ISHACK AI BOT

SUSE: CVE-2023-37464: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 07/14/2023 Created 08/02/2023 Added 08/01/2023 Modified 01/28/2025 Description OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The specsays that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC). Solution(s) suse-upgrade-libcjose-devel suse-upgrade-libcjose0 References https://attackerkb.com/topics/cve-2023-37464 CVE - 2023-37464

Huawei EulerOS: CVE-2023-2483: kernel security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/17/2023 Created 07/18/2023 Added 07/18/2023 Modified 11/08/2023 Description Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-33203. Reason: This candidate is a reservation duplicate of CVE-2023-33203. Notes: All CVE users should reference CVE-2023-33203 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Solution(s) huawei-euleros-2_0_sp10-upgrade-kernel huawei-euleros-2_0_sp10-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp10-upgrade-kernel-tools huawei-euleros-2_0_sp10-upgrade-kernel-tools-libs huawei-euleros-2_0_sp10-upgrade-python3-perf References https://attackerkb.com/topics/cve-2023-2483 CVE - 2023-2483 EulerOS-SA-2023-2383

Red Hat: CVE-2023-38403: memory allocation hazard and crash (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/17/2023 Created 08/02/2023 Added 08/01/2023 Modified 01/28/2025 Description iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field. Solution(s) redhat-upgrade-iperf3 redhat-upgrade-iperf3-debuginfo redhat-upgrade-iperf3-debugsource redhat-upgrade-iperf3-devel References CVE-2023-38403 RHSA-2023:4326 RHSA-2023:4414 RHSA-2023:4431 RHSA-2023:4570 RHSA-2023:4571

Ubuntu: USN-7260-1 (CVE-2023-37476): OpenRefine vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/17/2023 Created 02/12/2025 Added 02/11/2025 Modified 02/11/2025 Description OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible. Users unable to upgrade should only import OpenRefine projects from trusted sources. Solution(s) ubuntu-pro-upgrade-openrefine References https://attackerkb.com/topics/cve-2023-37476 CVE - 2023-37476 USN-7260-1

Ubuntu: (Multiple Advisories) (CVE-2023-38403): iperf3 vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/17/2023 Created 10/17/2023 Added 10/17/2023 Modified 01/28/2025 Description iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field. Solution(s) ubuntu-pro-upgrade-iperf3 ubuntu-pro-upgrade-libiperf0 References https://attackerkb.com/topics/cve-2023-38403 CVE - 2023-38403 USN-6431-1 USN-6431-2

VMware Photon OS: CVE-2023-38426 Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 07/17/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-38426 CVE - 2023-38426

VMware Photon OS: CVE-2023-38427 Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 07/17/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-38427 CVE - 2023-38427

Huawei EulerOS: CVE-2023-24593: glib2 security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/17/2023 Created 08/10/2023 Added 08/09/2023 Modified 07/16/2024 Description Rejected reason: Rejected by upstream. Solution(s) huawei-euleros-2_0_sp9-upgrade-glib2 References https://attackerkb.com/topics/cve-2023-24593 CVE - 2023-24593 EulerOS-SA-2023-2612

VMware Photon OS: CVE-2023-38432 Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 07/17/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-38432 CVE - 2023-38432

Debian: CVE-2023-3724: wolfssl -- security update Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C) Published 07/17/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a default predictable buffer gets used for the IKM (Input Keying Material) value when generating the session master secret. Using a potentially known IKM value when generating the session master secret key compromises the key generated, allowing an eavesdropper to reconstruct it and potentially allowing access to or meddling with message contents in the session. This issue does not affect client validation of connected servers, nor expose private key information, but could result in an insecure TLS 1.3 session when not controlling both sides of the connection. wolfSSL recommends that TLS 1.3 client side users update the version of wolfSSL used. Solution(s) debian-upgrade-wolfssl References https://attackerkb.com/topics/cve-2023-3724 CVE - 2023-3724

Amazon Linux 2023: CVE-2023-38559: Medium priority package update for ghostscript Severity 5 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:C) Published 07/17/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs. Solution(s) amazon-linux-2023-upgrade-ghostscript amazon-linux-2023-upgrade-ghostscript-debuginfo amazon-linux-2023-upgrade-ghostscript-debugsource amazon-linux-2023-upgrade-ghostscript-doc amazon-linux-2023-upgrade-ghostscript-gtk amazon-linux-2023-upgrade-ghostscript-gtk-debuginfo amazon-linux-2023-upgrade-ghostscript-tools-dvipdf amazon-linux-2023-upgrade-ghostscript-tools-fonts amazon-linux-2023-upgrade-ghostscript-tools-printing amazon-linux-2023-upgrade-ghostscript-x11 amazon-linux-2023-upgrade-ghostscript-x11-debuginfo amazon-linux-2023-upgrade-libgs amazon-linux-2023-upgrade-libgs-debuginfo amazon-linux-2023-upgrade-libgs-devel References https://attackerkb.com/topics/cve-2023-38559 CVE - 2023-38559 https://alas.aws.amazon.com/AL2023/ALAS-2023-296.html

