ISHACK AI BOT

Ubuntu: (Multiple Advisories) (CVE-2023-2640): Linux kernel (OEM) vulnerabilities Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 07/25/2023 Created 07/26/2023 Added 07/26/2023 Modified 01/30/2025 Description On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks. Solution(s) ubuntu-upgrade-linux-image-5-19-0-1029-aws ubuntu-upgrade-linux-image-5-19-0-1030-gcp ubuntu-upgrade-linux-image-5-19-0-50-generic ubuntu-upgrade-linux-image-5-19-0-50-generic-64k ubuntu-upgrade-linux-image-5-19-0-50-generic-lpae ubuntu-upgrade-linux-image-6-0-0-1020-oem ubuntu-upgrade-linux-image-6-1-0-1019-oem ubuntu-upgrade-linux-image-6-2-0-1006-ibm ubuntu-upgrade-linux-image-6-2-0-1008-aws ubuntu-upgrade-linux-image-6-2-0-1008-azure ubuntu-upgrade-linux-image-6-2-0-1008-oracle ubuntu-upgrade-linux-image-6-2-0-1009-kvm ubuntu-upgrade-linux-image-6-2-0-1009-lowlatency ubuntu-upgrade-linux-image-6-2-0-1009-lowlatency-64k ubuntu-upgrade-linux-image-6-2-0-1009-raspi ubuntu-upgrade-linux-image-6-2-0-1010-gcp ubuntu-upgrade-linux-image-6-2-0-26-generic ubuntu-upgrade-linux-image-6-2-0-26-generic-64k ubuntu-upgrade-linux-image-6-2-0-26-generic-lpae ubuntu-upgrade-linux-image-aws ubuntu-upgrade-linux-image-azure ubuntu-upgrade-linux-image-gcp ubuntu-upgrade-linux-image-generic ubuntu-upgrade-linux-image-generic-64k ubuntu-upgrade-linux-image-generic-64k-hwe-22-04 ubuntu-upgrade-linux-image-generic-hwe-22-04 ubuntu-upgrade-linux-image-generic-lpae ubuntu-upgrade-linux-image-generic-lpae-hwe-22-04 ubuntu-upgrade-linux-image-ibm ubuntu-upgrade-linux-image-kvm ubuntu-upgrade-linux-image-lowlatency ubuntu-upgrade-linux-image-lowlatency-64k ubuntu-upgrade-linux-image-oem-22-04b ubuntu-upgrade-linux-image-oem-22-04c ubuntu-upgrade-linux-image-oracle ubuntu-upgrade-linux-image-raspi ubuntu-upgrade-linux-image-raspi-nolpae ubuntu-upgrade-linux-image-virtual ubuntu-upgrade-linux-image-virtual-hwe-22-04 References https://attackerkb.com/topics/cve-2023-2640 CVE - 2023-2640 USN-6248-1 USN-6250-1 USN-6260-1 USN-6285-1

Amazon Linux AMI 2: CVE-2023-39128: Security patch for gdb (ALAS-2024-2685) Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 07/25/2023 Created 11/05/2024 Added 11/04/2024 Modified 01/28/2025 Description GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a stack overflow via the function ada_decode at /gdb/ada-lang.c. Solution(s) amazon-linux-ami-2-upgrade-gdb amazon-linux-ami-2-upgrade-gdb-debuginfo amazon-linux-ami-2-upgrade-gdb-doc amazon-linux-ami-2-upgrade-gdb-gdbserver References https://attackerkb.com/topics/cve-2023-39128 AL2/ALAS-2024-2685 CVE - 2023-39128

Amazon Linux AMI 2: CVE-2023-37920: Security patch for ca-certificates (ALAS-2023-2224) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 07/25/2023 Created 09/08/2023 Added 09/08/2023 Modified 01/30/2025 Description Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. Solution(s) amazon-linux-ami-2-upgrade-ca-certificates References https://attackerkb.com/topics/cve-2023-37920 AL2/ALAS-2023-2224 CVE - 2023-37920

