ISHACK AI BOT

OS X update for Maps (CVE-2022-46707) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/02/2023 Created 08/02/2023 Added 08/02/2023 Modified 08/03/2023 Description Deprecated Solution(s)

Huawei EulerOS: CVE-2023-4016: procps-ng security update Severity 2 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:P) Published 08/02/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap. Solution(s) huawei-euleros-2_0_sp11-upgrade-procps-ng huawei-euleros-2_0_sp11-upgrade-procps-ng-i18n References https://attackerkb.com/topics/cve-2023-4016 CVE - 2023-4016 EulerOS-SA-2023-3041

Huawei EulerOS: CVE-2023-4016: procps-ng security update Severity 2 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:P) Published 08/02/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap. Solution(s) huawei-euleros-2_0_sp10-upgrade-procps-ng huawei-euleros-2_0_sp10-upgrade-procps-ng-i18n References https://attackerkb.com/topics/cve-2023-4016 CVE - 2023-4016 EulerOS-SA-2023-3226

Huawei EulerOS: CVE-2023-29409: golang security update Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:P) Published 08/02/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. Solution(s) huawei-euleros-2_0_sp10-upgrade-golang huawei-euleros-2_0_sp10-upgrade-golang-devel huawei-euleros-2_0_sp10-upgrade-golang-help References https://attackerkb.com/topics/cve-2023-29409 CVE - 2023-29409 EulerOS-SA-2023-3213

CentOS Linux: CVE-2023-3978: Moderate: podman security, bug fix, and enhancement update (Multiple Advisories) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 08/02/2023 Created 11/09/2023 Added 11/08/2023 Modified 01/28/2025 Description Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. Solution(s) centos-upgrade-aardvark-dns centos-upgrade-buildah centos-upgrade-buildah-debuginfo centos-upgrade-buildah-debugsource centos-upgrade-buildah-tests centos-upgrade-buildah-tests-debuginfo centos-upgrade-cockpit-podman centos-upgrade-conmon centos-upgrade-conmon-debuginfo centos-upgrade-conmon-debugsource centos-upgrade-container-selinux centos-upgrade-containernetworking-plugins centos-upgrade-containernetworking-plugins-debuginfo centos-upgrade-containernetworking-plugins-debugsource centos-upgrade-containers-common centos-upgrade-crit centos-upgrade-criu centos-upgrade-criu-debuginfo centos-upgrade-criu-debugsource centos-upgrade-criu-devel centos-upgrade-criu-libs centos-upgrade-criu-libs-debuginfo centos-upgrade-crun centos-upgrade-crun-debuginfo centos-upgrade-crun-debugsource centos-upgrade-fuse-overlayfs centos-upgrade-fuse-overlayfs-debuginfo centos-upgrade-fuse-overlayfs-debugsource centos-upgrade-libslirp centos-upgrade-libslirp-debuginfo centos-upgrade-libslirp-debugsource centos-upgrade-libslirp-devel centos-upgrade-netavark centos-upgrade-oci-seccomp-bpf-hook centos-upgrade-oci-seccomp-bpf-hook-debuginfo centos-upgrade-oci-seccomp-bpf-hook-debugsource centos-upgrade-podman centos-upgrade-podman-catatonit centos-upgrade-podman-catatonit-debuginfo centos-upgrade-podman-debuginfo centos-upgrade-podman-debugsource centos-upgrade-podman-docker centos-upgrade-podman-gvproxy centos-upgrade-podman-gvproxy-debuginfo centos-upgrade-podman-plugins centos-upgrade-podman-plugins-debuginfo centos-upgrade-podman-remote centos-upgrade-podman-remote-debuginfo centos-upgrade-podman-tests centos-upgrade-python3-criu centos-upgrade-python3-podman centos-upgrade-runc centos-upgrade-runc-debuginfo centos-upgrade-runc-debugsource centos-upgrade-skopeo centos-upgrade-skopeo-debuginfo centos-upgrade-skopeo-debugsource centos-upgrade-skopeo-tests centos-upgrade-slirp4netns centos-upgrade-slirp4netns-debuginfo centos-upgrade-slirp4netns-debugsource centos-upgrade-toolbox centos-upgrade-toolbox-debuginfo centos-upgrade-toolbox-debugsource centos-upgrade-toolbox-tests centos-upgrade-udica References CVE-2023-3978

Rocky Linux: CVE-2023-29409: go-toolset-and-golang (RLSA-2023-5738) Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:P) Published 08/02/2023 Created 03/07/2024 Added 03/05/2024 Modified 01/28/2025 Description Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. Solution(s) rocky-upgrade-go-toolset rocky-upgrade-golang rocky-upgrade-golang-bin References https://attackerkb.com/topics/cve-2023-29409 CVE - 2023-29409 https://errata.rockylinux.org/RLSA-2023:5738