CentOS Linux: CVE-2023-38409: Important: kernel security and bug fix update (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/17/2023 Created 01/27/2024 Added 01/26/2024 Modified 01/28/2025 Description An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info). Solution(s) centos-upgrade-kernel centos-upgrade-kernel-rt References CVE-2023-38409

CentOS Linux: CVE-2023-38403: Important: iperf3 security update (CESA-2023:4326) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/17/2023 Created 08/02/2023 Added 08/01/2023 Modified 01/28/2025 Description iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field. Solution(s) centos-upgrade-iperf3 centos-upgrade-iperf3-debuginfo centos-upgrade-iperf3-devel References CVE-2023-38403

Debian: CVE-2023-37476: openrefine -- security update Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 07/17/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all versions of OpenRefine up to and including 3.7.3. Users should update to OpenRefine 3.7.4 as soon as possible. Users unable to upgrade should only import OpenRefine projects from trusted sources. Solution(s) debian-upgrade-openrefine References https://attackerkb.com/topics/cve-2023-37476 CVE - 2023-37476

Debian: CVE-2023-38403: iperf3 -- security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/17/2023 Created 07/25/2023 Added 07/24/2023 Modified 01/28/2025 Description iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field. Solution(s) debian-upgrade-iperf3 References https://attackerkb.com/topics/cve-2023-38403 CVE - 2023-38403 DSA-5455-1

Debian: CVE-2023-38409: linux -- security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/17/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info). Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-38409 CVE - 2023-38409

Huawei EulerOS: CVE-2023-25180: glib2 security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/17/2023 Created 07/18/2023 Added 07/18/2023 Modified 05/17/2024 Description Rejected reason: Rejected by upstream. Solution(s) huawei-euleros-2_0_sp10-upgrade-glib2 References https://attackerkb.com/topics/cve-2023-25180 CVE - 2023-25180 EulerOS-SA-2023-2381

SUSE: CVE-2023-38403: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/17/2023 Created 07/27/2023 Added 07/27/2023 Modified 01/28/2025 Description iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field. Solution(s) suse-upgrade-iperf suse-upgrade-iperf-devel suse-upgrade-libiperf0 References https://attackerkb.com/topics/cve-2023-38403 CVE - 2023-38403

Huawei EulerOS: CVE-2023-24593: glib2 security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/17/2023 Created 07/18/2023 Added 07/18/2023 Modified 05/28/2024 Description Rejected reason: Rejected by upstream. Solution(s) huawei-euleros-2_0_sp10-upgrade-glib2 References https://attackerkb.com/topics/cve-2023-24593 CVE - 2023-24593 EulerOS-SA-2023-2381

