ISHACK AI BOT

Amazon Linux AMI 2: CVE-2023-20900: Security patch for open-vm-tools (ALAS-2023-2250) Severity 8 CVSS (AV:A/AC:M/Au:N/C:C/I:C/A:C) Published 08/31/2023 Created 09/21/2023 Added 09/21/2023 Modified 01/28/2025 Description A malicious actor that has been grantedGuest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privilegedGuest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html . Solution(s) amazon-linux-ami-2-upgrade-open-vm-tools amazon-linux-ami-2-upgrade-open-vm-tools-debuginfo amazon-linux-ami-2-upgrade-open-vm-tools-desktop amazon-linux-ami-2-upgrade-open-vm-tools-devel amazon-linux-ami-2-upgrade-open-vm-tools-salt-minion amazon-linux-ami-2-upgrade-open-vm-tools-sdmp amazon-linux-ami-2-upgrade-open-vm-tools-test References https://attackerkb.com/topics/cve-2023-20900 AL2/ALAS-2023-2250 CVE - 2023-20900

Debian: CVE-2023-39353: freerdp2 -- security update Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 08/31/2023 Created 10/11/2023 Added 10/10/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to a missing offset validation leading to Out Of Bound Read. In the `libfreerdp/codec/rfx.c` file there is no offset validation in `tile->quantIdxY`, `tile->quantIdxCb`, and `tile->quantIdxCr`. As a result crafted input can lead to an out of bounds read access which in turn will cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) debian-upgrade-freerdp2 References https://attackerkb.com/topics/cve-2023-39353 CVE - 2023-39353 DLA-3606-1

Amazon Linux AMI 2: CVE-2023-40589: Security patch for freerdp (ALAS-2023-2269) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 08/31/2023 Created 10/06/2023 Added 10/06/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions there is a Global-Buffer-Overflow in the ncrush_decompress function. Feeding crafted input into this function can trigger the overflow which has only been shown to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue. Solution(s) amazon-linux-ami-2-upgrade-freerdp amazon-linux-ami-2-upgrade-freerdp-debuginfo amazon-linux-ami-2-upgrade-freerdp-devel amazon-linux-ami-2-upgrade-freerdp-libs amazon-linux-ami-2-upgrade-libwinpr amazon-linux-ami-2-upgrade-libwinpr-devel References https://attackerkb.com/topics/cve-2023-40589 AL2/ALAS-2023-2269 CVE - 2023-40589

Amazon Linux AMI 2: CVE-2023-39350: Security patch for freerdp (ALAS-2023-2269) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 08/31/2023 Created 10/06/2023 Added 10/06/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. This issue affects Clients only. Integer underflow leading to DOS (e.g. abort due to `WINPR_ASSERT` with default compilation flags). When an insufficient blockLen is provided, and proper length validation is not performed, an Integer Underflow occurs, leading to a Denial of Service (DOS) vulnerability. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) amazon-linux-ami-2-upgrade-freerdp amazon-linux-ami-2-upgrade-freerdp-debuginfo amazon-linux-ami-2-upgrade-freerdp-devel amazon-linux-ami-2-upgrade-freerdp-libs amazon-linux-ami-2-upgrade-libwinpr amazon-linux-ami-2-upgrade-libwinpr-devel References https://attackerkb.com/topics/cve-2023-39350 AL2/ALAS-2023-2269 CVE - 2023-39350

FreeBSD: VID-AAEA7B7C-4887-11EE-B164-001B217B3468 (CVE-2023-0120): Gitlab -- Vulnerabilities Severity 4 CVSS (AV:N/AC:L/Au:S/C:N/I:P/A:N) Published 08/31/2023 Created 09/05/2023 Added 09/01/2023 Modified 01/28/2025 Description An issue has been discovered in GitLab affecting all versions starting from 10.0 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to edit labels description by an unauthorised user. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2023-0120

FreeBSD: VID-AAEA7B7C-4887-11EE-B164-001B217B3468 (CVE-2023-4378): Gitlab -- Vulnerabilities Severity 4 CVSS (AV:N/AC:L/Au:S/C:P/I:N/A:N) Published 08/31/2023 Created 09/05/2023 Added 09/01/2023 Modified 01/28/2025 Description An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A malicious Maintainer can, under specific circumstances, leak the sentry token by changing the configured URL in the Sentry error tracking settings page. This was as a result of an incomplete fix for CVE-2022-4365. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2023-4378

