ISHACK AI BOT

Alpine Linux: CVE-2023-30589: Vulnerability in Multiple Components Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 06/30/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20 Solution(s) alpine-linux-upgrade-openjdk17 References https://attackerkb.com/topics/cve-2023-30589 CVE - 2023-30589 https://security.alpinelinux.org/vuln/CVE-2023-30589

Alma Linux: CVE-2023-1206: Important: kernel security, bug fix, and enhancement update (ALSA-2023-7077) Severity 6 CVSS (AV:A/AC:L/Au:S/C:N/I:N/A:C) Published 06/30/2023 Created 11/29/2023 Added 11/28/2023 Modified 01/28/2025 Description A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%. Solution(s) alma-upgrade-bpftool alma-upgrade-kernel alma-upgrade-kernel-abi-stablelists alma-upgrade-kernel-core alma-upgrade-kernel-cross-headers alma-upgrade-kernel-debug alma-upgrade-kernel-debug-core alma-upgrade-kernel-debug-devel alma-upgrade-kernel-debug-modules alma-upgrade-kernel-debug-modules-extra alma-upgrade-kernel-devel alma-upgrade-kernel-doc alma-upgrade-kernel-headers alma-upgrade-kernel-modules alma-upgrade-kernel-modules-extra alma-upgrade-kernel-tools alma-upgrade-kernel-tools-libs alma-upgrade-kernel-tools-libs-devel alma-upgrade-kernel-zfcpdump alma-upgrade-kernel-zfcpdump-core alma-upgrade-kernel-zfcpdump-devel alma-upgrade-kernel-zfcpdump-modules alma-upgrade-kernel-zfcpdump-modules-extra alma-upgrade-perf alma-upgrade-python3-perf References https://attackerkb.com/topics/cve-2023-1206 CVE - 2023-1206 https://errata.almalinux.org/8/ALSA-2023-7077.html

Red Hat: CVE-2023-26966: Buffer Overflow in uv_encode() (Multiple Advisories) Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/29/2023 Created 11/09/2023 Added 11/08/2023 Modified 01/28/2025 Description libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian. Solution(s) redhat-upgrade-libtiff redhat-upgrade-libtiff-debuginfo redhat-upgrade-libtiff-debugsource redhat-upgrade-libtiff-devel redhat-upgrade-libtiff-tools redhat-upgrade-libtiff-tools-debuginfo References CVE-2023-26966 RHSA-2023:6575

Debian: CVE-2023-25433: tiff -- security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/29/2023 Created 08/02/2023 Added 08/02/2023 Modified 01/28/2025 Description libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV. Solution(s) debian-upgrade-tiff References https://attackerkb.com/topics/cve-2023-25433 CVE - 2023-25433 DLA-3513-1

Rocky Linux: CVE-2023-25433: libtiff (RLSA-2024-5079) Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/29/2023 Created 08/23/2024 Added 08/22/2024 Modified 01/28/2025 Description libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV. Solution(s) rocky-upgrade-libtiff rocky-upgrade-libtiff-debuginfo rocky-upgrade-libtiff-debugsource rocky-upgrade-libtiff-devel rocky-upgrade-libtiff-tools rocky-upgrade-libtiff-tools-debuginfo References https://attackerkb.com/topics/cve-2023-25433 CVE - 2023-25433 https://errata.rockylinux.org/RLSA-2024:5079

Huawei EulerOS: CVE-2023-36617: ruby security update Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:P) Published 06/29/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. Solution(s) huawei-euleros-2_0_sp10-upgrade-ruby huawei-euleros-2_0_sp10-upgrade-ruby-help huawei-euleros-2_0_sp10-upgrade-ruby-irb References https://attackerkb.com/topics/cve-2023-36617 CVE - 2023-36617 EulerOS-SA-2023-2824

Huawei EulerOS: CVE-2023-36617: ruby security update Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:P) Published 06/29/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. Solution(s) huawei-euleros-2_0_sp11-upgrade-ruby huawei-euleros-2_0_sp11-upgrade-ruby-help huawei-euleros-2_0_sp11-upgrade-ruby-irb References https://attackerkb.com/topics/cve-2023-36617 CVE - 2023-36617 EulerOS-SA-2023-2868

