All posts published by ISHACK AI BOT
-
Ubuntu: (Multiple Advisories) (CVE-2023-4875): Mutt vulnerabilities
Severity: 6
CVSS: (AV:N/AC:M/Au:S/C:N/I:N/A:C)
Published: 09/09/2023
Created: 09/18/2023
Added: 09/18/2023
Modified: 01/28/2025
Description: Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12
Solution(s): ubuntu-pro-upgrade-mutt, ubuntu-pro-upgrade-mutt-patched
References: https://attackerkb.com/topics/cve-2023-4875, CVE - 2023-4875, USN-6374-1, USN-6374-2
-
Red Hat: CVE-2023-4875: mutt: null pointer dereference (Multiple Advisories)
Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Published: 09/09/2023
Created: 05/01/2024
Added: 05/01/2024
Modified: 09/03/2024
Description: Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12
Solution(s): redhat-upgrade-mutt, redhat-upgrade-mutt-debuginfo, redhat-upgrade-mutt-debugsource
References: CVE-2023-4875, RHSA-2024:2290, RHSA-2024:3058
-
Huawei EulerOS: CVE-2023-4874: mutt security update
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 09/09/2023
Created: 02/13/2024
Added: 02/12/2024
Modified: 01/28/2025
Description: Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12
Solution(s): huawei-euleros-2_0_sp5-upgrade-mutt
References: https://attackerkb.com/topics/cve-2023-4874, CVE - 2023-4874, EulerOS-SA-2024-1153
-
Red Hat: CVE-2023-41915: pmix: race condition allows attackers to obtain ownership of arbitrary files (Multiple Advisories)
Severity: 8
CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published: 09/09/2023
Created: 05/01/2024
Added: 05/01/2024
Modified: 11/26/2024
Description: OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.
Solution(s): redhat-upgrade-pmix, redhat-upgrade-pmix-debuginfo, redhat-upgrade-pmix-debugsource, redhat-upgrade-pmix-devel, redhat-upgrade-pmix-pmi, redhat-upgrade-pmix-pmi-debuginfo, redhat-upgrade-pmix-pmi-devel, redhat-upgrade-pmix-tools, redhat-upgrade-pmix-tools-debuginfo
References: CVE-2023-41915, RHSA-2024:2199, RHSA-2024:3008
-
Amazon Linux AMI 2: CVE-2023-4875: Security patch for mutt (ALAS-2023-2265)
Severity: 6
CVSS: (AV:N/AC:M/Au:S/C:N/I:N/A:C)
Published: 09/09/2023
Created: 10/06/2023
Added: 10/06/2023
Modified: 01/28/2025
Description: Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12
Solution(s): amazon-linux-ami-2-upgrade-mutt, amazon-linux-ami-2-upgrade-mutt-debuginfo
References: https://attackerkb.com/topics/cve-2023-4875, AL2/ALAS-2023-2265, CVE - 2023-4875
-
Rocky Linux: CVE-2023-4875: mutt (RLSA-2024-3058)
Severity: 6
CVSS: (AV:N/AC:M/Au:S/C:N/I:N/A:C)
Published: 09/09/2023
Created: 06/17/2024
Added: 06/17/2024
Modified: 01/28/2025
Description: Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12
Solution(s): rocky-upgrade-mutt, rocky-upgrade-mutt-debuginfo, rocky-upgrade-mutt-debugsource
References: https://attackerkb.com/topics/cve-2023-4875, CVE - 2023-4875, https://errata.rockylinux.org/RLSA-2024:3058
-
Huawei EulerOS: CVE-2023-4874: mutt security update
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 09/09/2023
Created: 01/11/2024
Added: 01/10/2024
Modified: 01/28/2025
Description: Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12
Solution(s): huawei-euleros-2_0_sp11-upgrade-mutt
References: https://attackerkb.com/topics/cve-2023-4874, CVE - 2023-4874, EulerOS-SA-2023-3280
-
Gentoo Linux: CVE-2023-4573: Mozilla Thunderbird: Multiple Vulnerabilities
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 09/11/2023
Created: 02/22/2024
Added: 02/21/2024
Modified: 01/28/2025
Description: When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
Solution(s): gentoo-linux-upgrade-mail-client-thunderbird, gentoo-linux-upgrade-mail-client-thunderbird-bin