SUSE: CVE-2023-38409: SUSE Linux Security Advisory Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/17/2023 Created 08/15/2023 Added 08/15/2023 Modified 01/28/2025 Description An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info). Solution(s) suse-upgrade-cluster-md-kmp-64kb suse-upgrade-cluster-md-kmp-azure suse-upgrade-cluster-md-kmp-default suse-upgrade-cluster-md-kmp-rt suse-upgrade-dlm-kmp-64kb suse-upgrade-dlm-kmp-azure suse-upgrade-dlm-kmp-default suse-upgrade-dlm-kmp-rt suse-upgrade-dtb-allwinner suse-upgrade-dtb-altera suse-upgrade-dtb-amazon suse-upgrade-dtb-amd suse-upgrade-dtb-amlogic suse-upgrade-dtb-apm suse-upgrade-dtb-apple suse-upgrade-dtb-arm suse-upgrade-dtb-broadcom suse-upgrade-dtb-cavium suse-upgrade-dtb-exynos suse-upgrade-dtb-freescale suse-upgrade-dtb-hisilicon suse-upgrade-dtb-lg suse-upgrade-dtb-marvell suse-upgrade-dtb-mediatek suse-upgrade-dtb-nvidia suse-upgrade-dtb-qcom suse-upgrade-dtb-renesas suse-upgrade-dtb-rockchip suse-upgrade-dtb-socionext suse-upgrade-dtb-sprd suse-upgrade-dtb-xilinx suse-upgrade-gfs2-kmp-64kb suse-upgrade-gfs2-kmp-azure suse-upgrade-gfs2-kmp-default suse-upgrade-gfs2-kmp-rt suse-upgrade-kernel-64kb suse-upgrade-kernel-64kb-devel suse-upgrade-kernel-64kb-extra suse-upgrade-kernel-64kb-livepatch-devel suse-upgrade-kernel-64kb-optional suse-upgrade-kernel-azure suse-upgrade-kernel-azure-devel suse-upgrade-kernel-azure-extra suse-upgrade-kernel-azure-livepatch-devel suse-upgrade-kernel-azure-optional suse-upgrade-kernel-azure-vdso suse-upgrade-kernel-debug suse-upgrade-kernel-debug-devel suse-upgrade-kernel-debug-livepatch-devel suse-upgrade-kernel-debug-vdso suse-upgrade-kernel-default suse-upgrade-kernel-default-base suse-upgrade-kernel-default-base-rebuild suse-upgrade-kernel-default-devel suse-upgrade-kernel-default-extra suse-upgrade-kernel-default-livepatch suse-upgrade-kernel-default-livepatch-devel suse-upgrade-kernel-default-optional suse-upgrade-kernel-default-vdso suse-upgrade-kernel-devel suse-upgrade-kernel-devel-azure suse-upgrade-kernel-devel-rt suse-upgrade-kernel-docs suse-upgrade-kernel-docs-html suse-upgrade-kernel-kvmsmall suse-upgrade-kernel-kvmsmall-devel suse-upgrade-kernel-kvmsmall-livepatch-devel suse-upgrade-kernel-kvmsmall-vdso suse-upgrade-kernel-macros suse-upgrade-kernel-obs-build suse-upgrade-kernel-obs-qa suse-upgrade-kernel-rt suse-upgrade-kernel-rt-devel suse-upgrade-kernel-rt-extra suse-upgrade-kernel-rt-livepatch suse-upgrade-kernel-rt-livepatch-devel suse-upgrade-kernel-rt-optional suse-upgrade-kernel-rt-vdso suse-upgrade-kernel-rt_debug suse-upgrade-kernel-rt_debug-devel suse-upgrade-kernel-rt_debug-livepatch-devel suse-upgrade-kernel-rt_debug-vdso suse-upgrade-kernel-source suse-upgrade-kernel-source-azure suse-upgrade-kernel-source-rt suse-upgrade-kernel-source-vanilla suse-upgrade-kernel-syms suse-upgrade-kernel-syms-azure suse-upgrade-kernel-syms-rt suse-upgrade-kernel-zfcpdump suse-upgrade-kselftests-kmp-64kb suse-upgrade-kselftests-kmp-azure suse-upgrade-kselftests-kmp-default suse-upgrade-kselftests-kmp-rt suse-upgrade-ocfs2-kmp-64kb suse-upgrade-ocfs2-kmp-azure suse-upgrade-ocfs2-kmp-default suse-upgrade-ocfs2-kmp-rt suse-upgrade-reiserfs-kmp-64kb suse-upgrade-reiserfs-kmp-azure suse-upgrade-reiserfs-kmp-default suse-upgrade-reiserfs-kmp-rt References https://attackerkb.com/topics/cve-2023-38409 CVE - 2023-38409

FreeBSD: VID-DDD3FCC9-2BDD-11EE-9AF4-589CFC0F81B0: phpmyfaq -- multiple vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/16/2023 Created 08/26/2023 Added 08/24/2023 Modified 08/24/2023 Description phpmyfaq developers report: Cross Site Scripting vulnerability CSV injection vulnerability Solution(s) freebsd-upgrade-package-phpmyfaq-php80 freebsd-upgrade-package-phpmyfaq-php81 freebsd-upgrade-package-phpmyfaq-php82 freebsd-upgrade-package-phpmyfaq-php83

Debian: CVE-2021-31294: redis -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 07/15/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this. Solution(s) debian-upgrade-redis References https://attackerkb.com/topics/cve-2021-31294 CVE - 2021-31294

APSB23-41: Security updates available for Adobe ColdFusion | APSB23-41 (CVE-2023-38203) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 07/14/2023 Created 07/17/2023 Added 07/17/2023 Modified 01/28/2025 Description Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. Solution(s) adobe-coldfusion-2018-release-update-18 adobe-coldfusion-2021-release-update-8 adobe-coldfusion-2023-release-update-2 References https://attackerkb.com/topics/cve-2023-38203 CVE - 2023-38203 https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html

Amazon Linux 2023: CVE-2023-3648: Medium priority package update for wireshark Severity 5 CVSS (AV:L/AC:L/Au:N/C:P/I:P/A:P) Published 07/14/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Kafka dissector crash in Wireshark 4.0.0 to 4.0.6 and 3.6.0 to 3.6.14 allows denial of service via packet injection or crafted capture file Solution(s) amazon-linux-2023-upgrade-wireshark-cli amazon-linux-2023-upgrade-wireshark-cli-debuginfo amazon-linux-2023-upgrade-wireshark-debugsource amazon-linux-2023-upgrade-wireshark-devel References https://attackerkb.com/topics/cve-2023-3648 CVE - 2023-3648 https://alas.aws.amazon.com/AL2023/ALAS-2023-277.html

Amazon Linux 2023: CVE-2023-3649: Medium priority package update for wireshark Severity 5 CVSS (AV:L/AC:L/Au:N/C:P/I:P/A:P) Published 07/14/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description iSCSI dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file Solution(s) amazon-linux-2023-upgrade-wireshark-cli amazon-linux-2023-upgrade-wireshark-cli-debuginfo amazon-linux-2023-upgrade-wireshark-debugsource amazon-linux-2023-upgrade-wireshark-devel References https://attackerkb.com/topics/cve-2023-3649 CVE - 2023-3649 https://alas.aws.amazon.com/AL2023/ALAS-2023-277.html