Report Name: Linux Patch Wednesday October 2024
Generated: 2024-10-17 00:09:45

Product Name	Prevalence	U	C	H	M	L	A	Comment
HTTP/2	0.9			1	2		3	HTTP/2 is a major revision of the HTTP network protocol used by the World Wide Web
Linux Kernel	0.9			2	52	38	92	The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
CUPS	0.8	4		1			5	CUPS is a modular printing system for Unix-like computer operating systems which allows a computer to act as a print server
Chromium	0.8			2	6		8	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
GLPI	0.8			3			3	GLPI is an open source IT Asset Management, issue tracking system and service desk system
GNOME desktop	0.8			2			2	GNOME originally an acronym for GNU Network Object Model Environment, is a free and open-source desktop environment for Linux and other Unix-like operating systems
Mozilla Firefox	0.8	1		4	8		13	Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation
Node.js	0.8			1			1	Node.js is a cross-platform, open-source server environment that can run on Windows, Linux, Unix, macOS, and more
OpenSSL	0.8				1		1	A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end
PHP	0.8		1		3		4	PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995.
Safari	0.8			1	1		2	Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML.
.NET and Visual Studio	0.7			1	1		2	.NET and Visual Studio
Apache Tomcat	0.7				1		1	Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies
BIND	0.7				1		1	BIND is a suite of software for interacting with the Domain Name System
Curl	0.7				1		1	Curl is a command-line tool for transferring data specified with URL syntax
MediaWiki	0.7					1	1	MediaWiki is a free server-based wiki software, licensed under the GNU General Public License (GPL)
QEMU	0.7				2		2	QEMU is a generic and open source machine & userspace emulator and virtualizer
SQLite	0.7			1			1	SQLite is a database engine written in the C programming language
Eclipse Mosquitto	0.6				1		1	Eclipse Mosquitto provides a lightweight server implementation of the MQTT protocol that is suitable for all situations from full power machines to embedded and low power machines
Jenkins	0.6			1		3	4	Jenkins is an open source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration, and continuous delivery.
Oracle Java SE	0.6				4	2	6	Oracle Java SE
Perl	0.6				1	1	2	Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages
Puma	0.6			1			1	Puma is a Ruby/Rack web server built for parallelism
Python	0.6				1		1	Python is a high-level, general-purpose programming language
Redis	0.6				3		3	Redis is an open-source in-memory storage, used as a distributed, in-memory key–value database, cache and message broker, with optional durability
Vault	0.6				2		2	Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets critical in modern computing
Wireshark	0.6				2		2	Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education
.NET, .NET Framework, and Visual Studio	0.5				3		3	.NET, .NET Framework, and Visual Studio
Cacti	0.5			1	3		4	Cacti is an open source operational monitoring and fault management framework
DOMPurify	0.5			1			1	DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG
Freeimage	0.5				1		1	Product detected by a:freeimage_project:freeimage (exists in CPE dict)
Jose4j	0.5			1			1	The jose.4.j library is a robust and easy to use open source implementation of JSON Web Token (JWT) and the JOSE specification suite (JWS, JWE, and JWK)
Libarchive	0.5				2		2	Multi-format archive and compression library
LinuxPTP	0.5				1		1	Product detected by a:linuxptp_project:linuxptp (exists in CPE dict)
NVIDIA CUDA Toolkit	0.5				3		3	The NVIDIA CUDA Toolkit provides a development environment for creating high-performance, GPU-accelerated applications
Nomad	0.5				1		1	Product detected by a:hashicorp:nomad (exists in CPE dict)
Znuny	0.5				2		2	Znuny/Znuny LTS is a fork of the ((OTRS)) Community Edition, one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, IT Service Management
build_of_apache_camel_-_hawtio	0.5				1		1	Product detected by a:redhat:build_of_apache_camel_-_hawtio (does NOT exist in CPE dict)
build_of_keycloak	0.5				1		1	Product detected by a:redhat:build_of_keycloak (does NOT exist in CPE dict)
exiftags	0.5			1			1	Product detected by a:aertherwide:exiftags (exists in CPE dict)
ion	0.5				1		1	Product detected by a:amazon:ion (does NOT exist in CPE dict)
lemonldap::ng	0.5				1		1	Product detected by a:lemonldap-ng:lemonldapng (does NOT exist in CPE dict)
logiops	0.5				1		1	Product detected by a:pixlone:logiops (does NOT exist in CPE dict)
media_software_development_kit	0.5				5		5	Product detected by a:intel:media_software_development_kit (does NOT exist in CPE dict)
rollup	0.5			1			1	Product detected by a:rollupjs:rollup (does NOT exist in CPE dict)
Unknown Product	0				24	28	52	Unknown Product

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0	2	1	11	3		17
Authentication Bypass	0.98			1	3		4
Code Injection	0.97			2			2
Command Injection	0.97	3			1		4
XXE Injection	0.97				1		1
Security Feature Bypass	0.9			7	11		18
Elevation of Privilege	0.85			1	10		11
Arbitrary File Reading	0.83			1			1
Information Disclosure	0.83				5	1	6
Cross Site Scripting	0.8			2	8		10
Open Redirect	0.75				1		1
Denial of Service	0.7			1	25	5	31
Path Traversal	0.7				1		1
Incorrect Calculation	0.5				4	1	5
Memory Corruption	0.5				40	5	45
Spoofing	0.4				1		1
Unknown Vulnerability Type	0				29	61	90

Source	U	C	H	M	L	A
almalinux	4		5	14	5	28
debian	5	1	18	108	52	184
oraclelinux	4		6	16	7	33
redhat	4		8	23	8	43
redos		1	5	20	16	42
ubuntu	4		8	17	1	30

Urgent (5)

1. Remote Code Execution - CUPS (CVE-2024-47175) - Urgent [847]

Description: CUPS is a standards-based, open-source printing system, and `libppd` can be used for legacy PPD file support. The `libppd` function `ppdCreatePPDFromIPP2` does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as `cfGetPrinterAttributes5`, can result in user controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.