References: https://attackerkb.com/topics/cve-2023-4573, CVE - 2023-4573, 202402-25
-
Gentoo Linux: CVE-2023-4576: Mozilla Thunderbird: Multiple Vulnerabilities
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published: 09/11/2023
Created: 02/22/2024
Added: 02/21/2024
Modified: 01/28/2025
Description: On Windows, an integer overflow could occur in `RecordedSourceSurfaceCreation` which resulted in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
Solution(s): gentoo-linux-upgrade-mail-client-thunderbird, gentoo-linux-upgrade-mail-client-thunderbird-bin
References: https://attackerkb.com/topics/cve-2023-4576, CVE - 2023-4576, 202402-25
-
Gentoo Linux: CVE-2023-4577: Mozilla Thunderbird: Multiple Vulnerabilities
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 09/11/2023
Created: 02/22/2024
Added: 02/21/2024
Modified: 01/28/2025
Description: When `UpdateRegExpStatics` attempted to access `initialStringHeap` it could already have been garbage collected prior to entering the function, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
Solution(s): gentoo-linux-upgrade-mail-client-thunderbird, gentoo-linux-upgrade-mail-client-thunderbird-bin
References: https://attackerkb.com/topics/cve-2023-4577, CVE - 2023-4577, 202402-25
-
Gentoo Linux: CVE-2023-4584: Mozilla Thunderbird: Multiple Vulnerabilities
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 09/11/2023
Created: 02/22/2024
Added: 02/21/2024
Modified: 01/28/2025
Description: Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
Solution(s): gentoo-linux-upgrade-mail-client-thunderbird, gentoo-linux-upgrade-mail-client-thunderbird-bin
References: https://attackerkb.com/topics/cve-2023-4584, CVE - 2023-4584, 202402-25
-
Gentoo Linux: CVE-2023-4578: Mozilla Thunderbird: Multiple Vulnerabilities
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 09/11/2023
Created: 02/22/2024
Added: 02/21/2024
Modified: 01/28/2025
Description: When calling `JS::CheckRegExpSyntax` a Syntax Error could have been set which would end in calling `convertToRuntimeErrorAndClear`. A path in the function could attempt to allocate memory when none is available which would have caused a newly created Out of Memory exception to be mishandled as a Syntax Error. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
Solution(s): gentoo-linux-upgrade-mail-client-thunderbird, gentoo-linux-upgrade-mail-client-thunderbird-bin
References: https://attackerkb.com/topics/cve-2023-4578, CVE - 2023-4578, 202402-25
-
Gentoo Linux: CVE-2023-4579: Mozilla Firefox: Multiple Vulnerabilities
Severity: 3
CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Published: 09/11/2023
Created: 01/09/2024
Added: 01/08/2024
Modified: 01/28/2025
Description: Search queries in the default search engine could appear to have been the currently navigated URL if the search query itself was a well formed URL. This could have led to a site spoofing another if it had been maliciously set as the default search engine. This vulnerability affects Firefox < 117.
Solution(s): gentoo-linux-upgrade-www-client-firefox, gentoo-linux-upgrade-www-client-firefox-bin
References: https://attackerkb.com/topics/cve-2023-4579, CVE - 2023-4579, 202401-10
-
Gentoo Linux: CVE-2023-4580: Mozilla Thunderbird: Multiple Vulnerabilities
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:C/I:N/A:N)
Published: 09/11/2023
Created: 02/22/2024
Added: 02/21/2024
Modified: 01/28/2025
Description: Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing the leak of sensitive information. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.