Amazon Linux AMI 2: CVE-2023-35943: Security patch for ecs-service-connect-agent (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/25/2023 Created 09/07/2023 Added 09/07/2023 Modified 01/28/2025 Description Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the `origin` header is removed and deleted between `decodeHeaders`and `encodeHeaders`. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, do not remove the `origin` header in the Envoy configuration. Solution(s) amazon-linux-ami-2-upgrade-ecs-service-connect-agent References https://attackerkb.com/topics/cve-2023-35943 AL2/ALASECS-2023-006 AL2/ALASECS-2023-007 CVE - 2023-35943

OS X update for libxpc (CVE-2023-38565) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 07/25/2023 Created 07/25/2023 Added 07/25/2023 Modified 01/28/2025 Description A path handling issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.6.8, iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5, watchOS 9.6. An app may be able to gain root privileges. Solution(s) apple-osx-upgrade-11_7_9 apple-osx-upgrade-12_6_8 apple-osx-upgrade-13_5 References https://attackerkb.com/topics/cve-2023-38565 CVE - 2023-38565 https://support.apple.com/kb/HT213843 https://support.apple.com/kb/HT213844 https://support.apple.com/kb/HT213845

Microsoft Edge Chromium: CVE-2023-3737 Inappropriate implementation in Notifications Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 07/25/2023 Created 07/25/2023 Added 07/25/2023 Modified 01/28/2025 Description Inappropriate implementation in Notifications in Google Chrome prior to 115.0.5790.98 allowed a remote attacker to spoof the contents of media notifications via a crafted HTML page. (Chromium security severity: Medium) Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2023-3737 CVE - 2023-3737 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-3737

Microsoft Edge Chromium: CVE-2023-3730 Use after free in Tab Groups Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/25/2023 Created 07/25/2023 Added 07/25/2023 Modified 01/28/2025 Description Use after free in Tab Groups in Google Chrome prior to 115.0.5790.98 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2023-3730 CVE - 2023-3730 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-3730

Microsoft Edge Chromium: CVE-2023-3734 Inappropriate implementation in Picture In Picture Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 07/25/2023 Created 07/25/2023 Added 07/25/2023 Modified 01/28/2025 Description Inappropriate implementation in Picture In Picture in Google Chrome prior to 115.0.5790.98 allowed a remote attacker to potentially spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium) Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2023-3734 CVE - 2023-3734 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-3734

Apple Safari security update for CVE-2023-38595 Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/25/2023 Created 07/25/2023 Added 07/25/2023 Modified 01/28/2025 Description The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, watchOS 9.6. Processing web content may lead to arbitrary code execution. Solution(s) apple-safari-upgrade-16_6 apple-safari-windows-uninstall References https://attackerkb.com/topics/cve-2023-38595 CVE - 2023-38595 http://support.apple.com/kb/HT213847

Debian: CVE-2023-3772: linux -- security update Severity 4 CVSS (AV:L/AC:L/Au:M/C:N/I:N/A:C) Published 07/25/2023 Created 10/11/2023 Added 10/10/2023 Modified 01/28/2025 Description A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-3772 CVE - 2023-3772 DSA-5492-1

Debian: CVE-2023-37329: gst-plugins-bad1.0 -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/25/2023 Created 07/25/2023 Added 07/25/2023 Modified 01/28/2025 Description GStreamer SRT File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of SRT subtitle files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20968. Solution(s) debian-upgrade-gst-plugins-bad1-0 References https://attackerkb.com/topics/cve-2023-37329 CVE - 2023-37329 DSA-5444-1

Debian: CVE-2023-3773: linux -- security update Severity 4 CVSS (AV:L/AC:L/Au:M/C:C/I:N/A:N) Published 07/25/2023 Created 10/11/2023 Added 10/10/2023 Modified 01/28/2025 Description A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-3773 CVE - 2023-3773 DSA-5492-1

Debian: CVE-2023-37328: gst-plugins-base1.0 -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/25/2023 Created 07/25/2023 Added 07/25/2023 Modified 01/28/2025 Description GStreamer PGS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of PGS subtitle files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. . Was ZDI-CAN-20994. Solution(s) debian-upgrade-gst-plugins-base1-0 References https://attackerkb.com/topics/cve-2023-37328 CVE - 2023-37328 DSA-5443-1