F5 Networks: CVE-2023-3470: K000135449: BIG-IP FIPS HSM password vulnerability CVE-2023-3470 Severity 7 CVSS (AV:L/AC:L/Au:N/C:C/I:C/A:N) Published 08/02/2023 Created 12/09/2023 Added 12/08/2023 Modified 01/28/2025 Description Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. The predictable nature of the password allows an authenticated user with TMSH access to the BIG-IP system, or anyone with physical access to the FIPS HSM, the information required to generate the correct password. On vCMP systems, all Guests share the same deterministic password, allowing those with TMSH access on one Guest to access keys of a different Guest. The following BIG-IP hardware platforms are affected: 10350v-F, i5820-DF, i7820-DF, i15820-DF, 5250v-F, 7200v-F, 10200v-F, 6900-F, 8900-F, 11000-F, and 11050-F. The BIG-IP rSeries r5920-DF and r10920-DF are not affected, nor does the issue affect software FIPS implementations or network HSM configurations. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Solution(s) f5-big-ip-upgrade-latest References https://attackerkb.com/topics/cve-2023-3470 CVE - 2023-3470 https://my.f5.com/manage/s/article/K000135449

Red Hat: CVE-2023-3978: golang.org/x/net/html: Cross site scripting (Multiple Advisories) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 08/02/2023 Created 11/09/2023 Added 11/08/2023 Modified 01/28/2025 Description Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. Solution(s) redhat-upgrade-aardvark-dns redhat-upgrade-buildah redhat-upgrade-buildah-debuginfo redhat-upgrade-buildah-debugsource redhat-upgrade-buildah-tests redhat-upgrade-buildah-tests-debuginfo redhat-upgrade-cockpit-podman redhat-upgrade-conmon redhat-upgrade-conmon-debuginfo redhat-upgrade-conmon-debugsource redhat-upgrade-container-selinux redhat-upgrade-containernetworking-plugins redhat-upgrade-containernetworking-plugins-debuginfo redhat-upgrade-containernetworking-plugins-debugsource redhat-upgrade-containers-common redhat-upgrade-crit redhat-upgrade-criu redhat-upgrade-criu-debuginfo redhat-upgrade-criu-debugsource redhat-upgrade-criu-devel redhat-upgrade-criu-libs redhat-upgrade-criu-libs-debuginfo redhat-upgrade-crun redhat-upgrade-crun-debuginfo redhat-upgrade-crun-debugsource redhat-upgrade-fuse-overlayfs redhat-upgrade-fuse-overlayfs-debuginfo redhat-upgrade-fuse-overlayfs-debugsource redhat-upgrade-libslirp redhat-upgrade-libslirp-debuginfo redhat-upgrade-libslirp-debugsource redhat-upgrade-libslirp-devel redhat-upgrade-netavark redhat-upgrade-oci-seccomp-bpf-hook redhat-upgrade-oci-seccomp-bpf-hook-debuginfo redhat-upgrade-oci-seccomp-bpf-hook-debugsource redhat-upgrade-podman redhat-upgrade-podman-catatonit redhat-upgrade-podman-catatonit-debuginfo redhat-upgrade-podman-debuginfo redhat-upgrade-podman-debugsource redhat-upgrade-podman-docker redhat-upgrade-podman-gvproxy redhat-upgrade-podman-gvproxy-debuginfo redhat-upgrade-podman-plugins redhat-upgrade-podman-plugins-debuginfo redhat-upgrade-podman-remote redhat-upgrade-podman-remote-debuginfo redhat-upgrade-podman-tests redhat-upgrade-python3-criu redhat-upgrade-python3-podman redhat-upgrade-runc redhat-upgrade-runc-debuginfo redhat-upgrade-runc-debugsource redhat-upgrade-skopeo redhat-upgrade-skopeo-debuginfo redhat-upgrade-skopeo-debugsource redhat-upgrade-skopeo-tests redhat-upgrade-slirp4netns redhat-upgrade-slirp4netns-debuginfo redhat-upgrade-slirp4netns-debugsource redhat-upgrade-toolbox redhat-upgrade-toolbox-debuginfo redhat-upgrade-toolbox-debugsource redhat-upgrade-toolbox-tests redhat-upgrade-udica References CVE-2023-3978 RHSA-2023:6474 RHSA-2023:6938 RHSA-2023:6939

OS X update for ImageIO (CVE-2023-27939) Severity 5 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N) Published 08/02/2023 Created 08/02/2023 Added 08/02/2023 Modified 01/28/2025 Description An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Ventura 13.3. Processing an image may result in disclosure of process memory. Solution(s) apple-osx-upgrade-13_3 References https://attackerkb.com/topics/cve-2023-27939 CVE - 2023-27939 https://support.apple.com/kb/HT213670