almalinux: CVE-2024-47175 was patched at 2024-09-27, 2024-10-01

debian: CVE-2024-47175 was patched at 2024-09-29, 2024-10-16

oraclelinux: CVE-2024-47175 was patched at 2024-09-30, 2024-10-01

redhat: CVE-2024-47175 was patched at 2024-09-27, 2024-10-01, 2024-10-02, 2024-10-03

ubuntu: CVE-2024-47175 was patched at 2024-09-26, 2024-10-01, 2024-10-07

2. Command Injection - CUPS (CVE-2024-47076) - Urgent [842]

Description: {'nvd_cve_data_all': 'CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker controlled data to be provided to the rest of the CUPS system.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker controlled data to be provided to the rest of the CUPS system.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

almalinux: CVE-2024-47076 was patched at 2024-09-27, 2024-10-01

debian: CVE-2024-47076 was patched at 2024-09-29, 2024-10-16

oraclelinux: CVE-2024-47076 was patched at 2024-09-30, 2024-10-01

redhat: CVE-2024-47076 was patched at 2024-09-27, 2024-10-01, 2024-10-02, 2024-10-03

ubuntu: CVE-2024-47076 was patched at 2024-09-26, 2024-10-09

3. Command Injection - CUPS (CVE-2024-47177) - Urgent [842]

Description: CUPS is a standards-based, open-source printing system, and cups-filters provides backends, filters, and other software for CUPS 2.x to use on non-Mac OS systems. Any value passed to `FoomaticRIPCommandLine` via a PPD file will be executed as a user controlled command. When combined with other logic bugs as described in CVE_2024-47176, this can lead to remote command execution.

debian: CVE-2024-47177 was patched at 2024-10-16

4. Remote Code Execution - Mozilla Firefox (CVE-2024-9680) - Urgent [829]

Description: An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.

almalinux: CVE-2024-9680 was patched at 2024-10-10, 2024-10-14

debian: CVE-2024-9680 was patched at 2024-10-10, 2024-10-12, 2024-10-16

oraclelinux: CVE-2024-9680 was patched at 2024-10-10, 2024-10-11, 2024-10-14

redhat: CVE-2024-9680 was patched at 2024-10-10, 2024-10-14, 2024-10-15, 2024-10-16

ubuntu: CVE-2024-9680 was patched at 2024-10-14

5. Command Injection - CUPS (CVE-2024-47176) - Urgent [818]

Description: CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.

almalinux: CVE-2024-47176 was patched at 2024-09-27, 2024-10-01

debian: CVE-2024-47176 was patched at 2024-09-29, 2024-10-16

oraclelinux: CVE-2024-47176 was patched at 2024-09-30, 2024-10-01

redhat: CVE-2024-47176 was patched at 2024-09-27, 2024-10-01, 2024-10-02, 2024-10-03

ubuntu: CVE-2024-47176 was patched at 2024-09-26, 2024-10-01, 2024-10-07, 2024-10-09

Critical (1)

6. Remote Code Execution - PHP (CVE-2024-8926) - Critical [621]

Description: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for  CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3  may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

debian: CVE-2024-8926 was patched at 2024-10-02, 2024-10-16

redos: CVE-2024-8926 was patched at 2024-10-15

High (26)

7. Elevation of Privilege - Linux Kernel (CVE-2024-46848) - High [587]

Description: In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell Running the ltp test cve-2015-3290 concurrently reports the following warnings. perfevents: irq loop stuck! WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370 Call Trace: <NMI> ? __warn+0xa4/0x220 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? report_bug+0x3e/0xa0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? irq_work_claim+0x1e/0x40 ? intel_pmu_handle_irq+0x285/0x370 perf_event_nmi_handler+0x3d/0x60 nmi_handle+0x104/0x330 Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers the defects of the HW, specifically erratum HSW11 and HSW143. (For the details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/) The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as the BDM11, which has been supported in the kernel. A minimum period of 128 is enforced as well on HSW. HSW143 is regarding that the fixed counter 1 may overcount 32 with the Hyper-Threading is enabled. However, based on the test, the hardware has more issues than it tells. Besides the fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events. The recommended workaround code of the HSW143 is not implemented. Because it only addresses the issue for the fixed counter. It brings extra overhead through extra MSR writing. No related overcounting issue has been reported so far.

debian: CVE-2024-46848 was patched at 2024-10-03, 2024-10-16

8. Arbitrary File Reading - Jenkins (CVE-2024-43044) - High [581]

Description: Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.

redos: CVE-2024-43044 was patched at 2024-09-19

9. Denial of Service - CUPS (CVE-2024-47850) - High [579]

Description: CUPS cups-browsed before 2.5b1 will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added, a different vulnerability than CVE-2024-47176. (The request is meant to probe the new printer but can be used to create DDoS amplification attacks.)

debian: CVE-2024-47850 was patched at 2024-10-16

redhat: CVE-2024-47850 was patched at 2024-09-27, 2024-10-01, 2024-10-02, 2024-10-03

10. Cross Site Scripting - DOMPurify (CVE-2024-47875) - High [571]

Description: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.

debian: CVE-2024-47875 was patched at 2024-10-13, 2024-10-16

11. Remote Code Execution - exiftags (CVE-2024-42851) - High [571]

Description: Buffer Overflow vulnerability in open source exiftags v.1.01 allows a local attacker to execute arbitrary code via the paresetag function.

debian: CVE-2024-42851 was patched at 2024-10-16

12. Remote Code Execution - Cacti (CVE-2024-43363) - High [559]

Description: Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

debian: CVE-2024-43363 was patched at 2024-10-16

13. Security Feature Bypass - Puma (CVE-2024-45614) - High [546]

Description: Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.

debian: CVE-2024-45614 was patched at 2024-10-16

redos: CVE-2024-45614 was patched at 2024-10-01

ubuntu: CVE-2024-45614 was patched at 2024-09-24

14. Security Feature Bypass - Jose4j (CVE-2023-51775) - High [541]

Description: {'nvd_cve_data_all': 'The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

redhat: CVE-2023-51775 was patched at 2024-10-14

15. Cross Site Scripting - rollup (CVE-2024-47068) - High [523]

Description: Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability.

debian: CVE-2024-47068 was patched at 2024-10-16

16. Remote Code Execution - Mozilla Firefox (CVE-2024-9402) - High [454]

Description: Memory safety bugs present in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.

almalinux: CVE-2024-9402 was patched at 2024-10-02, 2024-10-07

oraclelinux: CVE-2024-9402 was patched at 2024-10-02, 2024-10-03, 2024-10-07

redhat: CVE-2024-9402 was patched at 2024-10-02, 2024-10-03, 2024-10-07, 2024-10-09, 2024-10-16

ubuntu: CVE-2024-9402 was patched at 2024-10-07

17. Code Injection - GLPI (CVE-2023-46727) - High [449]

Description: GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.

redos: CVE-2023-46727 was patched at 2024-10-08

18. Security Feature Bypass - Node.js (CVE-2024-48949) - High [448]

Description: The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

debian: CVE-2024-48949 was patched at 2024-10-16

19. Remote Code Execution - GLPI (CVE-2023-46726) - High [442]

Description: GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.