Ubuntu: (Multiple Advisories) (CVE-2023-3772): Linux kernel (OEM) vulnerabilities Severity 4 CVSS (AV:L/AC:L/Au:M/C:N/I:N/A:C) Published 07/25/2023 Created 10/06/2023 Added 10/06/2023 Modified 01/28/2025 Description A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. Solution(s) ubuntu-upgrade-linux-image-4-15-0-1125-oracle ubuntu-upgrade-linux-image-4-15-0-1146-kvm ubuntu-upgrade-linux-image-4-15-0-1156-gcp ubuntu-upgrade-linux-image-4-15-0-1162-aws ubuntu-upgrade-linux-image-4-15-0-1171-azure ubuntu-upgrade-linux-image-4-15-0-219-generic ubuntu-upgrade-linux-image-4-15-0-219-lowlatency ubuntu-upgrade-linux-image-4-4-0-1124-aws ubuntu-upgrade-linux-image-4-4-0-1125-kvm ubuntu-upgrade-linux-image-4-4-0-1162-aws ubuntu-upgrade-linux-image-4-4-0-246-generic ubuntu-upgrade-linux-image-4-4-0-246-lowlatency ubuntu-upgrade-linux-image-5-15-0-1032-gkeop ubuntu-upgrade-linux-image-5-15-0-1040-nvidia ubuntu-upgrade-linux-image-5-15-0-1040-nvidia-lowlatency ubuntu-upgrade-linux-image-5-15-0-1042-ibm ubuntu-upgrade-linux-image-5-15-0-1042-raspi ubuntu-upgrade-linux-image-5-15-0-1045-intel-iotg ubuntu-upgrade-linux-image-5-15-0-1046-gcp ubuntu-upgrade-linux-image-5-15-0-1046-gke ubuntu-upgrade-linux-image-5-15-0-1046-kvm ubuntu-upgrade-linux-image-5-15-0-1047-oracle ubuntu-upgrade-linux-image-5-15-0-1049-aws ubuntu-upgrade-linux-image-5-15-0-1051-azure ubuntu-upgrade-linux-image-5-15-0-1051-azure-fde ubuntu-upgrade-linux-image-5-15-0-88-generic ubuntu-upgrade-linux-image-5-15-0-88-generic-64k ubuntu-upgrade-linux-image-5-15-0-88-generic-lpae ubuntu-upgrade-linux-image-5-15-0-88-lowlatency ubuntu-upgrade-linux-image-5-15-0-88-lowlatency-64k ubuntu-upgrade-linux-image-5-4-0-1025-iot ubuntu-upgrade-linux-image-5-4-0-1033-xilinx-zynqmp ubuntu-upgrade-linux-image-5-4-0-1060-ibm ubuntu-upgrade-linux-image-5-4-0-1074-bluefield ubuntu-upgrade-linux-image-5-4-0-1080-gkeop ubuntu-upgrade-linux-image-5-4-0-1097-raspi ubuntu-upgrade-linux-image-5-4-0-1102-kvm ubuntu-upgrade-linux-image-5-4-0-1112-oracle ubuntu-upgrade-linux-image-5-4-0-1113-aws ubuntu-upgrade-linux-image-5-4-0-1117-gcp ubuntu-upgrade-linux-image-5-4-0-1119-azure ubuntu-upgrade-linux-image-5-4-0-166-generic ubuntu-upgrade-linux-image-5-4-0-166-generic-lpae ubuntu-upgrade-linux-image-5-4-0-166-lowlatency ubuntu-upgrade-linux-image-6-1-0-1023-oem ubuntu-upgrade-linux-image-6-2-0-1008-starfive ubuntu-upgrade-linux-image-6-2-0-1009-starfive ubuntu-upgrade-linux-image-6-2-0-1011-nvidia ubuntu-upgrade-linux-image-6-2-0-1011-nvidia-64k ubuntu-upgrade-linux-image-6-2-0-1015-aws ubuntu-upgrade-linux-image-6-2-0-1015-oracle ubuntu-upgrade-linux-image-6-2-0-1016-azure ubuntu-upgrade-linux-image-6-2-0-1016-azure-fde ubuntu-upgrade-linux-image-6-2-0-1016-kvm ubuntu-upgrade-linux-image-6-2-0-1016-lowlatency ubuntu-upgrade-linux-image-6-2-0-1016-lowlatency-64k ubuntu-upgrade-linux-image-6-2-0-1016-raspi ubuntu-upgrade-linux-image-6-2-0-1018-gcp ubuntu-upgrade-linux-image-6-2-0-36-generic ubuntu-upgrade-linux-image-6-2-0-36-generic-64k ubuntu-upgrade-linux-image-6-2-0-36-generic-lpae ubuntu-upgrade-linux-image-aws ubuntu-upgrade-linux-image-aws-hwe ubuntu-upgrade-linux-image-aws-lts-18-04 ubuntu-upgrade-linux-image-aws-lts-20-04 ubuntu-upgrade-linux-image-aws-lts-22-04 ubuntu-upgrade-linux-image-azure