ISHACK AI BOT

MFSA2023-41 Firefox: Security Vulnerabilities fixed in Firefox 118 (CVE-2023-5170) Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 09/26/2023 Created 09/28/2023 Added 09/27/2023 Modified 01/28/2025 Description In canvas rendering, a compromised content process could have caused a surface to change unexpectedly, leading to a memory leak of a privileged process. This memory leak could be used to effect a sandbox escape if the correct data was leaked. This vulnerability affects Firefox < 118. Solution(s) mozilla-firefox-upgrade-118_0 References https://attackerkb.com/topics/cve-2023-5170 CVE - 2023-5170 http://www.mozilla.org/security/announce/2023/mfsa2023-41.html

OS X update for BOM (CVE-2023-40455) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 09/27/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for Calendar (CVE-2023-40406) Severity 5 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N) Published 09/27/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for Bluetooth (CVE-2023-40400) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 09/27/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

MFSA2023-42 Firefox: Security Vulnerabilities fixed in Firefox ESR 115.3 (CVE-2023-5171) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 09/26/2023 Created 09/28/2023 Added 09/27/2023 Modified 01/28/2025 Description During Ion compilation, a Garbage Collection could have resulted in a use-after-free condition, allowing an attacker to write two NUL bytes, and cause a potentially exploitable crash. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. Solution(s) mozilla-firefox-esr-upgrade-115_3 References https://attackerkb.com/topics/cve-2023-5171 CVE - 2023-5171 http://www.mozilla.org/security/announce/2023/mfsa2023-42.html

MFSA2023-41 Firefox: Security Vulnerabilities fixed in Firefox 118 (CVE-2023-5174) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 09/26/2023 Created 09/28/2023 Added 09/27/2023 Modified 01/28/2025 Description If Windows failed to duplicate a handle during process creation, the sandbox code may have inadvertently freed a pointer twice, resulting in a use-after-free and a potentially exploitable crash. *This bug only affects Firefox on Windows when run in non-standard configurations (such as using `runas`). Other operating systems are unaffected.* This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. Solution(s) mozilla-firefox-upgrade-118_0 References https://attackerkb.com/topics/cve-2023-5174 CVE - 2023-5174 http://www.mozilla.org/security/announce/2023/mfsa2023-41.html

MFSA2023-41 Firefox: Security Vulnerabilities fixed in Firefox 118 (CVE-2023-5173) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 09/26/2023 Created 09/28/2023 Added 09/27/2023 Modified 01/28/2025 Description In a non-standard configuration of Firefox, an integer overflow could have occurred based on network traffic (possibly under influence of a local unprivileged webpage), leading to an out-of-bounds write to privileged process memory. *This bug only affects Firefox if a non-standard preference allowing non-HTTPS Alternate Services (`network.http.altsvc.oe`) is enabled.* This vulnerability affects Firefox < 118. Solution(s) mozilla-firefox-upgrade-118_0 References https://attackerkb.com/topics/cve-2023-5173 CVE - 2023-5173 http://www.mozilla.org/security/announce/2023/mfsa2023-41.html

MFSA2023-41 Firefox: Security Vulnerabilities fixed in Firefox 118 (CVE-2023-5176) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 09/26/2023 Created 09/28/2023 Added 09/27/2023 Modified 01/28/2025 Description Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. Solution(s) mozilla-firefox-upgrade-118_0 References https://attackerkb.com/topics/cve-2023-5176 CVE - 2023-5176 http://www.mozilla.org/security/announce/2023/mfsa2023-41.html

Amazon Linux 2023: CVE-2023-22025: Medium priority package update for java-21-amazon-corretto (Multiple Advisories) Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:P/A:N) Published 09/26/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7 and22.3.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition,.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) amazon-linux-2023-upgrade-java-17-amazon-corretto amazon-linux-2023-upgrade-java-17-amazon-corretto-devel amazon-linux-2023-upgrade-java-17-amazon-corretto-headless amazon-linux-2023-upgrade-java-17-amazon-corretto-javadoc amazon-linux-2023-upgrade-java-17-amazon-corretto-jmods amazon-linux-2023-upgrade-java-21-amazon-corretto amazon-linux-2023-upgrade-java-21-amazon-corretto-devel amazon-linux-2023-upgrade-java-21-amazon-corretto-headless amazon-linux-2023-upgrade-java-21-amazon-corretto-javadoc amazon-linux-2023-upgrade-java-21-amazon-corretto-jmods References https://attackerkb.com/topics/cve-2023-22025 CVE - 2023-22025 https://alas.aws.amazon.com/AL2023/ALAS-2023-399.html https://alas.aws.amazon.com/AL2023/ALAS-2023-400.html

