ISHACK AI BOT

Alma Linux: CVE-2023-30590: Moderate: nodejs:18 security, bug fix, and enhancement update (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 07/31/2023 Created 08/03/2023 Added 08/03/2023 Modified 01/30/2025 Description The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad. Solution(s) alma-upgrade-nodejs alma-upgrade-nodejs-devel alma-upgrade-nodejs-docs alma-upgrade-nodejs-full-i18n alma-upgrade-nodejs-libs alma-upgrade-nodejs-nodemon alma-upgrade-nodejs-packaging alma-upgrade-nodejs-packaging-bundler alma-upgrade-npm References https://attackerkb.com/topics/cve-2023-30590 CVE - 2023-30590 https://errata.almalinux.org/8/ALSA-2023-4536.html https://errata.almalinux.org/8/ALSA-2023-4537.html https://errata.almalinux.org/9/ALSA-2023-4330.html https://errata.almalinux.org/9/ALSA-2023-4331.html

Google Chrome Vulnerability: CVE-2021-4321 Policy bypass in Blink Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 07/29/2023 Created 07/31/2023 Added 07/31/2023 Modified 01/28/2025 Description Policy bypass in Blink in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2021-4321 CVE - 2021-4321 https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html https://crbug.com/1161891

Google Chrome Vulnerability: CVE-2021-4320 Use after free in Blink Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/29/2023 Created 07/31/2023 Added 07/31/2023 Modified 01/28/2025 Description Use after free in Blink in Google Chrome prior to 92.0.4515.107 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2021-4320 CVE - 2021-4320 https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop_20.html https://crbug.com/1224238

Google Chrome Vulnerability: CVE-2023-2314 Insufficient data validation in DevTools Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 07/29/2023 Created 07/31/2023 Added 07/31/2023 Modified 01/28/2025 Description Insufficient data validation in DevTools in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2023-2314 CVE - 2023-2314 https://chromereleases.googleblog.com/2023/03/stable-channel-update-for-desktop.html https://crbug.com/813542

Google Chrome Vulnerability: CVE-2021-4319 Use after free in Blink Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/29/2023 Created 07/31/2023 Added 07/31/2023 Modified 01/28/2025 Description Use after free in Blink in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2021-4319 CVE - 2021-4319 https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html https://crbug.com/1214199

Debian: CVE-2022-4917: chromium -- security update Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 07/29/2023 Created 08/03/2023 Added 08/03/2023 Modified 01/28/2025 Description Incorrect security UI in Notifications in Google Chrome on Android prior to 103.0.5060.53 allowed a remote attacker to obscure the full screen notification via a crafted HTML page. (Chromium security severity: Low) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2022-4917 CVE - 2022-4917 DSA-5168-1

Debian: CVE-2022-4914: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/29/2023 Created 08/03/2023 Added 08/03/2023 Modified 01/28/2025 Description Heap buffer overflow in PrintPreview in Google Chrome prior to 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2022-4914 CVE - 2022-4914 DSA-5201-1

Debian: CVE-2022-4906: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/29/2023 Created 08/03/2023 Added 08/03/2023 Modified 01/28/2025 Description Inappropriate implementation in Blink in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2022-4906 CVE - 2022-4906 DSA-5293-1

Google Chrome Vulnerability: CVE-2021-4322 Use after free in DevTools Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/29/2023 Created 07/31/2023 Added 07/31/2023 Modified 01/28/2025 Description Use after free in DevTools in Google Chrome prior to 91.0.4472.77 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2021-4322 CVE - 2021-4322 https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html https://crbug.com/1190550

Google Chrome Vulnerability: CVE-2021-4323 Insufficient validation of untrusted input in Extensions Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 07/29/2023 Created 07/31/2023 Added 07/31/2023 Modified 01/28/2025 Description Insufficient validation of untrusted input in Extensions in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to access local files via a crafted Chrome Extension. (Chromium security severity: Medium) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2021-4323 CVE - 2021-4323 https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html https://crbug.com/1176031