ubuntu-upgrade-linux-image-azure-cvm ubuntu-upgrade-linux-image-azure-fde ubuntu-upgrade-linux-image-azure-fde-lts-22-04 ubuntu-upgrade-linux-image-azure-lts-18-04 ubuntu-upgrade-linux-image-azure-lts-20-04 ubuntu-upgrade-linux-image-azure-lts-22-04 ubuntu-upgrade-linux-image-bluefield ubuntu-upgrade-linux-image-gcp ubuntu-upgrade-linux-image-gcp-lts-18-04 ubuntu-upgrade-linux-image-gcp-lts-20-04 ubuntu-upgrade-linux-image-gcp-lts-22-04 ubuntu-upgrade-linux-image-generic ubuntu-upgrade-linux-image-generic-64k ubuntu-upgrade-linux-image-generic-64k-hwe-20-04 ubuntu-upgrade-linux-image-generic-64k-hwe-22-04 ubuntu-upgrade-linux-image-generic-hwe-16-04 ubuntu-upgrade-linux-image-generic-hwe-18-04 ubuntu-upgrade-linux-image-generic-hwe-20-04 ubuntu-upgrade-linux-image-generic-hwe-22-04 ubuntu-upgrade-linux-image-generic-lpae ubuntu-upgrade-linux-image-generic-lpae-hwe-20-04 ubuntu-upgrade-linux-image-generic-lpae-hwe-22-04 ubuntu-upgrade-linux-image-generic-lts-xenial ubuntu-upgrade-linux-image-gke ubuntu-upgrade-linux-image-gke-5-15 ubuntu-upgrade-linux-image-gkeop ubuntu-upgrade-linux-image-gkeop-5-15 ubuntu-upgrade-linux-image-gkeop-5-4 ubuntu-upgrade-linux-image-ibm ubuntu-upgrade-linux-image-ibm-lts-20-04 ubuntu-upgrade-linux-image-intel ubuntu-upgrade-linux-image-intel-iotg ubuntu-upgrade-linux-image-kvm ubuntu-upgrade-linux-image-lowlatency ubuntu-upgrade-linux-image-lowlatency-64k ubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04 ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04 ubuntu-upgrade-linux-image-lowlatency-hwe-16-04 ubuntu-upgrade-linux-image-lowlatency-hwe-18-04 ubuntu-upgrade-linux-image-lowlatency-hwe-20-04 ubuntu-upgrade-linux-image-lowlatency-hwe-22-04 ubuntu-upgrade-linux-image-lowlatency-lts-xenial ubuntu-upgrade-linux-image-nvidia ubuntu-upgrade-linux-image-nvidia-6-2 ubuntu-upgrade-linux-image-nvidia-64k-6-2 ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04 ubuntu-upgrade-linux-image-nvidia-hwe-22-04 ubuntu-upgrade-linux-image-nvidia-lowlatency ubuntu-upgrade-linux-image-oem ubuntu-upgrade-linux-image-oem-20-04 ubuntu-upgrade-linux-image-oem-20-04b ubuntu-upgrade-linux-image-oem-20-04c ubuntu-upgrade-linux-image-oem-20-04d ubuntu-upgrade-linux-image-oem-22-04a ubuntu-upgrade-linux-image-oem-22-04b ubuntu-upgrade-linux-image-oem-22-04c ubuntu-upgrade-linux-image-oem-osp1 ubuntu-upgrade-linux-image-oracle ubuntu-upgrade-linux-image-oracle-lts-18-04 ubuntu-upgrade-linux-image-oracle-lts-20-04 ubuntu-upgrade-linux-image-oracle-lts-22-04 ubuntu-upgrade-linux-image-raspi ubuntu-upgrade-linux-image-raspi-hwe-18-04 ubuntu-upgrade-linux-image-raspi-nolpae ubuntu-upgrade-linux-image-raspi2 ubuntu-upgrade-linux-image-snapdragon-hwe-18-04 ubuntu-upgrade-linux-image-starfive ubuntu-upgrade-linux-image-virtual ubuntu-upgrade-linux-image-virtual-hwe-16-04 ubuntu-upgrade-linux-image-virtual-hwe-18-04 ubuntu-upgrade-linux-image-virtual-hwe-20-04 ubuntu-upgrade-linux-image-virtual-hwe-22-04 ubuntu-upgrade-linux-image-virtual-lts-xenial ubuntu-upgrade-linux-image-xilinx-zynqmp References https://attackerkb.com/topics/cve-2023-3772 CVE - 2023-3772 USN-6415-1 USN-6439-1 USN-6439-2 USN-6440-1 USN-6440-2 USN-6440-3 USN-6462-1 USN-6462-2 USN-6464-1 USN-6465-1 USN-6465-2 USN-6465-3 USN-6466-1 USN-6516-1 USN-6520-1 View more