redos: CVE-2023-46726 was patched at 2024-10-08

20. Remote Code Execution - Mozilla Firefox (CVE-2024-9401) - High [442]

Description: Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

almalinux: CVE-2024-9401 was patched at 2024-10-02, 2024-10-07

debian: CVE-2024-9401 was patched at 2024-10-04, 2024-10-12, 2024-10-16

oraclelinux: CVE-2024-9401 was patched at 2024-10-02, 2024-10-03, 2024-10-07

redhat: CVE-2024-9401 was patched at 2024-10-02, 2024-10-03, 2024-10-07, 2024-10-09, 2024-10-16

ubuntu: CVE-2024-9401 was patched at 2024-10-07

21. Remote Code Execution - .NET and Visual Studio (CVE-2024-38229) - High [438]

Description: .NET and Visual Studio Remote Code Execution Vulnerability

almalinux: CVE-2024-38229 was patched at 2024-10-09

oraclelinux: CVE-2024-38229 was patched at 2024-10-09

redhat: CVE-2024-38229 was patched at 2024-10-09

ubuntu: CVE-2024-38229 was patched at 2024-10-08

22. Remote Code Execution - Linux Kernel (CVE-2024-46813) - High [435]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check link_index before accessing dc->links[] [WHY & HOW] dc->links[] has max size of MAX_LINKS and NULL is return when trying to access with out-of-bound index. This fixes 3 OVERRUN and 1 RESOURCE_LEAK issues reported by Coverity.

debian: CVE-2024-46813 was patched at 2024-10-16

23. Remote Code Execution - GNOME desktop (CVE-2024-36474) - High [430]

Description: An integer overflow vulnerability exists in the Compound Document Binary File format parser of the GNOME Project G Structured File Library (libgsf) version v1.14.52. A specially crafted file can result in an integer overflow when processing the directory from the file that allows for an out-of-bounds index to be used when reading and writing to an array. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

debian: CVE-2024-36474 was patched at 2024-10-05, 2024-10-16

ubuntu: CVE-2024-36474 was patched at 2024-10-10

24. Remote Code Execution - GNOME desktop (CVE-2024-42415) - High [430]

Description: An integer overflow vulnerability exists in the Compound Document Binary File format parser of v1.14.52 of the GNOME Project G Structured File Library (libgsf). A specially crafted file can result in an integer overflow that allows for a heap-based buffer overflow when processing the sector allocation table. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

debian: CVE-2024-42415 was patched at 2024-10-05, 2024-10-16

ubuntu: CVE-2024-42415 was patched at 2024-10-10

25. Remote Code Execution - SQLite (CVE-2024-35515) - High [426]

Description: Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code.

debian: CVE-2024-35515 was patched at 2024-10-16

26. Code Injection - GLPI (CVE-2023-43813) - High [425]

Description: GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

redos: CVE-2023-43813 was patched at 2024-10-08

27. Security Feature Bypass - Mozilla Firefox (CVE-2024-9392) - High [425]

Description: A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

almalinux: CVE-2024-9392 was patched at 2024-10-02, 2024-10-07

debian: CVE-2024-9392 was patched at 2024-10-04, 2024-10-12, 2024-10-16

oraclelinux: CVE-2024-9392 was patched at 2024-10-02, 2024-10-03, 2024-10-07

redhat: CVE-2024-9392 was patched at 2024-10-02, 2024-10-03, 2024-10-07, 2024-10-09, 2024-10-16

ubuntu: CVE-2024-9392 was patched at 2024-10-07

28. Authentication Bypass - HTTP/2 (CVE-2024-45397) - High [420]

Description: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue.

debian: CVE-2024-45397 was patched at 2024-10-16

29. Remote Code Execution - Mozilla Firefox (CVE-2024-9403) - High [419]

Description: Memory safety bugs present in Firefox 130. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131 and Thunderbird < 131.

almalinux: CVE-2024-9403 was patched at 2024-10-02, 2024-10-07

oraclelinux: CVE-2024-9403 was patched at 2024-10-03, 2024-10-07

redhat: CVE-2024-9403 was patched at 2024-10-02, 2024-10-03, 2024-10-07, 2024-10-09, 2024-10-16

ubuntu: CVE-2024-9403 was patched at 2024-10-07

30. Security Feature Bypass - Chromium (CVE-2018-20072) - High [413]

Description: Insufficient data validation in PDF in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform out of bounds memory access via a crafted PDF file. (Chromium security severity: Low)

debian: CVE-2018-20072 was patched at 2024-10-16

31. Security Feature Bypass - Chromium (CVE-2024-9121) - High [413]

Description: {'nvd_cve_data_all': 'Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-9121 was patched at 2024-09-26, 2024-10-16

32. Security Feature Bypass - Safari (CVE-2024-44187) - High [413]

Description: A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin.

debian: CVE-2024-44187 was patched at 2024-10-14, 2024-10-16

oraclelinux: CVE-2024-44187 was patched at 2024-10-16

redhat: CVE-2024-44187 was patched at 2024-10-16

Medium (143)

33. Authentication Bypass - Curl (CVE-2024-47174) - Medium [386]

Description: Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM) attack. `<nix/fetchurl.nix>` is also known as the builtin derivation builder `builtin:fetchurl`. It's not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue. A user may be affected by the risk of leaking credentials if they have a `netrc` file for authentication, or rely on derivations with `impureEnvVars` set to use credentials from the environment. In addition, the commonplace trust-on-first-use (TOFU) technique of updating dependencies by specifying an invalid hash and obtaining it from a remote store was also vulnerable to a MITM injecting arbitrary store objects. This also applied to the impure derivations experimental feature. Note that this may also happen when using Nixpkgs fetchers to obtain new hashes when not using the fake hash method, although that mechanism is not implemented in Nix itself but rather in Nixpkgs using a fixed-output derivation. The behavior was introduced in version 1.11 to make it consistent with the Nixpkgs `pkgs.fetchurl` and to make `<nix/fetchurl.nix>` work in the derivation builder sandbox, which back then did not have access to the CA bundles by default. Nowadays, CA bundles are bind-mounted on Linux. This issue has been fixed in Nix 2.18.8 and 2.24.8. As a workaround, implement (authenticated) fetching with `pkgs.fetchurl` from Nixpkgs, using `impureEnvVars` and `curlOpts` as needed.

debian: CVE-2024-47174 was patched at 2024-10-16

34. Authentication Bypass - Unknown Product (CVE-2024-8805) - Medium [383]

Description: {'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual " "that will use it when announcing a new security problem. When the candidate has been " "publicized, the details for this candidate will be provided.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-8805 was patched at 2024-10-16