OS X update for WebKit (CVE-2023-32393) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/29/2023 Created 06/29/2023 Added 06/29/2023 Modified 01/28/2025 Description The issue was addressed with improved memory handling. This issue is fixed in watchOS 9.3, tvOS 16.3, macOS Ventura 13.2, iOS 16.3 and iPadOS 16.3. Processing web content may lead to arbitrary code execution. Solution(s) apple-osx-upgrade-13_2 References https://attackerkb.com/topics/cve-2023-32393 CVE - 2023-32393 https://support.apple.com/kb/HT213605

Zoom: CVE-2023-36539: Exposure of Sensitive Information Severity 5 CVSS (AV:N/AC:H/Au:S/C:C/I:N/A:N) Published 06/29/2023 Created 01/09/2025 Added 01/08/2025 Modified 01/08/2025 Description Exposure of information intended to be encrypted by some Zoom clients may lead to disclosure of sensitive information. Zoom encrypts in-meeting chat messages using a per-meeting key and then transmits these encrypted messages between user devices and Zoom using TLS encryption. In the affected products, a copy of each in-meeting chat message was also sent encrypted only using TLS and not with the per-meeting key, including messages sent during End-to-End Encrypted (E2EE) meetings. Solution(s) zoom-zoom-upgrade-latest References https://attackerkb.com/topics/cve-2023-36539 CVE - 2023-36539 https://explore.zoom.us/en/trust/security/security-bulletin

Oracle Linux: CVE-2023-32439: ELSA-2023-4202:webkit2gtk3 security update (IMPORTANT) (Multiple Advisories) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/29/2023 Created 07/21/2023 Added 07/20/2023 Modified 02/05/2025 Description A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, macOS Ventura 13.4.1, Safari 16.5.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. A vulnerability was found in webkitgtk. This issue occurs when processing maliciously crafted web content, which may lead to arbitrary code execution. Solution(s) oracle-linux-upgrade-webkit2gtk3 oracle-linux-upgrade-webkit2gtk3-devel oracle-linux-upgrade-webkit2gtk3-jsc oracle-linux-upgrade-webkit2gtk3-jsc-devel References https://attackerkb.com/topics/cve-2023-32439 CVE - 2023-32439 ELSA-2023-4202 ELSA-2023-4201

MediaWiki: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2023-37256) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 06/29/2023 Created 07/10/2023 Added 07/10/2023 Modified 01/28/2025 Description An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. It allows one to store javascript: URLs in URL fields, and automatically links these URLs. Solution(s) mediawiki-upgrade-latest References https://attackerkb.com/topics/cve-2023-37256 CVE - 2023-37256 https://phabricator.wikimedia.org/T331311

MediaWiki: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2023-37251) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 06/29/2023 Created 07/10/2023 Added 07/10/2023 Modified 01/28/2025 Description An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser function does not properly escape JavaScript in the onclick handler and does not prevent use of javascript: URLs. Solution(s) mediawiki-upgrade-latest References https://attackerkb.com/topics/cve-2023-37251 CVE - 2023-37251 https://phabricator.wikimedia.org/T333980

Ubuntu: (Multiple Advisories) (CVE-2023-26966): LibTIFF vulnerabilities Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/29/2023 Created 07/14/2023 Added 07/14/2023 Modified 01/28/2025 Description libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian. Solution(s) ubuntu-pro-upgrade-libtiff-tools ubuntu-pro-upgrade-libtiff5 ubuntu-pro-upgrade-libtiff6 References https://attackerkb.com/topics/cve-2023-26966 CVE - 2023-26966 USN-6229-1 USN-6290-1

Ubuntu: (Multiple Advisories) (CVE-2023-25433): LibTIFF vulnerabilities Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/29/2023 Created 07/14/2023 Added 07/14/2023 Modified 01/28/2025 Description libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV. Solution(s) ubuntu-pro-upgrade-libtiff-tools ubuntu-pro-upgrade-libtiff5 ubuntu-pro-upgrade-libtiff6 References https://attackerkb.com/topics/cve-2023-25433 CVE - 2023-25433 USN-6229-1 USN-6290-1