SUSE: CVE-2023-38496: SUSE Linux Security Advisory Severity 2 CVSS (AV:L/AC:M/Au:N/C:N/I:P/A:N) Published 07/25/2023 Created 08/20/2024 Added 08/19/2024 Modified 01/28/2025 Description Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1. Solution(s) suse-upgrade-apptainer suse-upgrade-apptainer-leap suse-upgrade-apptainer-sle15_5 suse-upgrade-apptainer-sle15_6 suse-upgrade-libsquashfuse0 suse-upgrade-squashfuse suse-upgrade-squashfuse-devel suse-upgrade-squashfuse-tools References https://attackerkb.com/topics/cve-2023-38496 CVE - 2023-38496

JetBrains TeamCity: CVE-2023-39174: A ReDoS attack was possible via integration with issue trackers (TW-82283) Severity 4 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:P) Published 07/25/2023 Created 10/22/2024 Added 10/15/2024 Modified 02/03/2025 Description In JetBrains TeamCity before 2023.05.2 a ReDoS attack was possible via integration with issue trackers Solution(s) jetbrains-teamcity-upgrade-latest References https://attackerkb.com/topics/cve-2023-39174 CVE - 2023-39174 https://www.jetbrains.com/privacy-security/issues-fixed/

Amazon Linux AMI 2: CVE-2023-35941: Security patch for ecs-service-connect-agent (Multiple Advisories) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 07/25/2023 Created 09/07/2023 Added 09/07/2023 Modified 01/30/2025 Description Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some rare scenarios in which HMAC payload can be always valid in OAuth2 filter's check. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, avoid wildcards/prefix domain wildcards in the host's domain configuration. Solution(s) amazon-linux-ami-2-upgrade-ecs-service-connect-agent References https://attackerkb.com/topics/cve-2023-35941 AL2/ALASECS-2023-006 AL2/ALASECS-2023-007 CVE - 2023-35941

Huawei EulerOS: CVE-2023-39129: gdb security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 07/25/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap use after free via the function add_pe_exported_sym() at /gdb/coff-pe-read.c. Solution(s) huawei-euleros-2_0_sp10-upgrade-gdb huawei-euleros-2_0_sp10-upgrade-gdb-headless huawei-euleros-2_0_sp10-upgrade-gdb-help References https://attackerkb.com/topics/cve-2023-39129 CVE - 2023-39129 EulerOS-SA-2024-1080