35. Open Redirect - build_of_keycloak (CVE-2024-8883) - Medium [383]

Description: A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

redhat: CVE-2024-8883 was patched at 2024-09-19

36. Security Feature Bypass - Vault (CVE-2023-4680) - Medium [379]

Description: HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

redos: CVE-2023-4680 was patched at 2024-10-15

37. Denial of Service - Mozilla Firefox (CVE-2024-9399) - Medium [377]

Description: A website configured to initiate a specially crafted WebTransport session could crash the Firefox process leading to a denial of service condition. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.

almalinux: CVE-2024-9399 was patched at 2024-10-02, 2024-10-07

oraclelinux: CVE-2024-9399 was patched at 2024-10-03, 2024-10-07

redhat: CVE-2024-9399 was patched at 2024-10-02, 2024-10-03, 2024-10-07, 2024-10-09, 2024-10-16

ubuntu: CVE-2024-9399 was patched at 2024-10-07

38. Information Disclosure - build_of_apache_camel_-_hawtio (CVE-2024-7885) - Medium [374]

Description: {'nvd_cve_data_all': 'A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

redhat: CVE-2024-7885 was patched at 2024-10-01, 2024-10-07

39. Remote Code Execution - Redis (CVE-2024-31449) - Medium [373]

Description: Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

debian: CVE-2024-31449 was patched at 2024-10-16

40. Information Disclosure - Python (CVE-2024-47532) - Medium [367]

Description: RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected (and potentially sensible) information indirectly via AttributeError.obj and the string module. The problem will be fixed in version 7.3. As a workaround, If the application does not require access to the module string, it can remove it from RestrictedPython.Utilities.utility_builtins or otherwise do not make it available in the restricted execution environment.

debian: CVE-2024-47532 was patched at 2024-10-16

41. Denial of Service - .NET and Visual Studio (CVE-2024-43485) - Medium [360]

Description: .NET and Visual Studio Denial of Service Vulnerability

almalinux: CVE-2024-43485 was patched at 2024-10-09

oraclelinux: CVE-2024-43485 was patched at 2024-10-09

redhat: CVE-2024-43485 was patched at 2024-10-09, 2024-10-14

ubuntu: CVE-2024-43485 was patched at 2024-10-08

42. Denial of Service - Linux Kernel (CVE-2024-46834) - Medium [358]

Description: In the Linux kernel, the following vulnerability has been resolved: ethtool: fail closed if we can't get max channel used in indirection tables Commit 0d1b7d6c9274 ("bnxt: fix crashes when reducing ring count with active RSS contexts") proves that allowing indirection table to contain channels with out of bounds IDs may lead to crashes. Currently the max channel check in the core gets skipped if driver can't fetch the indirection table or when we can't allocate memory. Both of those conditions should be extremely rare but if they do happen we should try to be safe and fail the channel change.

debian: CVE-2024-46834 was patched at 2024-10-16

43. Elevation of Privilege - logiops (CVE-2024-45752) - Medium [354]

Description: logiops through 0.3.4, in its default configuration, allows any unprivileged user to configure its logid daemon via an unrestricted D-Bus service, including setting malicious keyboard macros. This allows for privilege escalation with minimal user interaction.

debian: CVE-2024-45752 was patched at 2024-10-16

44. Denial of Service - Mozilla Firefox (CVE-2024-9397) - Medium [353]

Description: A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.

almalinux: CVE-2024-9397 was patched at 2024-10-02, 2024-10-07

oraclelinux: CVE-2024-9397 was patched at 2024-10-03, 2024-10-07

redhat: CVE-2024-9397 was patched at 2024-10-02, 2024-10-03, 2024-10-07, 2024-10-09, 2024-10-16

ubuntu: CVE-2024-9397 was patched at 2024-10-07

45. Memory Corruption - Mozilla Firefox (CVE-2024-9396) - Medium [353]

Description: It is currently unknown if this issue is exploitable but a condition may arise where the structured clone of certain objects could lead to memory corruption. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.

almalinux: CVE-2024-9396 was patched at 2024-10-02, 2024-10-07

oraclelinux: CVE-2024-9396 was patched at 2024-10-03, 2024-10-07

redhat: CVE-2024-9396 was patched at 2024-10-02, 2024-10-03, 2024-10-07, 2024-10-09, 2024-10-16

ubuntu: CVE-2024-9396 was patched at 2024-10-07

46. Memory Corruption - Mozilla Firefox (CVE-2024-9400) - Medium [353]

Description: A potential memory corruption vulnerability could be triggered if an attacker had the ability to trigger an OOM at a specific moment during JIT compilation. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.

almalinux: CVE-2024-9400 was patched at 2024-10-02, 2024-10-07

oraclelinux: CVE-2024-9400 was patched at 2024-10-03, 2024-10-07

redhat: CVE-2024-9400 was patched at 2024-10-02, 2024-10-03, 2024-10-07, 2024-10-09, 2024-10-16

ubuntu: CVE-2024-9400 was patched at 2024-10-07

47. Security Feature Bypass - BIND (CVE-2024-9407) - Medium [348]

Description: A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.

debian: CVE-2024-9407 was patched at 2024-10-16

48. Denial of Service - HTTP/2 (CVE-2024-45403) - Medium [346]

Description: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited by an attacker to mount a Denial-of-Service attack. By default, the h2o standalone server automatically restarts, minimizing the impact. However, HTTP requests that were served concurrently will still be disrupted. The vulnerability has been addressed in commit 1ed32b2. Users may disable the use of HTTP/3 to mitigate the issue.

debian: CVE-2024-45403 was patched at 2024-10-16

49. Incorrect Calculation - Linux Kernel (CVE-2024-46852) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: dma-buf: heaps: Fix off-by-one in CMA heap fault handler Until VM_DONTEXPAND was added in commit 1c1914d6e8c6 ("dma-buf: heaps: Don't track CMA dma-buf pages under RssFile") it was possible to obtain a mapping larger than the buffer size via mremap and bypass the overflow check in dma_buf_mmap_internal. When using such a mapping to attempt to fault past the end of the buffer, the CMA heap fault handler also checks the fault offset against the buffer size, but gets the boundary wrong by 1. Fix the boundary check so that we don't read off the end of the pages array and insert an arbitrary page in the mapping.