Oracle Linux: CVE-2023-5169: ELSA-2023-5434:firefox security update (IMPORTANT) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 09/26/2023 Created 10/06/2023 Added 10/05/2023 Modified 01/07/2025 Description A compromised content process could have provided malicious data in a `PathRecording` resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process. This vulnerability affects Firefox &lt; 118, Firefox ESR &lt; 115.3, and Thunderbird &lt; 115.3. A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as: A compromised content process could have provided malicious data in a `PathRecording`, resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process. Solution(s) oracle-linux-upgrade-firefox oracle-linux-upgrade-firefox-x11 oracle-linux-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-5169 CVE - 2023-5169 ELSA-2023-5434 ELSA-2023-5433 ELSA-2023-5435 ELSA-2023-5475 ELSA-2023-5477 ELSA-2023-5428 View more

Oracle Linux: CVE-2023-5176: ELSA-2023-5434:firefox security update (IMPORTANT) (Multiple Advisories) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 09/26/2023 Created 10/06/2023 Added 10/05/2023 Modified 01/07/2025 Description Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox &lt; 118, Firefox ESR &lt; 115.3, and Thunderbird &lt; 115.3. A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as: Memory safety bugs are present in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code. Solution(s) oracle-linux-upgrade-firefox oracle-linux-upgrade-firefox-x11 oracle-linux-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-5176 CVE - 2023-5176 ELSA-2023-5434 ELSA-2023-5433 ELSA-2023-5435 ELSA-2023-5475 ELSA-2023-5477 ELSA-2023-5428 View more

VMware Photon OS: CVE-2023-4156 Severity 4 CVSS (AV:L/AC:L/Au:N/C:P/I:N/A:P) Published 09/25/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-4156 CVE - 2023-4156

Oracle Linux: CVE-2023-40661: ELSA-2023-7876:opensc security update (MODERATE) (Multiple Advisories) Severity 6 CVSS (AV:L/AC:L/Au:N/C:P/I:P/A:C) Published 09/25/2023 Created 12/21/2023 Added 12/19/2023 Modified 01/07/2025 Description Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow compromise key generation, certificate loading, and other card management operations during enrollment. Solution(s) oracle-linux-upgrade-opensc References https://attackerkb.com/topics/cve-2023-40661 CVE - 2023-40661 ELSA-2023-7876 ELSA-2023-7879

Huawei EulerOS: CVE-2023-4156: gawk security update Severity 6 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:C) Published 09/25/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information. Solution(s) huawei-euleros-2_0_sp10-upgrade-gawk References https://attackerkb.com/topics/cve-2023-4156 CVE - 2023-4156 EulerOS-SA-2023-3208

Huawei EulerOS: CVE-2023-42753: kernel security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 09/25/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system. Solution(s) huawei-euleros-2_0_sp9-upgrade-kernel huawei-euleros-2_0_sp9-upgrade-kernel-tools huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs huawei-euleros-2_0_sp9-upgrade-python3-perf References https://attackerkb.com/topics/cve-2023-42753 CVE - 2023-42753 EulerOS-SA-2023-3336

Huawei EulerOS: CVE-2023-4156: gawk security update Severity 6 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:C) Published 09/25/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information. Solution(s) huawei-euleros-2_0_sp11-upgrade-gawk References https://attackerkb.com/topics/cve-2023-4156 CVE - 2023-4156 EulerOS-SA-2023-3028

Debian: CVE-2023-4156: gawk -- security update Severity 6 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:C) Published 09/25/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information. Solution(s) debian-upgrade-gawk References https://attackerkb.com/topics/cve-2023-4156 CVE - 2023-4156