FreeBSD: VID-AAEA7B7C-4887-11EE-B164-001B217B3468 (CVE-2023-3205): Gitlab -- Vulnerabilities Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 08/31/2023 Created 09/05/2023 Added 09/01/2023 Modified 01/28/2025 Description An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2023-3205

Oracle Linux: CVE-2023-39350: ELSA-2024-2208:freerdp security update (MODERATE) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 08/31/2023 Created 05/22/2024 Added 05/07/2024 Modified 11/30/2024 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. This issue affects Clients only. Integer underflow leading to DOS (e.g. abort due to `WINPR_ASSERT` with default compilation flags). When an insufficient blockLen is provided, and proper length validation is not performed, an Integer Underflow occurs, leading to a Denial of Service (DOS) vulnerability. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. A flaw was found in FreeRDP. When an insufficient blockLen value is provided and proper length validation is not performed, an Integer Underflow can occur, leading to a Denial of Service (DOS). Solution(s) oracle-linux-upgrade-freerdp oracle-linux-upgrade-freerdp-devel oracle-linux-upgrade-freerdp-libs oracle-linux-upgrade-libwinpr oracle-linux-upgrade-libwinpr-devel References https://attackerkb.com/topics/cve-2023-39350 CVE - 2023-39350 ELSA-2024-2208

Oracle Linux: CVE-2023-40589: ELSA-2024-2208:freerdp security update (MODERATE) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 08/31/2023 Created 05/22/2024 Added 05/07/2024 Modified 11/30/2024 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions there is a Global-Buffer-Overflow in the ncrush_decompress function. Feeding crafted input into this function can trigger the overflow which has only been shown to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue. A flaw was found in the FreeRDP implementation. Feeding crafted input into the ncrush_decompress function may cause a buffer overflow, resulting in a crash. Solution(s) oracle-linux-upgrade-freerdp oracle-linux-upgrade-freerdp-devel oracle-linux-upgrade-freerdp-libs oracle-linux-upgrade-libwinpr oracle-linux-upgrade-libwinpr-devel References https://attackerkb.com/topics/cve-2023-40589 CVE - 2023-40589 ELSA-2024-2208

SUSE: CVE-2023-40188: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 08/31/2023 Created 12/01/2023 Added 11/30/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the `general_LumaToYUV444` function. This Out-Of-Bounds Read occurs because processing is done on the `in` variable without checking if it contains data of sufficient length. Insufficient data for the `in` variable may cause errors or crashes. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue. Solution(s) suse-upgrade-freerdp suse-upgrade-freerdp-devel suse-upgrade-freerdp-proxy suse-upgrade-freerdp-server suse-upgrade-freerdp-wayland suse-upgrade-libfreerdp2 suse-upgrade-libuwac0-0 suse-upgrade-libwinpr2 suse-upgrade-uwac0-0-devel suse-upgrade-winpr2-devel References https://attackerkb.com/topics/cve-2023-40188 CVE - 2023-40188

SUSE: CVE-2023-40575: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 08/31/2023 Created 12/01/2023 Added 11/30/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the `general_YUV444ToRGB_8u_P3AC4R_BGRX` function. This issue is likely down to insufficient data for the `pSrc` variable and results in crashes. This issue has been addressed in version 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue. Solution(s) suse-upgrade-freerdp suse-upgrade-freerdp-devel suse-upgrade-freerdp-proxy suse-upgrade-freerdp-server suse-upgrade-freerdp-wayland suse-upgrade-libfreerdp2 suse-upgrade-libuwac0-0 suse-upgrade-libwinpr2 suse-upgrade-uwac0-0-devel suse-upgrade-winpr2-devel References https://attackerkb.com/topics/cve-2023-40575 CVE - 2023-40575

SUSE: CVE-2023-39351: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 08/31/2023 Created 12/01/2023 Added 11/30/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions of FreeRDP are subject to a Null Pointer Dereference leading a crash in the RemoteFX (rfx) handling.Inside the `rfx_process_message_tileset` function, the program allocates tiles using `rfx_allocate_tiles` for the number of numTiles. If the initialization process of tiles is not completed for various reasons, tiles will have a NULL pointer. Which may be accessed in further processing and would cause a program crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) suse-upgrade-freerdp suse-upgrade-freerdp-devel suse-upgrade-freerdp-proxy suse-upgrade-freerdp-server suse-upgrade-freerdp-wayland suse-upgrade-libfreerdp2 suse-upgrade-libuwac0-0 suse-upgrade-libwinpr2 suse-upgrade-uwac0-0-devel suse-upgrade-winpr2-devel References https://attackerkb.com/topics/cve-2023-39351 CVE - 2023-39351