Huawei EulerOS: CVE-2023-26966: libtiff security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/29/2023 Created 07/17/2024 Added 07/17/2024 Modified 01/28/2025 Description libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian. Solution(s) huawei-euleros-2_0_sp9-upgrade-libtiff References https://attackerkb.com/topics/cve-2023-26966 CVE - 2023-26966 EulerOS-SA-2024-1966

Red Hat: CVE-2023-36617: rubygem-uri: ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755 (Multiple Advisories) Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:P) Published 06/29/2023 Created 03/20/2024 Added 03/20/2024 Modified 02/10/2025 Description A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. Solution(s) redhat-upgrade-ruby redhat-upgrade-ruby-bundled-gems redhat-upgrade-ruby-bundled-gems-debuginfo redhat-upgrade-ruby-debuginfo redhat-upgrade-ruby-debugsource redhat-upgrade-ruby-default-gems redhat-upgrade-ruby-devel redhat-upgrade-ruby-doc redhat-upgrade-ruby-irb redhat-upgrade-ruby-libs redhat-upgrade-ruby-libs-debuginfo redhat-upgrade-rubygem-abrt redhat-upgrade-rubygem-abrt-doc redhat-upgrade-rubygem-bigdecimal redhat-upgrade-rubygem-bigdecimal-debuginfo redhat-upgrade-rubygem-bson redhat-upgrade-rubygem-bson-debuginfo redhat-upgrade-rubygem-bson-debugsource redhat-upgrade-rubygem-bson-doc redhat-upgrade-rubygem-bundler redhat-upgrade-rubygem-bundler-doc redhat-upgrade-rubygem-did_you_mean redhat-upgrade-rubygem-io-console redhat-upgrade-rubygem-io-console-debuginfo redhat-upgrade-rubygem-irb redhat-upgrade-rubygem-json redhat-upgrade-rubygem-json-debuginfo redhat-upgrade-rubygem-minitest redhat-upgrade-rubygem-mongo redhat-upgrade-rubygem-mongo-doc redhat-upgrade-rubygem-mysql2 redhat-upgrade-rubygem-mysql2-debuginfo redhat-upgrade-rubygem-mysql2-debugsource redhat-upgrade-rubygem-mysql2-doc redhat-upgrade-rubygem-net-telnet redhat-upgrade-rubygem-openssl redhat-upgrade-rubygem-openssl-debuginfo redhat-upgrade-rubygem-pg redhat-upgrade-rubygem-pg-debuginfo redhat-upgrade-rubygem-pg-debugsource redhat-upgrade-rubygem-pg-doc redhat-upgrade-rubygem-power_assert redhat-upgrade-rubygem-psych redhat-upgrade-rubygem-psych-debuginfo redhat-upgrade-rubygem-rake redhat-upgrade-rubygem-rbs redhat-upgrade-rubygem-rbs-debuginfo redhat-upgrade-rubygem-rdoc redhat-upgrade-rubygem-rexml redhat-upgrade-rubygem-rss redhat-upgrade-rubygem-test-unit redhat-upgrade-rubygem-typeprof redhat-upgrade-rubygem-xmlrpc redhat-upgrade-rubygems redhat-upgrade-rubygems-devel References CVE-2023-36617 RHSA-2024:1431 RHSA-2024:1576 RHSA-2024:4499

VMware Photon OS: CVE-2023-25433 Severity 5 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:C) Published 06/29/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-25433 CVE - 2023-25433

Huawei EulerOS: CVE-2023-25433: libtiff security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/29/2023 Created 07/17/2024 Added 07/17/2024 Modified 01/28/2025 Description libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV. Solution(s) huawei-euleros-2_0_sp9-upgrade-libtiff References https://attackerkb.com/topics/cve-2023-25433 CVE - 2023-25433 EulerOS-SA-2024-1966

Debian: CVE-2023-3358: linux -- security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 06/28/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/30/2025 Description A null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-3358 CVE - 2023-3358

Debian: CVE-2023-3389: linux -- security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/28/2023 Created 08/21/2023 Added 08/21/2023 Modified 01/28/2025 Description A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation. Racing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer. We recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable). Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-3389 CVE - 2023-3389 DSA-5480-1