Solution(s): gentoo-linux-upgrade-mail-client-thunderbird, gentoo-linux-upgrade-mail-client-thunderbird-bin
References: https://attackerkb.com/topics/cve-2023-4580, CVE - 2023-4580, 202402-25
-
Gentoo Linux: CVE-2023-4581: Mozilla Thunderbird: Multiple Vulnerabilities
Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Published: 09/11/2023
Created: 02/22/2024
Added: 02/21/2024
Modified: 01/30/2025
Description: Excel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
Solution(s): gentoo-linux-upgrade-mail-client-thunderbird, gentoo-linux-upgrade-mail-client-thunderbird-bin
References: https://attackerkb.com/topics/cve-2023-4581, CVE - 2023-4581, 202402-25
-
Oracle Linux: CVE-2023-41915: ELSA-2024-3008: pmix security update (IMPORTANT) (Multiple Advisories)
Severity: 8
CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published: 09/10/2023
Created: 05/22/2024
Added: 05/07/2024
Modified: 01/07/2025
Description: OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0. OpenPMIx PMIx is vulnerable to a race condition during execution of library code with UID 0, which allows attackers to obtain ownership of arbitrary files.
Solution(s): oracle-linux-upgrade-pmix, oracle-linux-upgrade-pmix-devel, oracle-linux-upgrade-pmix-pmi, oracle-linux-upgrade-pmix-pmi-devel, oracle-linux-upgrade-pmix-tools
References: https://attackerkb.com/topics/cve-2023-41915, CVE - 2023-41915, ELSA-2024-3008, ELSA-2024-2199
-
Amazon Linux 2023: CVE-2023-41915: Medium priority package update for pmix
Severity: 8
CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published: 09/10/2023
Created: 02/14/2025
Added: 02/14/2025
Modified: 02/14/2025
Description: OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0. OpenPMIx PMIx is vulnerable to a race condition during execution of library code with UID 0, which allows attackers to obtain ownership of arbitrary files.
Solution(s): amazon-linux-2023-upgrade-pmix, amazon-linux-2023-upgrade-pmix-debuginfo, amazon-linux-2023-upgrade-pmix-debugsource, amazon-linux-2023-upgrade-pmix-devel, amazon-linux-2023-upgrade-pmix-pmi, amazon-linux-2023-upgrade-pmix-pmi-debuginfo, amazon-linux-2023-upgrade-pmix-pmi-devel, amazon-linux-2023-upgrade-pmix-tools, amazon-linux-2023-upgrade-pmix-tools-debuginfo
References: https://attackerkb.com/topics/cve-2023-41915, CVE - 2023-41915, https://alas.aws.amazon.com/AL2023/ALAS-2023-363.html
-
SUSE: CVE-2023-4875: SUSE Linux Security Advisory
Severity: 6
CVSS: (AV:N/AC:M/Au:S/C:N/I:N/A:C)
Published: 09/09/2023
Created: 09/21/2023
Added: 09/21/2023
Modified: 01/28/2025
Description: Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12
Solution(s): suse-upgrade-mutt, suse-upgrade-mutt-doc, suse-upgrade-mutt-lang
References: https://attackerkb.com/topics/cve-2023-4875, CVE - 2023-4875
-
SUSE: CVE-2023-41915: SUSE Linux Security Advisory
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 09/09/2023
Created: 09/30/2023
Added: 09/29/2023
Modified: 01/28/2025
Description: OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.
Solution(s): suse-upgrade-libmca_common_dstore1, suse-upgrade-libpmix2, suse-upgrade-pmix, suse-upgrade-pmix-devel, suse-upgrade-pmix-headers, suse-upgrade-pmix-mca-params, suse-upgrade-pmix-plugin-munge, suse-upgrade-pmix-plugins, suse-upgrade-pmix-test
References: https://attackerkb.com/topics/cve-2023-41915, CVE - 2023-41915, DSA-5547
-
Debian: CVE-2023-4874: mutt -- security update
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 09/09/2023
Created: 09/13/2023
Added: 09/12/2023
Modified: 01/28/2025
Description: Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12
Solution(s): debian-upgrade-mutt
References: https://attackerkb.com/topics/cve-2023-4874, CVE - 2023-4874, DSA-5494-1
-
Alma Linux: CVE-2023-41915: Important: pmix security update (Multiple Advisories)
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 09/09/2023
Created: 05/08/2024
Added: 05/08/2024
Modified: 01/28/2025
Description: OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.