debian: CVE-2024-46852 was patched at 2024-10-03, 2024-10-16

50. Memory Corruption - Linux Kernel (CVE-2024-46796) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double put of @cfile in smb2_set_path_size() If smb2_compound_op() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() before retrying it as the reference of @cfile was already dropped by previous call. This fixes the following KASAN splat when running fstests generic/013 against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ? detach_if_pending+0xab/0x200 ? __virt_addr_valid+0x145/0x300 ? __phys_addr+0x46/0x90 ? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ? __pfx_timer_delete+0x10/0x10 ? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ? __pfx___cancel_work+0x10/0x10 ? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ? __pfx_cifs_oplock_break+0x10/0x10 [cifs] ? lock_is_held_type+0x85/0xf0 ? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ? find_held_lock+0x8a/0xa0 ? __pfx_process_one_work+0x10/0x10 ? lock_acquired+0x220/0x550 ? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ? __kthread_parkme+0xd1/0xf0 ? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ? kthread+0xda/0x1c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f

redos: CVE-2024-46796 was patched at 2024-10-09

51. Memory Corruption - Linux Kernel (CVE-2024-46831) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap: Fix use-after-free error in kunit test This is a clear use-after-free error. We remove it, and rely on checking the return code of vcap_del_rule.

redos: CVE-2024-46831 was patched at 2024-10-09

52. Memory Corruption - Linux Kernel (CVE-2024-46844) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: um: line: always fill *error_out in setup_one_line() The pointer isn't initialized by callers, but I have encountered cases where it's still printed; initialize it in all possible cases in setup_one_line().

debian: CVE-2024-46844 was patched at 2024-10-03, 2024-10-16

53. Memory Corruption - Linux Kernel (CVE-2024-46845) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug. Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread. Note, this is just a quick fix that can be backported to stable. A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.

redos: CVE-2024-46845 was patched at 2024-10-09

54. Memory Corruption - Linux Kernel (CVE-2024-46849) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: ASoC: meson: axg-card: fix 'use-after-free' Buffer 'card->dai_link' is reallocated in 'meson_card_reallocate_links()', so move 'pad' pointer initialization after this function when memory is already reallocated. Kasan bug report: ================================================================== BUG: KASAN: slab-use-after-free in axg_card_add_link+0x76c/0x9bc Read of size 8 at addr ffff000000e8b260 by task modprobe/356 CPU: 0 PID: 356 Comm: modprobe Tainted: G O 6.9.12-sdkernel #1 Call trace: dump_backtrace+0x94/0xec show_stack+0x18/0x24 dump_stack_lvl+0x78/0x90 print_report+0xfc/0x5c0 kasan_report+0xb8/0xfc __asan_load8+0x9c/0xb8 axg_card_add_link+0x76c/0x9bc [snd_soc_meson_axg_sound_card] meson_card_probe+0x344/0x3b8 [snd_soc_meson_card_utils] platform_probe+0x8c/0xf4 really_probe+0x110/0x39c __driver_probe_device+0xb8/0x18c driver_probe_device+0x108/0x1d8 __driver_attach+0xd0/0x25c bus_for_each_dev+0xe0/0x154 driver_attach+0x34/0x44 bus_add_driver+0x134/0x294 driver_register+0xa8/0x1e8 __platform_driver_register+0x44/0x54 axg_card_pdrv_init+0x20/0x1000 [snd_soc_meson_axg_sound_card] do_one_initcall+0xdc/0x25c do_init_module+0x10c/0x334 load_module+0x24c4/0x26cc init_module_from_file+0xd4/0x128 __arm64_sys_finit_module+0x1f4/0x41c invoke_syscall+0x60/0x188 el0_svc_common.constprop.0+0x78/0x13c do_el0_svc+0x30/0x40 el0_svc+0x38/0x78 el0t_64_sync_handler+0x100/0x12c el0t_64_sync+0x190/0x194

debian: CVE-2024-46849 was patched at 2024-10-03, 2024-10-16

55. Memory Corruption - Linux Kernel (CVE-2024-46853) - Medium [346]

Description: In the Linux kernel, the following vulnerability has been resolved: spi: nxp-fspi: fix the KASAN report out-of-bounds bug Change the memcpy length to fix the out-of-bounds issue when writing the data that is not 4 byte aligned to TX FIFO. To reproduce the issue, write 3 bytes data to NOR chip. dd if=3b of=/dev/mtd0 [ 36.926103] ================================================================== [ 36.933409] BUG: KASAN: slab-out-of-bounds in nxp_fspi_exec_op+0x26ec/0x2838 [ 36.940514] Read of size 4 at addr ffff00081037c2a0 by task dd/455 [ 36.946721] [ 36.948235] CPU: 3 UID: 0 PID: 455 Comm: dd Not tainted 6.11.0-rc5-gc7b0e37c8434 #1070 [ 36.956185] Hardware name: Freescale i.MX8QM MEK (DT) [ 36.961260] Call trace: [ 36.963723] dump_backtrace+0x90/0xe8 [ 36.967414] show_stack+0x18/0x24 [ 36.970749] dump_stack_lvl+0x78/0x90 [ 36.974451] print_report+0x114/0x5cc [ 36.978151] kasan_report+0xa4/0xf0 [ 36.981670] __asan_report_load_n_noabort+0x1c/0x28 [ 36.986587] nxp_fspi_exec_op+0x26ec/0x2838 [ 36.990800] spi_mem_exec_op+0x8ec/0xd30 [ 36.994762] spi_mem_no_dirmap_read+0x190/0x1e0 [ 36.999323] spi_mem_dirmap_write+0x238/0x32c [ 37.003710] spi_nor_write_data+0x220/0x374 [ 37.007932] spi_nor_write+0x110/0x2e8 [ 37.011711] mtd_write_oob_std+0x154/0x1f0 [ 37.015838] mtd_write_oob+0x104/0x1d0 [ 37.019617] mtd_write+0xb8/0x12c [ 37.022953] mtdchar_write+0x224/0x47c [ 37.026732] vfs_write+0x1e4/0x8c8 [ 37.030163] ksys_write+0xec/0x1d0 [ 37.033586] __arm64_sys_write+0x6c/0x9c [ 37.037539] invoke_syscall+0x6c/0x258 [ 37.041327] el0_svc_common.constprop.0+0x160/0x22c [ 37.046244] do_el0_svc+0x44/0x5c [ 37.049589] el0_svc+0x38/0x78 [ 37.052681] el0t_64_sync_handler+0x13c/0x158 [ 37.057077] el0t_64_sync+0x190/0x194 [ 37.060775] [ 37.062274] Allocated by task 455: [ 37.065701] kasan_save_stack+0x2c/0x54 [ 37.069570] kasan_save_track+0x20/0x3c [ 37.073438] kasan_save_alloc_info+0x40/0x54 [ 37.077736] __kasan_kmalloc+0xa0/0xb8 [ 37.081515] __kmalloc_noprof+0x158/0x2f8 [ 37.085563] mtd_kmalloc_up_to+0x120/0x154 [ 37.089690] mtdchar_write+0x130/0x47c [ 37.093469] vfs_write+0x1e4/0x8c8 [ 37.096901] ksys_write+0xec/0x1d0 [ 37.100332] __arm64_sys_write+0x6c/0x9c [ 37.104287] invoke_syscall+0x6c/0x258 [ 37.108064] el0_svc_common.constprop.0+0x160/0x22c [ 37.112972] do_el0_svc+0x44/0x5c [ 37.116319] el0_svc+0x38/0x78 [ 37.119401] el0t_64_sync_handler+0x13c/0x158 [ 37.123788] el0t_64_sync+0x190/0x194 [ 37.127474] [ 37.128977] The buggy address belongs to the object at ffff00081037c2a0 [ 37.128977] which belongs to the cache kmalloc-8 of size 8 [ 37.141177] The buggy address is located 0 bytes inside of [ 37.141177] allocated 3-byte region [ffff00081037c2a0, ffff00081037c2a3) [ 37.153465] [ 37.154971] The buggy address belongs to the physical page: [ 37.160559] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89037c [ 37.168596] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 37.175149] page_type: 0xfdffffff(slab) [ 37.179021] raw: 0bfffe0000000000 ffff000800002500 dead000000000122 0000000000000000 [ 37.186788] raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000 [ 37.194553] page dumped because: kasan: bad access detected [ 37.200144] [ 37.201647] Memory state around the buggy address: [ 37.206460] ffff00081037c180: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc [ 37.213701] ffff00081037c200: fa fc fc fc 05 fc fc fc 03 fc fc fc 02 fc fc fc [ 37.220946] >ffff00081037c280: 06 fc fc fc 03 fc fc fc fc fc fc fc fc fc fc fc [ 37.228186] ^ [ 37.232473] ffff00081037c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.239718] ffff00081037c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.246962] ============================================================== ---truncated---