CentOS Linux: CVE-2022-40609: Important: java-1.8.0-ibm security update (CESA-2023:4160) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 08/02/2023 Created 08/09/2023 Added 08/08/2023 Modified 01/28/2025 Description IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.IBM X-Force ID:236069. Solution(s) centos-upgrade-java-1-8-0-ibm centos-upgrade-java-1-8-0-ibm-demo centos-upgrade-java-1-8-0-ibm-devel centos-upgrade-java-1-8-0-ibm-jdbc centos-upgrade-java-1-8-0-ibm-plugin centos-upgrade-java-1-8-0-ibm-src References CVE-2022-40609

Gentoo Linux: CVE-2023-3732: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 08/01/2023 Created 02/02/2024 Added 02/01/2024 Modified 01/28/2025 Description Out of bounds memory access in Mojo in Google Chrome prior to 115.0.5790.98 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-3732 CVE - 2023-3732 202401-34

Gentoo Linux: CVE-2023-4056: Mozilla Thunderbird: Multiple Vulnerabilities Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 08/01/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and Thunderbird 102.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-4056 CVE - 2023-4056 202402-25

Gentoo Linux: CVE-2023-4055: Mozilla Thunderbird: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 08/01/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description When the number of cookies per domain was exceeded in `document.cookie`, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-4055 CVE - 2023-4055 202402-25

Gentoo Linux: CVE-2023-4048: Mozilla Thunderbird: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 08/01/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description An out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-4048 CVE - 2023-4048 202402-25

Gentoo Linux: CVE-2023-4053: Mozilla Thunderbird: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 08/01/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description A website could have obscured the full screen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-4053 CVE - 2023-4053 202402-25

Gentoo Linux: CVE-2023-4046: Mozilla Thunderbird: Multiple Vulnerabilities Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:P) Published 08/01/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-4046 CVE - 2023-4046 202402-25

Gentoo Linux: CVE-2023-3727: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 08/01/2023 Created 02/02/2024 Added 02/01/2024 Modified 01/28/2025 Description Use after free in WebRTC in Google Chrome prior to 115.0.5790.98 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-3727 CVE - 2023-3727 202401-34

Gentoo Linux: CVE-2023-3738: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 08/01/2023 Created 02/02/2024 Added 02/01/2024 Modified 01/28/2025 Description Inappropriate implementation in Autofill in Google Chrome prior to 115.0.5790.98 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium) Solution(s) gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-3738 CVE - 2023-3738 202401-34

Gentoo Linux: CVE-2023-3735: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 08/01/2023 Created 02/02/2024 Added 02/01/2024 Modified 01/28/2025 Description Inappropriate implementation in Web API Permission Prompts in Google Chrome prior to 115.0.5790.98 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium) Solution(s) gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-3735 CVE - 2023-3735 202401-34

Gentoo Linux: CVE-2023-4047: Mozilla Thunderbird: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 08/01/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-4047 CVE - 2023-4047 202402-25

SUSE: CVE-2023-4054: SUSE Linux Security Advisory Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:C/A:N) Published 08/01/2023 Created 08/03/2023 Added 08/03/2023 Modified 01/28/2025 Description When opening appref-ms files, Firefox did not warn the user that these files may contain malicious code. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116, Firefox ESR < 102.14, Firefox ESR < 115.1, Thunderbird < 102.14, and Thunderbird < 115.1. Solution(s) suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other References https://attackerkb.com/topics/cve-2023-4054 CVE - 2023-4054

Alpine Linux: CVE-2023-4053: Link Following Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 08/01/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description A website could have obscured the full screen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2023-4053 CVE - 2023-4053 https://security.alpinelinux.org/vuln/CVE-2023-4053

Alpine Linux: CVE-2023-4056: Out-of-bounds Write Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 08/01/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and Thunderbird 102.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2023-4056 CVE - 2023-4056 https://security.alpinelinux.org/vuln/CVE-2023-4056

Alpine Linux: CVE-2023-4054: Vulnerability in Multiple Components Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:C/A:N) Published 08/01/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description When opening appref-ms files, Firefox did not warn the user that these files may contain malicious code. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116, Firefox ESR < 102.14, Firefox ESR < 115.1, Thunderbird < 102.14, and Thunderbird < 115.1. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2023-4054 CVE - 2023-4054 https://security.alpinelinux.org/vuln/CVE-2023-4054

Alpine Linux: CVE-2023-4049: Race Condition Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 08/01/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Race conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2023-4049 CVE - 2023-4049 https://security.alpinelinux.org/vuln/CVE-2023-4049