ISHACK AI BOT

Gentoo Linux: CVE-2023-5485: QtWebEngine: Multiple Vulnerabilities Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Inappropriate implementation in Autofill in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to bypass autofill restrictions via a crafted HTML page. (Chromium security severity: Low) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5485 CVE - 2023-5485 202311-11 202312-07 202401-34

Alpine Linux: CVE-2023-5476: Use After Free Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/11/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Use after free in Blink History in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) Solution(s) alpine-linux-upgrade-qt6-qtwebengine References https://attackerkb.com/topics/cve-2023-5476 CVE - 2023-5476 https://security.alpinelinux.org/vuln/CVE-2023-5476

Amazon Linux 2023: CVE-2023-38545: Important priority package update for curl Severity 8 CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:C) Published 10/11/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with. A heap-based buffer overflow flaw was found in the SOCKS5 proxy handshake in the Curl package. If Curl is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes. If the hostname is longer, then Curl switches to the local name resolving and passes the resolved address only to the proxy. The local variable that instructs Curl to "let the host resolve the name" could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behavior. Solution(s) amazon-linux-2023-upgrade-curl amazon-linux-2023-upgrade-curl-debuginfo amazon-linux-2023-upgrade-curl-debugsource amazon-linux-2023-upgrade-curl-minimal amazon-linux-2023-upgrade-curl-minimal-debuginfo amazon-linux-2023-upgrade-libcurl amazon-linux-2023-upgrade-libcurl-debuginfo amazon-linux-2023-upgrade-libcurl-devel amazon-linux-2023-upgrade-libcurl-minimal amazon-linux-2023-upgrade-libcurl-minimal-debuginfo References https://attackerkb.com/topics/cve-2023-38545 CVE - 2023-38545 https://alas.aws.amazon.com/AL2023/ALAS-2023-377.html

Amazon Linux 2023: CVE-2023-38546: Important priority package update for curl (Multiple Advisories) Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:P/A:N) Published 10/11/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course. A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if the specific series of conditions are met. Solution(s) amazon-linux-2023-upgrade-curl amazon-linux-2023-upgrade-curl-debuginfo amazon-linux-2023-upgrade-curl-debugsource amazon-linux-2023-upgrade-curl-minimal amazon-linux-2023-upgrade-curl-minimal-debuginfo amazon-linux-2023-upgrade-ecs-service-connect-agent amazon-linux-2023-upgrade-libcurl amazon-linux-2023-upgrade-libcurl-debuginfo amazon-linux-2023-upgrade-libcurl-devel amazon-linux-2023-upgrade-libcurl-minimal amazon-linux-2023-upgrade-libcurl-minimal-debuginfo References https://attackerkb.com/topics/cve-2023-38546 CVE - 2023-38546 https://alas.aws.amazon.com/AL2023/ALAS-2023-377.html https://alas.aws.amazon.com/AL2023/ALAS-2023-420.html

Apache Tomcat: Low: Denial of Service (CVE-2023-42794) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 10/11/2023 Created 10/11/2023 Added 10/11/2023 Modified 01/28/2025 Description Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. Solution(s) apache-tomcat-upgrade-8_5_94 apache-tomcat-upgrade-9_0_81 References https://attackerkb.com/topics/cve-2023-42794 CVE - 2023-42794 http://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-9.html

Gentoo Linux: CVE-2023-5473: QtWebEngine: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:P) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Use after free in Cast in Google Chrome prior to 118.0.5993.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5473 CVE - 2023-5473 202311-11 202312-07 202401-34

Gentoo Linux: CVE-2023-5474: QtWebEngine: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Heap buffer overflow in PDF in Google Chrome prior to 118.0.5993.70 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5474 CVE - 2023-5474 202311-11 202312-07 202401-34

Gentoo Linux: CVE-2023-5475: QtWebEngine: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Inappropriate implementation in DevTools in Google Chrome prior to 118.0.5993.70 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5475 CVE - 2023-5475 202311-11 202312-07 202401-34

Alpine Linux: CVE-2023-5487: Vulnerability in Multiple Components Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 10/11/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Inappropriate implementation in Fullscreen in Google Chrome prior to 118.0.5993.70 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium) Solution(s) alpine-linux-upgrade-qt6-qtwebengine References https://attackerkb.com/topics/cve-2023-5487 CVE - 2023-5487 https://security.alpinelinux.org/vuln/CVE-2023-5487