Debian: CVE-2023-5158: linux -- security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 09/25/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in the host side of a virtio ring in the Linux Kernel. This issue may result in a denial of service from guest to host via zero length descriptor. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-5158 CVE - 2023-5158

Debian: CVE-2023-42753: linux -- security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 09/25/2023 Created 10/24/2023 Added 10/23/2023 Modified 01/28/2025 Description An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-42753 CVE - 2023-42753 DLA-3623-1

Amazon Linux 2023: CVE-2023-42755: Important priority package update for kernel Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 09/25/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb, leading to an out-of-bounds read in the `rsvp_classify` function. This issue may allow a local user to crash the system and cause a denial of service. Solution(s) amazon-linux-2023-upgrade-bpftool amazon-linux-2023-upgrade-bpftool-debuginfo amazon-linux-2023-upgrade-kernel amazon-linux-2023-upgrade-kernel-debuginfo amazon-linux-2023-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-2023-upgrade-kernel-debuginfo-common-x86-64 amazon-linux-2023-upgrade-kernel-devel amazon-linux-2023-upgrade-kernel-headers amazon-linux-2023-upgrade-kernel-libbpf amazon-linux-2023-upgrade-kernel-libbpf-devel amazon-linux-2023-upgrade-kernel-libbpf-static amazon-linux-2023-upgrade-kernel-livepatch-6-1-55-75-123 amazon-linux-2023-upgrade-kernel-tools amazon-linux-2023-upgrade-kernel-tools-debuginfo amazon-linux-2023-upgrade-kernel-tools-devel amazon-linux-2023-upgrade-perf amazon-linux-2023-upgrade-perf-debuginfo amazon-linux-2023-upgrade-python3-perf amazon-linux-2023-upgrade-python3-perf-debuginfo References https://attackerkb.com/topics/cve-2023-42755 CVE - 2023-42755 https://alas.aws.amazon.com/AL2023/ALAS-2023-356.html

Debian: CVE-2022-4245: plexus-utils2 -- security update Severity 4 CVSS (AV:N/AC:L/Au:S/C:P/I:N/A:N) Published 09/25/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. Solution(s) debian-upgrade-plexus-utils2 References https://attackerkb.com/topics/cve-2022-4245 CVE - 2022-4245

Oracle Linux: CVE-2023-6240: ELSA-2024-2758:kernel security and bug fix update (MODERATE) (Multiple Advisories) Severity 6 CVSS (AV:N/AC:H/Au:N/C:C/I:P/A:N) Published 09/25/2023 Created 05/22/2024 Added 05/09/2024 Modified 01/07/2025 Description A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key. Solution(s) oracle-linux-upgrade-kernel References https://attackerkb.com/topics/cve-2023-6240 CVE - 2023-6240 ELSA-2024-2758 ELSA-2024-3618

Huawei EulerOS: CVE-2023-4156: gawk security update Severity 6 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:C) Published 09/25/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information. Solution(s) huawei-euleros-2_0_sp9-upgrade-gawk References https://attackerkb.com/topics/cve-2023-4156 CVE - 2023-4156 EulerOS-SA-2023-2894