SUSE: CVE-2023-39356: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 08/31/2023 Created 12/01/2023 Added 11/30/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a missing offset validation may lead to an Out Of Bound Read in the function `gdi_multi_opaque_rect`. In particular there is no code to validate if the value `multi_opaque_rect->numRectangles` is less than 45. Looping through `multi_opaque_rect->`numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) suse-upgrade-freerdp suse-upgrade-freerdp-devel suse-upgrade-freerdp-proxy suse-upgrade-freerdp-server suse-upgrade-freerdp-wayland suse-upgrade-libfreerdp2 suse-upgrade-libuwac0-0 suse-upgrade-libwinpr2 suse-upgrade-uwac0-0-devel suse-upgrade-winpr2-devel References https://attackerkb.com/topics/cve-2023-39356 CVE - 2023-39356

SUSE: CVE-2023-40567: SUSE Linux Security Advisory Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 08/31/2023 Created 12/01/2023 Added 11/30/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the `clear_decompress_bands_data` function in which there is no offset validation. Abuse of this vulnerability may lead to an out of bounds write. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. there are no known workarounds for this vulnerability. Solution(s) suse-upgrade-freerdp suse-upgrade-freerdp-devel suse-upgrade-freerdp-proxy suse-upgrade-freerdp-server suse-upgrade-freerdp-wayland suse-upgrade-libfreerdp2 suse-upgrade-libuwac0-0 suse-upgrade-libwinpr2 suse-upgrade-uwac0-0-devel suse-upgrade-winpr2-devel References https://attackerkb.com/topics/cve-2023-40567 CVE - 2023-40567

SUSE: CVE-2023-39350: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 08/31/2023 Created 12/01/2023 Added 11/30/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. This issue affects Clients only. Integer underflow leading to DOS (e.g. abort due to `WINPR_ASSERT` with default compilation flags). When an insufficient blockLen is provided, and proper length validation is not performed, an Integer Underflow occurs, leading to a Denial of Service (DOS) vulnerability. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) suse-upgrade-freerdp suse-upgrade-freerdp-devel suse-upgrade-freerdp-proxy suse-upgrade-freerdp-server suse-upgrade-freerdp-wayland suse-upgrade-libfreerdp2 suse-upgrade-libuwac0-0 suse-upgrade-libwinpr2 suse-upgrade-uwac0-0-devel suse-upgrade-winpr2-devel References https://attackerkb.com/topics/cve-2023-39350 CVE - 2023-39350

SUSE: CVE-2023-40574: SUSE Linux Security Advisory Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 08/31/2023 Created 12/01/2023 Added 11/30/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the `writePixelBGRX` function. This issue is likely down to incorrect calculations of the `nHeight` and `srcStep` variables. This issue has been addressed in version 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue. Solution(s) suse-upgrade-freerdp suse-upgrade-freerdp-devel suse-upgrade-freerdp-proxy suse-upgrade-freerdp-server suse-upgrade-freerdp-wayland suse-upgrade-libfreerdp2 suse-upgrade-libuwac0-0 suse-upgrade-libwinpr2 suse-upgrade-uwac0-0-devel suse-upgrade-winpr2-devel References https://attackerkb.com/topics/cve-2023-40574 CVE - 2023-40574

Debian: CVE-2023-39356: freerdp2 -- security update Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 08/31/2023 Created 10/11/2023 Added 10/10/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a missing offset validation may lead to an Out Of Bound Read in the function `gdi_multi_opaque_rect`. In particular there is no code to validate if the value `multi_opaque_rect->numRectangles` is less than 45. Looping through `multi_opaque_rect->`numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) debian-upgrade-freerdp2 References https://attackerkb.com/topics/cve-2023-39356 CVE - 2023-39356 DLA-3606-1