debian: CVE-2024-46853 was patched at 2024-10-03, 2024-10-16

56. Elevation of Privilege - .NET, .NET Framework, and Visual Studio (CVE-2024-38081) - Medium [342]

Description: .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

redos: CVE-2024-38081 was patched at 2024-09-19

57. Memory Corruption - Chromium (CVE-2021-38023) - Medium [341]

Description: Use after free in Extensions in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2021-38023 was patched at 2024-10-16

58. Memory Corruption - Chromium (CVE-2024-9120) - Medium [341]

Description: Use after free in Dawn in Google Chrome on Windows prior to 129.0.6668.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-9120 was patched at 2024-09-26, 2024-10-16

59. Memory Corruption - Chromium (CVE-2024-9122) - Medium [341]

Description: Type Confusion in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-9122 was patched at 2024-09-26, 2024-10-16

60. Memory Corruption - Chromium (CVE-2024-9602) - Medium [341]

Description: Type Confusion in V8 in Google Chrome prior to 129.0.6668.100 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-9602 was patched at 2024-10-09, 2024-10-16

61. Memory Corruption - Chromium (CVE-2024-9603) - Medium [341]

Description: Type Confusion in V8 in Google Chrome prior to 129.0.6668.100 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-9603 was patched at 2024-10-09, 2024-10-16

62. Security Feature Bypass - PHP (CVE-2024-8925) - Medium [341]

Description: {'nvd_cve_data_all': 'In PHP versions\xa08.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In PHP versions\xa08.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-8925 was patched at 2024-10-02, 2024-10-16

redos: CVE-2024-8925 was patched at 2024-10-15

ubuntu: CVE-2024-8925 was patched at 2024-10-01

63. Security Feature Bypass - PHP (CVE-2024-9026) - Medium [341]

Description: {'nvd_cve_data_all': 'In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is\xa0configured to catch workers output through catch_workers_output = yes,\xa0it may be possible to pollute the final log or\xa0remove up to 4 characters from the log messages by manipulating log message content. Additionally, if\xa0PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is\xa0configured to catch workers output through catch_workers_output = yes,\xa0it may be possible to pollute the final log or\xa0remove up to 4 characters from the log messages by manipulating log message content. Additionally, if\xa0PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-9026 was patched at 2024-10-02, 2024-10-16

redos: CVE-2024-9026 was patched at 2024-10-15

ubuntu: CVE-2024-9026 was patched at 2024-10-01

64. Memory Corruption - Freeimage (CVE-2024-31570) - Medium [339]

Description: libfreeimage in FreeImage 3.4.0 through 3.18.0 has a stack-based buffer overflow in the PluginXPM.cpp Load function via an XPM file.

debian: CVE-2024-31570 was patched at 2024-10-16

65. Memory Corruption - Linux Kernel (CVE-2024-46858) - Medium [334]

Description: In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: Fix uaf in __timer_delete_sync There are two paths to access mptcp_pm_del_add_timer, result in a race condition: CPU1 CPU2 ==== ==== net_rx_action napi_poll netlink_sendmsg __napi_poll netlink_unicast process_backlog netlink_unicast_kernel __netif_receive_skb genl_rcv __netif_receive_skb_one_core netlink_rcv_skb NF_HOOK genl_rcv_msg ip_local_deliver_finish genl_family_rcv_msg ip_protocol_deliver_rcu genl_family_rcv_msg_doit tcp_v4_rcv mptcp_pm_nl_flush_addrs_doit tcp_v4_do_rcv mptcp_nl_remove_addrs_list tcp_rcv_established mptcp_pm_remove_addrs_and_subflows tcp_data_queue remove_anno_list_by_saddr mptcp_incoming_options mptcp_pm_del_add_timer mptcp_pm_del_add_timer kfree(entry) In remove_anno_list_by_saddr(running on CPU2), after leaving the critical zone protected by "pm.lock", the entry will be released, which leads to the occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1). Keeping a reference to add_timer inside the lock, and calling sk_stop_timer_sync() with this reference, instead of "entry->add_timer". Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock, do not directly access any members of the entry outside the pm lock, which can avoid similar "entry->x" uaf.