Google Chrome Vulnerability: CVE-2021-4324 Insufficient policy enforcement in Google Update Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 07/29/2023 Created 07/31/2023 Added 07/31/2023 Modified 01/28/2025 Description Insufficient policy enforcement in Google Update in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to read arbitrary files via a malicious file. (Chromium security severity: Medium) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2021-4324 CVE - 2021-4324 https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_26.html https://crbug.com/1193233

Amazon Linux 2023: CVE-2023-4206: Important priority package update for kernel Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 07/29/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8. There are 3 CVEs for the use-after-free flaw found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. A local user could use any of these flaws to crash the system or potentially escalate their privileges on the system. Similar CVE-2023-4128 was rejected as a duplicate. Solution(s) amazon-linux-2023-upgrade-bpftool amazon-linux-2023-upgrade-bpftool-debuginfo amazon-linux-2023-upgrade-kernel amazon-linux-2023-upgrade-kernel-debuginfo amazon-linux-2023-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-2023-upgrade-kernel-debuginfo-common-x86-64 amazon-linux-2023-upgrade-kernel-devel amazon-linux-2023-upgrade-kernel-headers amazon-linux-2023-upgrade-kernel-libbpf amazon-linux-2023-upgrade-kernel-libbpf-devel amazon-linux-2023-upgrade-kernel-libbpf-static amazon-linux-2023-upgrade-kernel-livepatch-6-1-49-69-116 amazon-linux-2023-upgrade-kernel-tools amazon-linux-2023-upgrade-kernel-tools-debuginfo amazon-linux-2023-upgrade-kernel-tools-devel amazon-linux-2023-upgrade-perf amazon-linux-2023-upgrade-perf-debuginfo amazon-linux-2023-upgrade-python3-perf amazon-linux-2023-upgrade-python3-perf-debuginfo References https://attackerkb.com/topics/cve-2023-4206 CVE - 2023-4206 https://alas.aws.amazon.com/AL2023/ALAS-2023-330.html

Debian: CVE-2022-4913: chromium -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 07/29/2023 Created 08/03/2023 Added 08/03/2023 Modified 01/28/2025 Description Inappropriate implementation in Extensions in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who had compromised the renderer process to spoof extension storage via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2022-4913 CVE - 2022-4913 DSA-5223-1

Debian: CVE-2022-4912: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/29/2023 Created 08/03/2023 Added 08/03/2023 Modified 01/28/2025 Description Type Confusion in MathML in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2022-4912 CVE - 2022-4912 DSA-5223-1

Debian: CVE-2021-4323: chromium -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 07/29/2023 Created 08/03/2023 Added 08/03/2023 Modified 01/28/2025 Description Insufficient validation of untrusted input in Extensions in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to access local files via a crafted Chrome Extension. (Chromium security severity: Medium) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2021-4323 CVE - 2021-4323 DSA-4906-1

Debian: CVE-2021-4318: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/29/2023 Created 08/03/2023 Added 08/03/2023 Modified 01/28/2025 Description Object corruption in Blink in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2021-4318 CVE - 2021-4318 DSA-5046-1

Amazon Linux 2023: CVE-2023-4207: Important priority package update for kernel Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 07/29/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. There are 3 CVEs for the use-after-free flaw found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. A local user could use any of these flaws to crash the system or potentially escalate their privileges on the system. Similar CVE-2023-4128 was rejected as a duplicate. Solution(s) amazon-linux-2023-upgrade-bpftool amazon-linux-2023-upgrade-bpftool-debuginfo amazon-linux-2023-upgrade-kernel amazon-linux-2023-upgrade-kernel-debuginfo amazon-linux-2023-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-2023-upgrade-kernel-debuginfo-common-x86-64 amazon-linux-2023-upgrade-kernel-devel amazon-linux-2023-upgrade-kernel-headers amazon-linux-2023-upgrade-kernel-libbpf amazon-linux-2023-upgrade-kernel-libbpf-devel amazon-linux-2023-upgrade-kernel-libbpf-static amazon-linux-2023-upgrade-kernel-livepatch-6-1-49-69-116 amazon-linux-2023-upgrade-kernel-tools amazon-linux-2023-upgrade-kernel-tools-debuginfo amazon-linux-2023-upgrade-kernel-tools-devel amazon-linux-2023-upgrade-perf amazon-linux-2023-upgrade-perf-debuginfo amazon-linux-2023-upgrade-python3-perf amazon-linux-2023-upgrade-python3-perf-debuginfo References https://attackerkb.com/topics/cve-2023-4207 CVE - 2023-4207 https://alas.aws.amazon.com/AL2023/ALAS-2023-330.html