Alma Linux: CVE-2023-39350: Moderate: freerdp security update (ALSA-2024-2208) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 08/31/2023 Created 05/08/2024 Added 05/08/2024 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. This issue affects Clients only. Integer underflow leading to DOS (e.g. abort due to `WINPR_ASSERT` with default compilation flags). When an insufficient blockLen is provided, and proper length validation is not performed, an Integer Underflow occurs, leading to a Denial of Service (DOS) vulnerability. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) alma-upgrade-freerdp alma-upgrade-freerdp-devel alma-upgrade-freerdp-libs alma-upgrade-libwinpr alma-upgrade-libwinpr-devel References https://attackerkb.com/topics/cve-2023-39350 CVE - 2023-39350 https://errata.almalinux.org/9/ALSA-2024-2208.html

Amazon Linux AMI 2: CVE-2023-39356: Security patch for freerdp (ALAS-2023-2269) Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 08/31/2023 Created 10/06/2023 Added 10/06/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a missing offset validation may lead to an Out Of Bound Read in the function `gdi_multi_opaque_rect`. In particular there is no code to validate if the value `multi_opaque_rect->numRectangles` is less than 45. Looping through `multi_opaque_rect->`numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) amazon-linux-ami-2-upgrade-freerdp amazon-linux-ami-2-upgrade-freerdp-debuginfo amazon-linux-ami-2-upgrade-freerdp-devel amazon-linux-ami-2-upgrade-freerdp-libs amazon-linux-ami-2-upgrade-libwinpr amazon-linux-ami-2-upgrade-libwinpr-devel References https://attackerkb.com/topics/cve-2023-39356 AL2/ALAS-2023-2269 CVE - 2023-39356

FreeBSD: VID-AAEA7B7C-4887-11EE-B164-001B217B3468 (CVE-2023-4018): Gitlab -- Vulnerabilities Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:P/A:N) Published 08/31/2023 Created 09/05/2023 Added 09/01/2023 Modified 01/28/2025 Description An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to create model experiments in public projects. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2023-4018

FreeBSD: VID-AAEA7B7C-4887-11EE-B164-001B217B3468 (CVE-2023-3915): Gitlab -- Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:M/C:C/I:C/A:C) Published 08/31/2023 Created 09/05/2023 Added 09/01/2023 Modified 01/28/2025 Description An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2023-3915

FreeBSD: VID-AAEA7B7C-4887-11EE-B164-001B217B3468 (CVE-2023-3950): Gitlab -- Vulnerabilities Severity 5 CVSS (AV:N/AC:L/Au:M/C:P/I:P/A:N) Published 08/31/2023 Created 09/05/2023 Added 09/01/2023 Modified 01/28/2025 Description An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2023-3950

Debian: CVE-2023-39354: freerdp2 -- security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 08/31/2023 Created 10/11/2023 Added 10/10/2023 Modified 01/28/2025 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the `nsc_rle_decompress_data` function. The Out-Of-Bounds Read occurs because it processes `context->Planes` withoutchecking if it contains data of sufficient length. Should an attacker be able to leverage this vulnerability they may be able to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) debian-upgrade-freerdp2 References https://attackerkb.com/topics/cve-2023-39354 CVE - 2023-39354 DLA-3606-1

FreeBSD: VID-AAEA7B7C-4887-11EE-B164-001B217B3468 (CVE-2022-4343): Gitlab -- Vulnerabilities Severity 4 CVSS (AV:N/AC:L/Au:S/C:P/I:N/A:N) Published 08/31/2023 Created 09/05/2023 Added 09/01/2023 Modified 01/28/2025 Description An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which a project member can leak credentials stored in site profile. Solution(s) freebsd-upgrade-package-gitlab-ce References CVE-2022-4343

Red Hat: CVE-2023-39350: freerdp: Incorrect offset calculation leading to DOS (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 08/31/2023 Created 05/01/2024 Added 05/01/2024 Modified 09/03/2024 Description FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. This issue affects Clients only. Integer underflow leading to DOS (e.g. abort due to `WINPR_ASSERT` with default compilation flags). When an insufficient blockLen is provided, and proper length validation is not performed, an Integer Underflow occurs, leading to a Denial of Service (DOS) vulnerability. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) redhat-upgrade-freerdp redhat-upgrade-freerdp-debuginfo redhat-upgrade-freerdp-debugsource redhat-upgrade-freerdp-devel redhat-upgrade-freerdp-libs redhat-upgrade-freerdp-libs-debuginfo redhat-upgrade-libwinpr redhat-upgrade-libwinpr-debuginfo redhat-upgrade-libwinpr-devel References CVE-2023-39350 RHSA-2024:2208