debian: CVE-2024-46858 was patched at 2024-10-03, 2024-10-16

66. Denial of Service - Wireshark (CVE-2024-9780) - Medium [332]

Description: ITS dissector crash in Wireshark 4.4.0 allows denial of service via packet injection or crafted capture file

debian: CVE-2024-9780 was patched at 2024-10-16

67. Denial of Service - Wireshark (CVE-2024-9781) - Medium [332]

Description: AppleTalk and RELOAD Framing dissector crash in Wireshark 4.4.0 and 4.2.0 to 4.2.7 allows denial of service via packet injection or crafted capture file

debian: CVE-2024-9781 was patched at 2024-10-16

68. Security Feature Bypass - Oracle Java SE (CVE-2024-21098) - Medium [332]

Description: {'nvd_cve_data_all': 'Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

redos: CVE-2024-21098 was patched at 2024-10-15

69. Denial of Service - .NET, .NET Framework, and Visual Studio (CVE-2024-43483) - Medium [327]

Description: .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

almalinux: CVE-2024-43483 was patched at 2024-10-09

oraclelinux: CVE-2024-43483 was patched at 2024-10-09

redhat: CVE-2024-43483 was patched at 2024-10-09, 2024-10-14

ubuntu: CVE-2024-43483 was patched at 2024-10-08

70. Denial of Service - .NET, .NET Framework, and Visual Studio (CVE-2024-43484) - Medium [327]

Description: .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

almalinux: CVE-2024-43484 was patched at 2024-10-09

oraclelinux: CVE-2024-43484 was patched at 2024-10-09

redhat: CVE-2024-43484 was patched at 2024-10-09, 2024-10-14

ubuntu: CVE-2024-43484 was patched at 2024-10-08

71. Denial of Service - LinuxPTP (CVE-2024-42861) - Medium [327]

Description: An issue in IEEE 802.1AS linuxptp v.4.2 and before allowing a remote attacker to cause a denial of service via a crafted Pdelay_Req message to the time synchronization function

debian: CVE-2024-42861 was patched at 2024-10-16

72. Denial of Service - ion (CVE-2024-21634) - Medium [327]

Description: Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. The patch is included in `ion-java` 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.

redhat: CVE-2024-21634 was patched at 2024-10-01

73. Denial of Service - QEMU (CVE-2024-8354) - Medium [324]

Description: A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.

debian: CVE-2024-8354 was patched at 2024-10-16

74. Information Disclosure - QEMU (CVE-2024-8612) - Medium [324]

Description: A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest. Once virtqueue_push() finally calls dma_memory_unmap to ummap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.

debian: CVE-2024-8612 was patched at 2024-10-16

75. Incorrect Calculation - Linux Kernel (CVE-2024-46806) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix the warning division or modulo by zero Checks the partition mode and returns an error for an invalid mode.

debian: CVE-2024-46806 was patched at 2024-10-16

76. Incorrect Calculation - Linux Kernel (CVE-2024-47661) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid overflow from uint32_t to uint8_t [WHAT & HOW] dmub_rb_cmd's ramping_boundary has size of uint8_t and it is assigned 0xFFFF. Fix it by changing it to uint8_t with value of 0xFF. This fixes 2 INTEGER_OVERFLOW issues reported by Coverity.

debian: CVE-2024-47661 was patched at 2024-10-16

77. Memory Corruption - Linux Kernel (CVE-2023-52459) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: media: v4l: async: Fix duplicated list deletion The list deletion call dropped here is already called from the helper function in the line before. Having a second list_del() call results in either a warning (with CONFIG_DEBUG_LIST=y): list_del corruption, c46c8198->next is LIST_POISON1 (00000100) If CONFIG_DEBUG_LIST is disabled the operation results in a kernel error due to NULL pointer dereference.

redos: CVE-2023-52459 was patched at 2024-10-02

78. Memory Corruption - Linux Kernel (CVE-2024-26587) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: net: netdevsim: don't try to destroy PHC on VFs PHC gets initialized in nsim_init_netdevsim(), which is only called if (nsim_dev_port_is_pf()). Create a counterpart of nsim_init_netdevsim() and move the mock_phc_destroy() there. This fixes a crash trying to destroy netdevsim with VFs instantiated, as caught by running the devlink.sh test: BUG: kernel NULL pointer dereference, address: 00000000000000b8 RIP: 0010:mock_phc_destroy+0xd/0x30 Call Trace: <TASK> nsim_destroy+0x4a/0x70 [netdevsim] __nsim_dev_port_del+0x47/0x70 [netdevsim] nsim_dev_reload_destroy+0x105/0x120 [netdevsim] nsim_drv_remove+0x2f/0xb0 [netdevsim] device_release_driver_internal+0x1a1/0x210 bus_remove_device+0xd5/0x120 device_del+0x159/0x490 device_unregister+0x12/0x30 del_device_store+0x11a/0x1a0 [netdevsim] kernfs_fop_write_iter+0x130/0x1d0 vfs_write+0x30b/0x4b0 ksys_write+0x69/0xf0 do_syscall_64+0xcc/0x1e0 entry_SYSCALL_64_after_hwframe+0x6f/0x77

oraclelinux: CVE-2024-26587 was patched at 2024-09-23

redos: CVE-2024-26587 was patched at 2024-10-02

79. Memory Corruption - Linux Kernel (CVE-2024-26604) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: Revert "kobject: Remove redundant checks for whether ktype is NULL" This reverts commit 1b28cb81dab7c1eedc6034206f4e8d644046ad31. It is reported to cause problems, so revert it for now until the root cause can be found.

redos: CVE-2024-26604 was patched at 2024-10-02

80. Memory Corruption - Linux Kernel (CVE-2024-46802) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: added NULL check at start of dc_validate_stream [Why] prevent invalid memory access [How] check if dc and stream are NULL

debian: CVE-2024-46802 was patched at 2024-10-03, 2024-10-16

81. Memory Corruption - Linux Kernel (CVE-2024-46803) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Check debug trap enable before write dbg_ev_file In interrupt context, write dbg_ev_file will be run by work queue. It will cause write dbg_ev_file execution after debug_trap_disable, which will cause NULL pointer access. v2: cancel work "debug_event_workarea" before set dbg_ev_file as NULL.

debian: CVE-2024-46803 was patched at 2024-10-16

82. Memory Corruption - Linux Kernel (CVE-2024-46805) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix the waring dereferencing hive Check the amdgpu_hive_info *hive that maybe is NULL.

debian: CVE-2024-46805 was patched at 2024-10-03, 2024-10-16

83. Memory Corruption - Linux Kernel (CVE-2024-46807) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/amdgpu: Check tbo resource pointer Validate tbo resource pointer, skip if NULL

debian: CVE-2024-46807 was patched at 2024-10-03, 2024-10-16

84. Memory Corruption - Linux Kernel (CVE-2024-46808) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add missing NULL pointer check within dpcd_extend_address_range [Why & How] ASSERT if return NULL from kcalloc.