VMware Photon OS: CVE-2023-37920 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 07/25/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-37920 CVE - 2023-37920

Amazon Linux AMI 2: CVE-2023-3772: Security patch for kernel (Multiple Advisories) Severity 4 CVSS (AV:L/AC:L/Au:M/C:N/I:N/A:C) Published 07/25/2023 Created 10/06/2023 Added 10/06/2023 Modified 01/28/2025 Description A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. Solution(s) amazon-linux-ami-2-upgrade-bpftool amazon-linux-ami-2-upgrade-bpftool-debuginfo amazon-linux-ami-2-upgrade-kernel amazon-linux-ami-2-upgrade-kernel-debuginfo amazon-linux-ami-2-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-ami-2-upgrade-kernel-debuginfo-common-x86_64 amazon-linux-ami-2-upgrade-kernel-devel amazon-linux-ami-2-upgrade-kernel-headers amazon-linux-ami-2-upgrade-kernel-livepatch-4-14-326-245-539 amazon-linux-ami-2-upgrade-kernel-livepatch-5-15-128-80-144 amazon-linux-ami-2-upgrade-kernel-tools amazon-linux-ami-2-upgrade-kernel-tools-debuginfo amazon-linux-ami-2-upgrade-kernel-tools-devel amazon-linux-ami-2-upgrade-perf amazon-linux-ami-2-upgrade-perf-debuginfo amazon-linux-ami-2-upgrade-python-perf amazon-linux-ami-2-upgrade-python-perf-debuginfo References https://attackerkb.com/topics/cve-2023-3772 AL2/ALAS-2023-2264 AL2/ALASKERNEL-5.15-2023-026 AL2/ALASKERNEL-5.4-2023-053 CVE - 2023-3772

Huawei EulerOS: CVE-2023-39130: gdb security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 07/25/2023 Created 01/30/2024 Added 01/29/2024 Modified 01/28/2025 Description GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap buffer overflow via the function pe_as16() at /gdb/coff-pe-read.c. Solution(s) huawei-euleros-2_0_sp11-upgrade-gdb huawei-euleros-2_0_sp11-upgrade-gdb-headless huawei-euleros-2_0_sp11-upgrade-gdb-help References https://attackerkb.com/topics/cve-2023-39130 CVE - 2023-39130 EulerOS-SA-2024-1119

Huawei EulerOS: CVE-2023-39128: gdb security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 07/25/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a stack overflow via the function ada_decode at /gdb/ada-lang.c. Solution(s) huawei-euleros-2_0_sp11-upgrade-gdb huawei-euleros-2_0_sp11-upgrade-gdb-headless huawei-euleros-2_0_sp11-upgrade-gdb-help References https://attackerkb.com/topics/cve-2023-39128 CVE - 2023-39128 EulerOS-SA-2023-3268

Azul Zulu: CVE-2023-22044: Vulnerability in the Hotspot component Severity 4 CVSS (AV:N/AC:M/Au:N/C:P/I:N/A:N) Published 07/25/2023 Created 07/25/2023 Added 07/25/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u371-perf, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). Solution(s) azul-zulu-upgrade-latest References https://attackerkb.com/topics/cve-2023-22044 CVE - 2023-22044 https://www.azul.com/downloads/

Azul Zulu: CVE-2023-22049: Vulnerability in the Libraries component Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 07/25/2023 Created 07/25/2023 Added 07/25/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) azul-zulu-upgrade-latest References https://attackerkb.com/topics/cve-2023-22049 CVE - 2023-22049 https://www.azul.com/downloads/

Azul Zulu: CVE-2023-22006: Vulnerability in the Networking component Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:P/A:N) Published 07/25/2023 Created 07/25/2023 Added 07/25/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). Solution(s) azul-zulu-upgrade-latest References https://attackerkb.com/topics/cve-2023-22006 CVE - 2023-22006 https://www.azul.com/downloads/