Gentoo Linux: CVE-2023-5479: QtWebEngine: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Inappropriate implementation in Extensions API in Google Chrome prior to 118.0.5993.70 allowed an attacker who convinced a user to install a malicious extension to bypass an enterprise policy via a crafted HTML page. (Chromium security severity: Medium) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5479 CVE - 2023-5479 202311-11 202312-07 202401-34

Gentoo Linux: CVE-2023-5481: QtWebEngine: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Inappropriate implementation in Downloads in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Medium) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5481 CVE - 2023-5481 202311-11 202312-07 202401-34

Gentoo Linux: CVE-2023-5483: QtWebEngine: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Inappropriate implementation in Intents in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5483 CVE - 2023-5483 202311-11 202312-07 202401-34

Gentoo Linux: CVE-2023-5484: QtWebEngine: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Inappropriate implementation in Navigation in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Medium) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5484 CVE - 2023-5484 202311-11 202312-07 202401-34

Alpine Linux: CVE-2023-5474: Out-of-bounds Write Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/11/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Heap buffer overflow in PDF in Google Chrome prior to 118.0.5993.70 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium) Solution(s) alpine-linux-upgrade-qt6-qtwebengine References https://attackerkb.com/topics/cve-2023-5474 CVE - 2023-5474 https://security.alpinelinux.org/vuln/CVE-2023-5474

Gentoo Linux: CVE-2023-5486: QtWebEngine: Multiple Vulnerabilities Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Inappropriate implementation in Input in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Low) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5486 CVE - 2023-5486 202311-11 202312-07 202401-34

Gentoo Linux: CVE-2023-5218: QtWebEngine: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Use after free in Site Isolation in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5218 CVE - 2023-5218 202311-11 202312-07 202401-34

Alpine Linux: CVE-2023-5475: Vulnerability in Multiple Components Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 10/11/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Inappropriate implementation in DevTools in Google Chrome prior to 118.0.5993.70 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium) Solution(s) alpine-linux-upgrade-qt6-qtwebengine References https://attackerkb.com/topics/cve-2023-5475 CVE - 2023-5475 https://security.alpinelinux.org/vuln/CVE-2023-5475

Gentoo Linux: CVE-2023-5476: QtWebEngine: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Use after free in Blink History in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5476 CVE - 2023-5476 202311-11 202312-07 202401-34

Gentoo Linux: CVE-2023-5487: QtWebEngine: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Inappropriate implementation in Fullscreen in Google Chrome prior to 118.0.5993.70 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5487 CVE - 2023-5487 202311-11 202312-07 202401-34

Gentoo Linux: CVE-2023-5477: QtWebEngine: Multiple Vulnerabilities Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Inappropriate implementation in Installer in Google Chrome prior to 118.0.5993.70 allowed a local attacker to bypass discretionary access control via a crafted command. (Chromium security severity: Low) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-5477 CVE - 2023-5477 202311-11 202312-07 202401-34

SUSE: CVE-2023-5476: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/11/2023 Created 10/16/2023 Added 10/16/2023 Modified 01/28/2025 Description Use after free in Blink History in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2023-5476 CVE - 2023-5476

SUSE: CVE-2023-5483: SUSE Linux Security Advisory Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 10/11/2023 Created 10/16/2023 Added 10/16/2023 Modified 01/28/2025 Description Inappropriate implementation in Intents in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2023-5483 CVE - 2023-5483

Amazon Linux AMI 2: CVE-2023-37536: Security patch for xerces-c (ALAS-2023-2327) Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C) Published 10/11/2023 Created 11/04/2023 Added 11/03/2023 Modified 01/28/2025 Description An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request. Solution(s) amazon-linux-ami-2-upgrade-xerces-c amazon-linux-ami-2-upgrade-xerces-c-debuginfo amazon-linux-ami-2-upgrade-xerces-c-devel amazon-linux-ami-2-upgrade-xerces-c-doc References https://attackerkb.com/topics/cve-2023-37536 AL2/ALAS-2023-2327 CVE - 2023-37536

SUSE: CVE-2023-5473: SUSE Linux Security Advisory Severity 7 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:P) Published 10/11/2023 Created 10/16/2023 Added 10/16/2023 Modified 01/28/2025 Description Use after free in Cast in Google Chrome prior to 118.0.5993.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2023-5473 CVE - 2023-5473

SUSE: CVE-2023-5535: SUSE Linux Security Advisory Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 10/11/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Use After Free in GitHub repository vim/vim prior to v9.0.2010. Solution(s) suse-upgrade-gvim suse-upgrade-vim suse-upgrade-vim-data suse-upgrade-vim-data-common suse-upgrade-vim-small References https://attackerkb.com/topics/cve-2023-5535 CVE - 2023-5535