Solution(s): alma-upgrade-pmix, alma-upgrade-pmix-devel, alma-upgrade-pmix-pmi, alma-upgrade-pmix-pmi-devel, alma-upgrade-pmix-tools
References: https://attackerkb.com/topics/cve-2023-41915, CVE - 2023-41915, https://errata.almalinux.org/8/ALSA-2024-3008.html, https://errata.almalinux.org/9/ALSA-2024-2199.html
-
Alma Linux: CVE-2023-39321: Moderate: container-tools:4.0 security update (Multiple Advisories)
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 09/08/2023
Created: 12/20/2023
Added: 12/19/2023
Modified: 01/28/2025
Description: Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
Solution(s): alma-upgrade-aardvark-dns, alma-upgrade-buildah, alma-upgrade-buildah-tests, alma-upgrade-cockpit-podman, alma-upgrade-conmon, alma-upgrade-container-selinux, alma-upgrade-containernetworking-plugins, alma-upgrade-containers-common, alma-upgrade-crit, alma-upgrade-criu, alma-upgrade-criu-devel, alma-upgrade-criu-libs, alma-upgrade-crun, alma-upgrade-fuse-overlayfs, alma-upgrade-libslirp, alma-upgrade-libslirp-devel, alma-upgrade-netavark, alma-upgrade-oci-seccomp-bpf-hook, alma-upgrade-podman, alma-upgrade-podman-catatonit, alma-upgrade-podman-docker, alma-upgrade-podman-gvproxy, alma-upgrade-podman-plugins, alma-upgrade-podman-remote, alma-upgrade-podman-tests, alma-upgrade-python3-criu, alma-upgrade-python3-podman, alma-upgrade-runc, alma-upgrade-skopeo, alma-upgrade-skopeo-tests, alma-upgrade-slirp4netns, alma-upgrade-toolbox, alma-upgrade-toolbox-tests, alma-upgrade-udica
References: https://attackerkb.com/topics/cve-2023-39321, CVE - 2023-39321, https://errata.almalinux.org/8/ALSA-2024-0121.html, https://errata.almalinux.org/9/ALSA-2023-7762.html, https://errata.almalinux.org/9/ALSA-2023-7763.html, https://errata.almalinux.org/9/ALSA-2023-7764.html, https://errata.almalinux.org/9/ALSA-2023-7765.html, https://errata.almalinux.org/9/ALSA-2023-7766.html
-
Rapid7 Insight Agent: CVE-2023-4807: Message authentication code corruption
Severity: 6
CVSS: (AV:L/AC:H/Au:S/C:C/I:C/A:C)
Published: 09/08/2023
Created: 03/20/2024
Added: 03/19/2024
Modified: 04/23/2024
Description: Rapid7 Insight Agent versions below 4.0.6.14 suffer from a Message authentication code corruption vulnerability.
Solution(s): rapid7-insightagent-upgrade-4_0_6_14
References: https://attackerkb.com/topics/cve-2023-4807, CVE - 2023-4807, https://docs.rapid7.com/release-notes/insightagent/20240314/
-
SUSE: CVE-2023-39322: SUSE Linux Security Advisory
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 09/08/2023
Created: 09/21/2023
Added: 09/21/2023
Modified: 01/28/2025
Description: QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.
Solution(s): suse-upgrade-go1-21, suse-upgrade-go1-21-doc, suse-upgrade-go1-21-openssl, suse-upgrade-go1-21-openssl-doc, suse-upgrade-go1-21-openssl-race, suse-upgrade-go1-21-race
References: https://attackerkb.com/topics/cve-2023-39322, CVE - 2023-39322
-
Amazon Linux AMI 2: CVE-2023-39318: Security patch for golang (ALAS-2023-2313)
Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: 09/08/2023
Created: 11/01/2023
Added: 11/01/2023
Modified: 01/30/2025
Description: The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
Solution(s): amazon-linux-ami-2-upgrade-golang, amazon-linux-ami-2-upgrade-golang-bin, amazon-linux-ami-2-upgrade-golang-docs, amazon-linux-ami-2-upgrade-golang-misc, amazon-linux-ami-2-upgrade-golang-shared, amazon-linux-ami-2-upgrade-golang-src, amazon-linux-ami-2-upgrade-golang-tests
References: https://attackerkb.com/topics/cve-2023-39318, AL2/ALAS-2023-2313, CVE - 2023-39318