Oracle Linux: CVE-2023-4128: ELSA-2023-7077:kernel security, bug fix, and enhancement update (IMPORTANT) (Multiple Advisories) Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 07/29/2023 Created 11/18/2023 Added 11/16/2023 Modified 01/07/2025 Description This CVE ID has been rejected or withdrawn by its CVE Numbering Authority for the following reason: ** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208.Reason: This record is a duplicate of CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Notes: All CVE users should reference CVE-2023-4206, CVE-2023-4207, CVE-2023-4208 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage. This record is a duplicate of CVE-2023-4206, CVE-2023-4207, and CVE-2023-4208. Do not use this CVE record: CVE-2023-4128. Solution(s) oracle-linux-upgrade-kernel References https://attackerkb.com/topics/cve-2023-4128 CVE - 2023-4128 ELSA-2023-7077 ELSA-2023-7423 ELSA-2023-6583

Oracle Linux: CVE-2023-4206: ELSA-2023-12842: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories) Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 07/29/2023 Created 10/04/2023 Added 10/03/2023 Modified 01/23/2025 Description A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8. There are 3 CVEs for the use-after-free flaw found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. A local user could use any of these flaws to crash the system or potentially escalate their privileges on the system. Similar CVE-2023-4128 was rejected as a duplicate. Solution(s) oracle-linux-upgrade-kernel oracle-linux-upgrade-kernel-uek References https://attackerkb.com/topics/cve-2023-4206 CVE - 2023-4206 ELSA-2023-12842 ELSA-2023-7077 ELSA-2023-7423 ELSA-2023-6583

Debian: CVE-2023-2313: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/29/2023 Created 08/02/2023 Added 08/02/2023 Modified 01/28/2025 Description Inappropriate implementation in Sandbox in Google Chrome on Windows prior to 112.0.5615.49 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a malicious file. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2023-2313 CVE - 2023-2313 DSA-5386-1

Debian: CVE-2023-2314: chromium -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 07/29/2023 Created 08/02/2023 Added 08/02/2023 Modified 01/28/2025 Description Insufficient data validation in DevTools in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2023-2314 CVE - 2023-2314 DSA-5371-1

Debian: CVE-2023-2311: chromium -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 07/29/2023 Created 08/02/2023 Added 08/02/2023 Modified 01/28/2025 Description Insufficient policy enforcement in File System API in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Medium) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2023-2311 CVE - 2023-2311 DSA-5386-1

Debian: CVE-2022-4911: chromium -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 07/29/2023 Created 08/03/2023 Added 08/03/2023 Modified 01/28/2025 Description Insufficient data validation in DevTools in Google Chrome prior to 106.0.5249.62 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2022-4911 CVE - 2022-4911 DSA-5244-1

Debian: CVE-2022-4924: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/29/2023 Created 08/02/2023 Added 08/02/2023 Modified 01/28/2025 Description Use after free in WebRTC in Google Chrome prior to 97.0.4692.71 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2022-4924 CVE - 2022-4924 DSA-5046-1

Debian: CVE-2021-4320: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/29/2023 Created 08/03/2023 Added 08/03/2023 Modified 01/28/2025 Description Use after free in Blink in Google Chrome prior to 92.0.4515.107 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2021-4320 CVE - 2021-4320 DSA-5046-1