debian: CVE-2024-46808 was patched at 2024-10-16

85. Memory Corruption - Linux Kernel (CVE-2024-46809) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check BIOS images before it is used BIOS images may fail to load and null checks are added before they are used. This fixes 6 NULL_RETURNS issues reported by Coverity.

debian: CVE-2024-46809 was patched at 2024-10-16

86. Memory Corruption - Linux Kernel (CVE-2024-46810) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/bridge: tc358767: Check if fully initialized before signalling HPD event via IRQ Make sure the connector is fully initialized before signalling any HPD events via drm_kms_helper_hotplug_event(), otherwise this may lead to NULL pointer dereference.

debian: CVE-2024-46810 was patched at 2024-10-03, 2024-10-16

87. Memory Corruption - Linux Kernel (CVE-2024-46819) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: the warning dereferencing obj for nbio_v7_4 if ras_manager obj null, don't print NBIO err data

debian: CVE-2024-46819 was patched at 2024-10-03, 2024-10-16

88. Memory Corruption - Linux Kernel (CVE-2024-46822) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry In a review discussion of the changes to support vCPU hotplug where a check was added on the GICC being enabled if was online, it was noted that there is need to map back to the cpu and use that to index into a cpumask. As such, a valid ID is needed. If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible for the entry in cpu_madt_gicc[cpu] == NULL. This function would then cause a NULL pointer dereference. Whilst a path to trigger this has not been established, harden this caller against the possibility.

debian: CVE-2024-46822 was patched at 2024-10-03, 2024-10-16

89. Memory Corruption - Linux Kernel (CVE-2024-46835) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix smatch static checker warning adev->gfx.imu.funcs could be NULL

debian: CVE-2024-46835 was patched at 2024-10-03, 2024-10-16

90. Memory Corruption - Linux Kernel (CVE-2024-46842) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the routine unconditionally frees submitted mailbox commands regardless of return status. The issue is that for MBX_TIMEOUT cases, when firmware returns SFP information at a later time, that same mailbox memory region references previously freed memory in its cmpl routine. Fix by adding checks for the MBX_TIMEOUT return code. During mailbox resource cleanup, check the mbox flag to make sure that the wait did not timeout. If the MBOX_WAKE flag is not set, then do not free the resources because it will be freed when firmware completes the mailbox at a later time in its cmpl routine. Also, increase the timeout from 30 to 60 seconds to accommodate boot scripts requiring longer timeouts.

debian: CVE-2024-46842 was patched at 2024-10-16

91. Memory Corruption - Linux Kernel (CVE-2024-46857) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix bridge mode operations when there are no VFs Currently, trying to set the bridge mode attribute when numvfs=0 leads to a crash: bridge link set dev eth2 hwmode vepa [ 168.967392] BUG: kernel NULL pointer dereference, address: 0000000000000030 [...] [ 168.969989] RIP: 0010:mlx5_add_flow_rules+0x1f/0x300 [mlx5_core] [...] [ 168.976037] Call Trace: [ 168.976188] <TASK> [ 168.978620] _mlx5_eswitch_set_vepa_locked+0x113/0x230 [mlx5_core] [ 168.979074] mlx5_eswitch_set_vepa+0x7f/0xa0 [mlx5_core] [ 168.979471] rtnl_bridge_setlink+0xe9/0x1f0 [ 168.979714] rtnetlink_rcv_msg+0x159/0x400 [ 168.980451] netlink_rcv_skb+0x54/0x100 [ 168.980675] netlink_unicast+0x241/0x360 [ 168.980918] netlink_sendmsg+0x1f6/0x430 [ 168.981162] ____sys_sendmsg+0x3bb/0x3f0 [ 168.982155] ___sys_sendmsg+0x88/0xd0 [ 168.985036] __sys_sendmsg+0x59/0xa0 [ 168.985477] do_syscall_64+0x79/0x150 [ 168.987273] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 168.987773] RIP: 0033:0x7f8f7950f917 (esw->fdb_table.legacy.vepa_fdb is null) The bridge mode is only relevant when there are multiple functions per port. Therefore, prevent setting and getting this setting when there are no VFs. Note that after this change, there are no settings to change on the PF interface using `bridge link` when there are no VFs, so the interface no longer appears in the `bridge link` output.

debian: CVE-2024-46857 was patched at 2024-10-03, 2024-10-16

92. Memory Corruption - Linux Kernel (CVE-2024-46860) - Medium [322]

Description: In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change When disabling wifi mt7921_ipv6_addr_change() is called as a notifier. At this point mvif->phy is already NULL so we cannot use it here.

debian: CVE-2024-46860 was patched at 2024-10-16

93. Cross Site Scripting - Cacti (CVE-2024-43362) - Medium [321]

Description: Cacti is an open source performance and fault management framework. The `fileurl` parameter is not properly sanitized when saving external links in `links.php` . Morever, the said fileurl is placed in some html code which is passed to the `print` function in `link.php` and `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `fileurl` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this issue.

debian: CVE-2024-43362 was patched at 2024-10-16

94. Cross Site Scripting - lemonldap::ng (CVE-2024-48933) - Medium [321]

Description: A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters.

debian: CVE-2024-48933 was patched at 2024-10-16

95. Security Feature Bypass - Redis (CVE-2024-31227) - Medium [320]

Description: Redis is an open source, in-memory database that persists on disk. An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7 prior to versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

debian: CVE-2024-31227 was patched at 2024-10-16

96. Elevation of Privilege - media_software_development_kit (CVE-2022-27170) - Medium [318]

Description: Protection mechanism failure in the Intel(R) Media SDK software before version 22.2.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

debian: CVE-2022-27170 was patched at 2024-10-16

97. Elevation of Privilege - media_software_development_kit (CVE-2022-34841) - Medium [318]

Description: Improper buffer restrictions in the Intel(R) Media SDK software before version 22.2.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

debian: CVE-2022-34841 was patched at 2024-10-16

98. Incorrect Calculation - Chromium (CVE-2024-9123) - Medium [317]

Description: Integer overflow in Skia in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-9123 was patched at 2024-09-26, 2024-10-16

99. Security Feature Bypass - Unknown Product (CVE-2024-8698) - Medium [315]

Description: {'nvd_cve_data_all': 'A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

redhat: CVE-2024-8698 was patched at 2024-09-19

100. Spoofing - Safari (CVE-2024-40866) - Medium [311]

Description: The issue was addressed with improved UI. This issue is fixed in Safari 18, macOS Sequoia 15. Visiting a malicious website may lead to address bar spoofing.