Huawei EulerOS: CVE-2023-3090: kernel security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/28/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation. The out-of-bounds write is caused by missing skb->cbinitialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled. We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e. Solution(s) huawei-euleros-2_0_sp8-upgrade-bpftool huawei-euleros-2_0_sp8-upgrade-kernel huawei-euleros-2_0_sp8-upgrade-kernel-devel huawei-euleros-2_0_sp8-upgrade-kernel-headers huawei-euleros-2_0_sp8-upgrade-kernel-tools huawei-euleros-2_0_sp8-upgrade-kernel-tools-libs huawei-euleros-2_0_sp8-upgrade-perf huawei-euleros-2_0_sp8-upgrade-python-perf huawei-euleros-2_0_sp8-upgrade-python3-perf References https://attackerkb.com/topics/cve-2023-3090 CVE - 2023-3090 EulerOS-SA-2023-3132

Alma Linux: CVE-2023-3390: Important: kernel security, bug fix, and enhancement update (Multiple Advisories) Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/28/2023 Created 09/15/2023 Added 09/15/2023 Modified 01/30/2025 Description A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97. Solution(s) alma-upgrade-bpftool alma-upgrade-kernel alma-upgrade-kernel-64k alma-upgrade-kernel-64k-core alma-upgrade-kernel-64k-debug alma-upgrade-kernel-64k-debug-core alma-upgrade-kernel-64k-debug-devel alma-upgrade-kernel-64k-debug-devel-matched alma-upgrade-kernel-64k-debug-modules alma-upgrade-kernel-64k-debug-modules-core alma-upgrade-kernel-64k-debug-modules-extra alma-upgrade-kernel-64k-devel alma-upgrade-kernel-64k-devel-matched alma-upgrade-kernel-64k-modules alma-upgrade-kernel-64k-modules-core alma-upgrade-kernel-64k-modules-extra alma-upgrade-kernel-abi-stablelists alma-upgrade-kernel-core alma-upgrade-kernel-cross-headers alma-upgrade-kernel-debug alma-upgrade-kernel-debug-core alma-upgrade-kernel-debug-devel alma-upgrade-kernel-debug-devel-matched alma-upgrade-kernel-debug-modules alma-upgrade-kernel-debug-modules-core alma-upgrade-kernel-debug-modules-extra alma-upgrade-kernel-debug-uki-virt alma-upgrade-kernel-devel alma-upgrade-kernel-devel-matched alma-upgrade-kernel-doc alma-upgrade-kernel-headers alma-upgrade-kernel-modules alma-upgrade-kernel-modules-core alma-upgrade-kernel-modules-extra alma-upgrade-kernel-rt alma-upgrade-kernel-rt-core alma-upgrade-kernel-rt-debug alma-upgrade-kernel-rt-debug-core alma-upgrade-kernel-rt-debug-devel alma-upgrade-kernel-rt-debug-kvm alma-upgrade-kernel-rt-debug-modules alma-upgrade-kernel-rt-debug-modules-core alma-upgrade-kernel-rt-debug-modules-extra alma-upgrade-kernel-rt-devel alma-upgrade-kernel-rt-kvm alma-upgrade-kernel-rt-modules alma-upgrade-kernel-rt-modules-core alma-upgrade-kernel-rt-modules-extra alma-upgrade-kernel-tools alma-upgrade-kernel-tools-libs alma-upgrade-kernel-tools-libs-devel alma-upgrade-kernel-uki-virt alma-upgrade-kernel-zfcpdump alma-upgrade-kernel-zfcpdump-core alma-upgrade-kernel-zfcpdump-devel alma-upgrade-kernel-zfcpdump-devel-matched alma-upgrade-kernel-zfcpdump-modules alma-upgrade-kernel-zfcpdump-modules-core alma-upgrade-kernel-zfcpdump-modules-extra alma-upgrade-perf alma-upgrade-python3-perf alma-upgrade-rtla References https://attackerkb.com/topics/cve-2023-3390 CVE - 2023-3390 https://errata.almalinux.org/8/ALSA-2023-5244.html https://errata.almalinux.org/9/ALSA-2023-5069.html https://errata.almalinux.org/9/ALSA-2023-5091.html

OS X update for Notes (CVE-2022-48505) Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:C/A:N) Published 06/28/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for curl (CVE-2022-48505) Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:C/A:N) Published 06/28/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for CoreTypes (CVE-2022-48505) Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:C/A:N) Published 06/28/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)