611 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.382 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A flaw was found in glib, where the gvariant deserialization code is vulnerable
to a denial of service introduced by additional input validation added to
resolve CVE-2023-29499. The offset table validation may be very slow. This bug
does not affect any released version of glib but does affect glib distributors
who followed the guidance of glib developers to backport the initial fix for
CVE-2023-29499.

CVE-2023-32636 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.383 HEAP-BASED BUFFER OVERFLOW CWE-122

A flaw was found in GLib. The GVariant deserialization code is vulnerable to a
heap buffer overflow introduced by the fix for CVE-2023-32665. This bug does
not affect any released version of GLib, but does affect GLib distributors who
followed the guidance of GLib developers to backport the initial fix for
CVE-2023-32665.

CVE-2023-32643 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:L/I:L/A:L ).

3.2.384 DESERIALIZATION OF UNTRUSTED DATA CWE-502

A flaw was found in GLib. GVariant deserialization is vulnerable to an
exponential blowup issue where a crafted GVariant can cause excessive
processing, leading to denial of service.

CVE-2023-32665 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:N/I:N/A:H ).

3.2.385 OUT-OF-BOUNDS WRITE CWE-787

The fix for XSA-423 added logic to Linux's net back driver to deal with a front
end splitting a packet in a way such that not all of the headers would come in
one piece. Unfortunately the logic introduced there didn't account for the
extreme case of the entire packet being split into as many pieces as permitted
by the protocol, yet still being smaller than the area that's specially dealt
with to keep all (possible) headers together. Such an unusual packet would
therefore trigger a buffer overrun in the driver.

CVE-2023-34319 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.386 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon.
If a privileged user with control over the dbus-daemon is using the
org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then
an unprivileged user with the ability to connect to the same dbus-daemon can
cause a dbus-daemon crash under some circumstances via an unreplyable message.
When done on the well-known system bus, this is a denial-of-service
vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.

CVE-2023-34969 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.387 OUT-OF-BOUNDS WRITE CWE-787

Linux kernel nftables out-of-bounds read/write vulnerability: nft_byteorder
poorly handled VM register contents when CAP_NET_ADMIN is held in any user or
network namespace.

CVE-2023-35001 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.388 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's
HTTP/2 codec may leak a header map and bookkeeping structures upon receiving
RST_STREAM immediately followed by GOAWAY frames from an upstream server. In
nghttp2, cleanup of pending requests due to receipt of the GOAWAY frame skips
de-allocation of the bookkeeping structure and the pending compressed header:
the error-return code path is taken if the connection is already marked as
sending no more requests because of the GOAWAY frame, and the clean-up code
sits right after that return statement, causing a memory leak. The result is
denial of service through memory exhaustion.

CVE-2023-35945 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.389 IMPROPER INPUT VALIDATION CWE-20

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently
trustworthy search path, leading to remote code execution if an agent is
forwarded to an attacker-controlled system. (Code in /usr/lib is not
necessarily safe for loading into ssh-agent.)
NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

CVE-2023-38408 has been assigned to this vulnerability. A CVSS v3 base score of
7.7 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).

3.2.390 HEAP-BASED BUFFER OVERFLOW CWE-122

This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy
handshake. When curl is asked to pass along the hostname to the SOCKS5 proxy to
allow that to resolve the address instead of it getting done by curl itself,
the maximum length that hostname can be is 255 bytes. If the hostname is
detected to be longer than 255 bytes, curl switches to local name resolving and
instead passes on the resolved address only to the proxy. Due to a bug, the
local variable that means "let the host resolve the name" could get the wrong
value during a slow SOCKS5 handshake and, contrary to the intention, copy the
too-long hostname to the target buffer instead of copying just the resolved
address there.

CVE-2023-38545 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
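
As an added illustration of the hostname-length decision described above (this
is example code written for this bulletin, not curl's own source), the builder
below derives the remote-versus-local resolution choice from the length it is
about to copy rather than from a flag computed earlier in the handshake,
enforces the 255-byte limit that the SOCKS5 domain-name address type imposes,
and checks the destination buffer before any copy. The function
socks5_build_connect, the 262-byte request buffer and the constructed sample
hostnames are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The SOCKS5 domain-name address type (ATYP 0x03) carries a one-byte length,
 * so a hostname handed to the proxy for resolution is at most 255 bytes. */
#define SOCKS5_MAX_HOSTNAME 255
/* VER CMD RSV ATYP + LEN + hostname + 2-byte port: the largest request */
#define SOCKS5_REQ_MAX      (4 + 1 + SOCKS5_MAX_HOSTNAME + 2)

/* Build a SOCKS5 CONNECT request into out (capacity outlen).
 * If hostname fits the 255-byte limit it is sent as-is for the proxy to
 * resolve; otherwise the caller must have resolved it locally and supplies
 * the IPv4 address in resolved (ATYP 0x01). Returns the bytes written, or -1
 * when the request cannot be built without exceeding the buffer.
 * (Hypothetical helper written for this example, not curl's API.) */
int socks5_build_connect(const char *hostname, const uint8_t resolved[4],
                         uint16_t port, uint8_t *out, size_t outlen)
{
    size_t hostlen = strlen(hostname);
    /* Decide remote vs. local resolution from the length about to be copied,
     * not from state carried over from an earlier handshake step. */
    int remote_resolve = hostlen > 0 && hostlen <= SOCKS5_MAX_HOSTNAME;
    size_t need = remote_resolve ? 4 + 1 + hostlen + 2 : 4 + 4 + 2;

    if (outlen < need)
        return -1;                      /* never write past the buffer */
    if (!remote_resolve && resolved == NULL)
        return -1;                      /* too long and nothing resolved */

    out[0] = 0x05;                      /* VER: SOCKS5 */
    out[1] = 0x01;                      /* CMD: CONNECT */
    out[2] = 0x00;                      /* RSV */
    size_t off = 3;
    if (remote_resolve) {
        out[off++] = 0x03;              /* ATYP: domain name */
        out[off++] = (uint8_t)hostlen;  /* fits: hostlen <= 255 was checked */
        memcpy(out + off, hostname, hostlen);
        off += hostlen;
    } else {
        out[off++] = 0x01;              /* ATYP: IPv4, resolved locally */
        memcpy(out + off, resolved, 4);
        off += 4;
    }
    out[off++] = (uint8_t)(port >> 8);  /* DST.PORT, network byte order */
    out[off++] = (uint8_t)(port & 0xff);
    return (int)off;
}

int main(void)
{
    uint8_t req[SOCKS5_REQ_MAX];
    char longhost[300];
    memset(longhost, 'a', sizeof longhost - 1);  /* constructed 299-byte name */
    longhost[sizeof longhost - 1] = '\0';
    uint8_t ip[4] = { 127, 0, 0, 1 };             /* constructed local answer */

    printf("short name -> %d bytes\n",
           socks5_build_connect("example.com", NULL, 443, req, sizeof req));
    printf("299-byte name, resolved locally -> %d bytes\n",
           socks5_build_connect(longhost, ip, 443, req, sizeof req));
    printf("299-byte name, nothing resolved -> %d\n",
           socks5_build_connect(longhost, NULL, 443, req, sizeof req));
    return 0;
}
```

The point of the design is that the only path that writes the hostname into
the buffer is guarded, at that very line, by the same length test that chose
the address type, so a stale "let the host resolve" flag has nothing to
influence.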

3.2.391 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

This flaw allows an attacker to insert cookies at will into a running program
using libcurl, if a specific series of conditions is met. libcurl performs
transfers. If a transfer has cookies enabled when the handle is duplicated, the
cookie-enable state is also cloned, but without cloning the actual cookies. If
the source handle did not read any cookies from a specific file on disk, the
cloned version of the handle would instead store the file name as "none".

CVE-2023-38546 has been assigned to this vulnerability. A CVSS v3 base score of
3.7 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.2.392 OUT-OF-BOUNDS WRITE CWE-787

GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a stack overflow
via the function ada_decode at /gdb/ada-lang.c.

CVE-2023-39128 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.393 OUT-OF-BOUNDS READ CWE-125

A flaw was found in the Netfilter subsystem in the Linux kernel. The
nfnl_osf_add_callback function did not validate the user mode controlled
opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to
trigger an out-of-bounds read, leading to a crash or information disclosure.

CVE-2023-39189 has been assigned to this vulnerability. A CVSS v3 base score of
5.1 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L).

3.2.394 OUT-OF-BOUNDS READ CWE-125

A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32
module did not validate the fields in the xt_u32 structure. This flaw allows a
local privileged attacker to trigger an out-of-bounds read by setting the size
fields with a value beyond the array boundaries, leading to a crash or
information disclosure.

CVE-2023-39192 has been assigned to this vulnerability. A CVSS v3 base score of
6.7 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L).

3.2.395 OUT-OF-BOUNDS READ CWE-125

A flaw was found in the Netfilter subsystem in the Linux kernel. The
sctp_mt_check did not validate the flag_count field. This flaw allows a local
privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading
to a crash or information disclosure.

CVE-2023-39193 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).

3.2.396 OUT-OF-BOUNDS READ CWE-125

A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw
exists within the processing of state filters, which can result in a read past
the end of an allocated buffer. This flaw allows a local privileged
(CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading
to an information disclosure.

CVE-2023-39194 has been assigned to this vulnerability. A CVSS v3 base score of
3.2 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).

3.2.397 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the
xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows
attackers to cause a Denial of Service (DoS) via supplying a crafted XML file.

CVE-2023-39615 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.398 USE AFTER FREE CWE-416

An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in
the Linux kernel before 6.4.10. There is a use-after-free because the children
of an sk are mishandled.

CVE-2023-40283 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.399 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The
socket buffer (skb) was assumed to be associated with a device before calling
__ip_options_compile, which is not always the case if the skb is re-routed by
ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash
the system.

CVE-2023-42754 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.400 OUT-OF-BOUNDS READ CWE-125

A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in
the Linux kernel. The xprt pointer may go beyond the linear part of the skb,
leading to an out-of-bounds read in the rsvp_classify function. This issue may
allow a local user to crash the system and cause a denial of service.

CVE-2023-42755 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).

3.2.401 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

The HTTP/2 protocol allows a denial of service (server resource consumption)
because request cancellation can reset many streams quickly.

CVE-2023-44487 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
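
An added example, not taken from any HTTP/2 implementation, of one
server-side mitigation for the stream-reset pattern described above: parse the
9-octet frame header, count RST_STREAM frames per connection in a fixed time
window, and flag the connection once the count exceeds a budget, independently
of how many streams are concurrently open (which rapid cancellation keeps
low). The h2_reset_guard structure, the budget of 100 resets per 1000 ms and
the constructed frame sequence are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define H2_FRAME_HDR_LEN    9    /* RFC 9113 section 4.1: 9-octet frame header */
#define H2_FRAME_HEADERS    0x1
#define H2_FRAME_RST_STREAM 0x3
#define H2_ERR_CANCEL       0x8

typedef struct {
    uint32_t length;      /* 24-bit payload length */
    uint8_t  type;
    uint8_t  flags;
    uint32_t stream_id;   /* 31 bits; the reserved high bit is masked off */
} h2_frame_hdr;

/* Parse one frame header from buf. Returns 0 on success, -1 if too short. */
int h2_parse_frame_hdr(const uint8_t *buf, size_t len, h2_frame_hdr *out)
{
    if (len < H2_FRAME_HDR_LEN)
        return -1;
    out->length    = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    out->type      = buf[3];
    out->flags     = buf[4];
    out->stream_id = ((uint32_t)(buf[5] & 0x7f) << 24) | ((uint32_t)buf[6] << 16)
                   | ((uint32_t)buf[7] << 8) | buf[8];
    return 0;
}

/* Per-connection RST_STREAM budget (hypothetical structure for this example).
 * Each cancelled stream still costs the server work, so the limit is on
 * resets per window rather than on concurrently open streams. */
typedef struct {
    uint64_t window_start_ms;
    uint32_t resets_in_window;
    uint32_t max_resets;
    uint32_t window_ms;
} h2_reset_guard;

void h2_reset_guard_init(h2_reset_guard *g, uint32_t max_resets, uint32_t window_ms)
{
    g->window_start_ms = 0;
    g->resets_in_window = 0;
    g->max_resets = max_resets;
    g->window_ms = window_ms;
}

/* Account for one RST_STREAM seen at now_ms. Returns 1 if the connection has
 * exceeded its budget and should be closed, 0 otherwise. */
int h2_reset_guard_on_rst(h2_reset_guard *g, uint64_t now_ms)
{
    if (now_ms - g->window_start_ms >= g->window_ms) {   /* new fixed window */
        g->window_start_ms = now_ms;
        g->resets_in_window = 0;
    }
    g->resets_in_window++;
    return g->resets_in_window > g->max_resets;
}

/* Walk a buffer of complete frames received at now_ms, feeding RST_STREAM
 * frames to the guard. Returns the index of the frame that tripped the limit,
 * or -1 if the budget held (or a frame was truncated). */
int h2_scan_frames(const uint8_t *buf, size_t len, h2_reset_guard *g, uint64_t now_ms)
{
    size_t off = 0;
    int idx = 0;
    h2_frame_hdr h;
    while (h2_parse_frame_hdr(buf + off, len - off, &h) == 0) {
        size_t total = H2_FRAME_HDR_LEN + h.length;
        if (total > len - off)
            return -1;                                  /* truncated frame */
        if (h.type == H2_FRAME_RST_STREAM && h2_reset_guard_on_rst(g, now_ms))
            return idx;
        off += total;
        idx++;
    }
    return -1;
}

/* Constructed sample: one HEADERS frame (empty payload, END_HEADERS) followed
 * by count RST_STREAM(CANCEL) frames on odd stream ids. Returns bytes written,
 * or 0 if cap is too small. */
size_t make_rapid_reset_sample(uint8_t *buf, size_t cap, uint32_t count)
{
    static const uint8_t headers[H2_FRAME_HDR_LEN] =
        { 0, 0, 0, H2_FRAME_HEADERS, 0x4, 0, 0, 0, 1 };
    if (cap < H2_FRAME_HDR_LEN + (size_t)count * (H2_FRAME_HDR_LEN + 4))
        return 0;
    memcpy(buf, headers, sizeof headers);
    size_t off = H2_FRAME_HDR_LEN;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t sid = 2 * i + 1;
        uint8_t f[H2_FRAME_HDR_LEN + 4] = {
            0, 0, 4, H2_FRAME_RST_STREAM, 0,
            (uint8_t)(sid >> 24), (uint8_t)(sid >> 16), (uint8_t)(sid >> 8), (uint8_t)sid,
            0, 0, 0, H2_ERR_CANCEL };
        memcpy(buf + off, f, sizeof f);
        off += sizeof f;
    }
    return off;
}

int main(void)
{
    uint8_t buf[4096];
    h2_reset_guard g;
    h2_reset_guard_init(&g, 100, 1000);
    size_t n = make_rapid_reset_sample(buf, sizeof buf, 150);
    printf("150 resets in one window: limit tripped at frame %d\n",
           h2_scan_frames(buf, n, &g, 5000));
    return 0;
}
```

A fixed window is the simplest form of the check; a production proxy would
typically also weight resets by how far the cancelled stream had progressed,
but the accounting hook is the same.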

3.2.402 USE AFTER FREE CWE-416

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain
memory allocation fails. This occurs in xmlUnlinkNode in tree.c.

CVE-2023-45322 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.403 INTEGER OVERFLOW OR WRAPAROUND CWE-190

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based
buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or
extra field. NOTE: MiniZip is not a supported part of the zlib product.

CVE-2023-45853 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
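
An added example of the arithmetic behind this class of bug, written for this
bulletin rather than taken from MiniZip: a central directory entry size summed
with unchecked 32-bit addition, beside a hardened version that rejects any
field too long for the format's 16-bit length fields and checks each addition
for wraparound before the allocation is made. The function names, the 46-byte
fixed-header constant and the constructed sample fields are the example's own
assumptions; the field offsets follow the ZIP central directory header layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CENTRAL_HEADER_FIXED 46u     /* fixed part of a central directory entry */
#define ZIP_FIELD_MAX        0xFFFFu /* name, extra and comment lengths are 16-bit */

/* The pattern that wraps: a 32-bit accumulator summed from caller-supplied
 * lengths with no range check. Oversized inputs wrap it to a small number,
 * the allocation is made at that size, and the later copies of the full
 * fields overrun it. Kept only to show the contrast with the checked form. */
uint32_t central_header_size_unchecked(uint32_t name_len, uint32_t extra_len,
                                       uint32_t comment_len)
{
    return CENTRAL_HEADER_FIXED + name_len + extra_len + comment_len;
}

/* Hardened form: every variable field must fit its 16-bit length field, and
 * each addition is checked for wraparound before it is performed.
 * Returns 0 with the size in *out, or -1 if the input is rejected.
 * (Hypothetical helper written for this example, not MiniZip's own.) */
int central_header_size_checked(size_t name_len, size_t extra_len,
                                size_t comment_len, uint32_t *out)
{
    const size_t fields[3] = { name_len, extra_len, comment_len };
    uint32_t acc = CENTRAL_HEADER_FIXED;
    for (int i = 0; i < 3; i++) {
        if (fields[i] > ZIP_FIELD_MAX)
            return -1;                          /* not encodable in the format */
        if (acc > UINT32_MAX - (uint32_t)fields[i])
            return -1;                          /* sum would wrap */
        acc += (uint32_t)fields[i];
    }
    *out = acc;
    return 0;
}

/* Allocate a central directory entry sized by the checked computation and
 * copy the variable fields in after the fixed part. Returns NULL on rejection
 * or allocation failure; the caller frees the result. */
unsigned char *build_central_header(const char *name, size_t name_len,
                                    const unsigned char *extra, size_t extra_len,
                                    const char *comment, size_t comment_len,
                                    uint32_t *size_out)
{
    uint32_t total;
    if (central_header_size_checked(name_len, extra_len, comment_len, &total) != 0)
        return NULL;
    unsigned char *buf = calloc(total, 1);
    if (buf == NULL)
        return NULL;
    /* Signature 'PK\1\2' and the three little-endian 16-bit length fields at
     * the offsets the central directory header layout defines (28, 30, 32). */
    buf[0] = 0x50; buf[1] = 0x4b; buf[2] = 0x01; buf[3] = 0x02;
    buf[28] = (unsigned char)(name_len & 0xff);    buf[29] = (unsigned char)(name_len >> 8);
    buf[30] = (unsigned char)(extra_len & 0xff);   buf[31] = (unsigned char)(extra_len >> 8);
    buf[32] = (unsigned char)(comment_len & 0xff); buf[33] = (unsigned char)(comment_len >> 8);
    /* These copies cannot overrun: total was built from exactly these sizes. */
    size_t off = CENTRAL_HEADER_FIXED;
    memcpy(buf + off, name, name_len);       off += name_len;
    memcpy(buf + off, extra, extra_len);     off += extra_len;
    memcpy(buf + off, comment, comment_len);
    *size_out = total;
    return buf;
}

int main(void)
{
    uint32_t sz;
    /* Constructed sample fields */
    unsigned char *h = build_central_header("file.txt", 8,
                                            (const unsigned char *)"\x01\x02\x03\x04", 4,
                                            "hello!", 6, &sz);
    printf("checked: %s, %u bytes\n", h ? "accepted" : "rejected", h ? sz : 0u);
    free(h);
    /* Oversized lengths: the unchecked sum wraps to a tiny allocation size,
     * while the checked version refuses them outright. */
    printf("unchecked sum of 46 + 0xFFFFFFF0 + 0x20 -> %u\n",
           central_header_size_unchecked(0xFFFFFFF0u, 0x20u, 0));
    printf("checked -> %d\n",
           central_header_size_checked(0xFFFFFFF0u, 0x20u, 0, &sz));
    return 0;
}
```

Rejecting each field against the width of its on-disk length field is the
decisive check here: once every term is bounded by 0xFFFF the 32-bit sum
cannot wrap, and the explicit overflow test is a second line of defence for
callers that change the accumulator type later.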

3.2.404 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
CWE-120

An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB
driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for
frames larger than the MTU.

CVE-2023-45871 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce risk:

  o SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): Only build and
    run applications from trusted sources. Currently no fix is available.
  o SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0): Only build and
    run applications from trusted sources. Currently no fix is available.
  o SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): Only build and
    run applications from trusted sources. Currently no fix is available.
  o SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0): Only build and
    run applications from trusted sources. Currently no fix is available.
  o SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): Only build and
    run applications from trusted sources. Currently no fix is available.

Note: This SSA advises vulnerabilities for firmware version V3.1 only; for
versions prior to V3.1 refer to Siemens Security Bulletin SSB-439005.

As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. To operate the devices in a protected IT
environment, Siemens recommends configuring the environment according to
Siemens' operational guidelines for industrial security and following
recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the
Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-398330 in
HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities, such as:

  o Minimize network exposure for all control system devices and/or systems,
    ensuring they are not accessible from the internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from business networks.
  o When remote access is required, use more secure methods, such as Virtual
    Private Networks (VPNs). Recognize that VPNs may have vulnerabilities,
    should be updated to the most recent version available, and are only as
    secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense
best practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies
for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

CISA also recommends users take the following measures to protect themselves
from social engineering attacks:

  o Do not click web links or open attachments in unsolicited email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has
been reported to CISA at this time.

5. UPDATE HISTORY

  o December 14, 2023: Initial Publication

This product is provided subject to this Notification and this Privacy & Use
policy.

Vendor

Siemens

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----