SUSE: CVE-2023-5158: SUSE Linux Security Advisory Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 09/25/2023 Created 12/14/2023 Added 12/13/2023 Modified 01/28/2025 Description A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in the host side of a virtio ring in the Linux Kernel. This issue may result in a denial of service from guest to host via zero length descriptor. Solution(s) suse-upgrade-cluster-md-kmp-64kb suse-upgrade-cluster-md-kmp-azure suse-upgrade-cluster-md-kmp-default suse-upgrade-cluster-md-kmp-rt suse-upgrade-dlm-kmp-64kb suse-upgrade-dlm-kmp-azure suse-upgrade-dlm-kmp-default suse-upgrade-dlm-kmp-rt suse-upgrade-dtb-allwinner suse-upgrade-dtb-altera suse-upgrade-dtb-amazon suse-upgrade-dtb-amd suse-upgrade-dtb-amlogic suse-upgrade-dtb-apm suse-upgrade-dtb-apple suse-upgrade-dtb-arm suse-upgrade-dtb-broadcom suse-upgrade-dtb-cavium suse-upgrade-dtb-exynos suse-upgrade-dtb-freescale suse-upgrade-dtb-hisilicon suse-upgrade-dtb-lg suse-upgrade-dtb-marvell suse-upgrade-dtb-mediatek suse-upgrade-dtb-nvidia suse-upgrade-dtb-qcom suse-upgrade-dtb-renesas suse-upgrade-dtb-rockchip suse-upgrade-dtb-socionext suse-upgrade-dtb-sprd suse-upgrade-dtb-xilinx suse-upgrade-gfs2-kmp-64kb suse-upgrade-gfs2-kmp-azure suse-upgrade-gfs2-kmp-default suse-upgrade-gfs2-kmp-rt suse-upgrade-kernel-64kb suse-upgrade-kernel-64kb-devel suse-upgrade-kernel-64kb-extra suse-upgrade-kernel-64kb-livepatch-devel suse-upgrade-kernel-64kb-optional suse-upgrade-kernel-azure suse-upgrade-kernel-azure-devel suse-upgrade-kernel-azure-extra suse-upgrade-kernel-azure-livepatch-devel suse-upgrade-kernel-azure-optional suse-upgrade-kernel-azure-vdso suse-upgrade-kernel-debug suse-upgrade-kernel-debug-devel suse-upgrade-kernel-debug-livepatch-devel suse-upgrade-kernel-debug-vdso suse-upgrade-kernel-default suse-upgrade-kernel-default-base suse-upgrade-kernel-default-base-rebuild suse-upgrade-kernel-default-devel suse-upgrade-kernel-default-extra suse-upgrade-kernel-default-livepatch suse-upgrade-kernel-default-livepatch-devel suse-upgrade-kernel-default-optional suse-upgrade-kernel-default-vdso suse-upgrade-kernel-devel suse-upgrade-kernel-devel-azure suse-upgrade-kernel-devel-rt suse-upgrade-kernel-docs suse-upgrade-kernel-docs-html suse-upgrade-kernel-kvmsmall suse-upgrade-kernel-kvmsmall-devel suse-upgrade-kernel-kvmsmall-livepatch-devel suse-upgrade-kernel-kvmsmall-vdso suse-upgrade-kernel-macros suse-upgrade-kernel-obs-build suse-upgrade-kernel-obs-qa suse-upgrade-kernel-rt suse-upgrade-kernel-rt-devel suse-upgrade-kernel-rt-extra suse-upgrade-kernel-rt-livepatch suse-upgrade-kernel-rt-livepatch-devel suse-upgrade-kernel-rt-optional suse-upgrade-kernel-rt-vdso suse-upgrade-kernel-rt_debug suse-upgrade-kernel-rt_debug-devel suse-upgrade-kernel-rt_debug-livepatch-devel suse-upgrade-kernel-rt_debug-vdso suse-upgrade-kernel-source suse-upgrade-kernel-source-azure suse-upgrade-kernel-source-rt suse-upgrade-kernel-source-vanilla suse-upgrade-kernel-syms suse-upgrade-kernel-syms-azure suse-upgrade-kernel-syms-rt suse-upgrade-kernel-zfcpdump suse-upgrade-kselftests-kmp-64kb suse-upgrade-kselftests-kmp-azure suse-upgrade-kselftests-kmp-default suse-upgrade-kselftests-kmp-rt suse-upgrade-ocfs2-kmp-64kb suse-upgrade-ocfs2-kmp-azure suse-upgrade-ocfs2-kmp-default suse-upgrade-ocfs2-kmp-rt suse-upgrade-reiserfs-kmp-64kb suse-upgrade-reiserfs-kmp-azure suse-upgrade-reiserfs-kmp-default suse-upgrade-reiserfs-kmp-rt References https://attackerkb.com/topics/cve-2023-5158 CVE - 2023-5158

VMware Photon OS: CVE-2023-41419 Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 09/25/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description An issue in Gevent before version 23.9.0 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-41419 CVE - 2023-41419