ISHACK AI BOT

Gentoo Linux: CVE-2023-34417: Mozilla Firefox: Multiple Vulnerabilities Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/19/2023 Created 01/09/2024 Added 01/08/2024 Modified 01/28/2025 Description Memory safety bugs present in Firefox 113. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 114. Solution(s) gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2023-34417 CVE - 2023-34417 202401-10

VMware Photon OS: CVE-2023-34414 Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:P) Published 06/19/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-34414 CVE - 2023-34414

Gentoo Linux: CVE-2023-32209: Mozilla Firefox: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 06/19/2023 Created 01/09/2024 Added 01/08/2024 Modified 01/28/2025 Description A maliciously crafted favicon could have led to an out of memory crash. This vulnerability affects Firefox < 113. Solution(s) gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2023-32209 CVE - 2023-32209 202401-10

VMware Photon OS: CVE-2023-34416 Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/19/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-34416 CVE - 2023-34416

VMware Photon OS: CVE-2023-25733 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 06/19/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description The return value from `gfx::SourceSurfaceSkia::Map()` wasn't being verified which could have potentially lead to a null pointer dereference. This vulnerability affects Firefox < 110. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-25733 CVE - 2023-25733

VMware Photon OS: CVE-2023-35852 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 06/19/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-35852 CVE - 2023-35852

VMware Photon OS: CVE-2023-35853 Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/19/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-35853 CVE - 2023-35853

SUSE: CVE-2023-27349: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/19/2023 Created 06/21/2023 Added 06/20/2023 Modified 05/06/2024 Description BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19908. Solution(s) suse-upgrade-bluez suse-upgrade-bluez-auto-enable-devices suse-upgrade-bluez-cups suse-upgrade-bluez-deprecated suse-upgrade-bluez-devel suse-upgrade-bluez-devel-32bit suse-upgrade-bluez-obexd suse-upgrade-bluez-test suse-upgrade-bluez-zsh-completion suse-upgrade-libbluetooth3 suse-upgrade-libbluetooth3-32bit References https://attackerkb.com/topics/cve-2023-27349 CVE - 2023-27349

Alpine Linux: CVE-2023-29542: Vulnerability in Multiple Components Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/19/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnkwith .download. This could have led to accidental execution of malicious code. *This bug only affects Firefox and Thunderbird on Windows. Other versions of Firefox and Thunderbird are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2023-29542 CVE - 2023-29542 https://security.alpinelinux.org/vuln/CVE-2023-29542

CentOS Linux: CVE-2023-3316: Moderate: libtiff security update (CESA-2023:6575) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/19/2023 Created 11/09/2023 Added 11/08/2023 Modified 01/28/2025 Description A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones. Solution(s) centos-upgrade-libtiff centos-upgrade-libtiff-debuginfo centos-upgrade-libtiff-debugsource centos-upgrade-libtiff-devel centos-upgrade-libtiff-tools-debuginfo References CVE-2023-3316

Jenkins Advisory 2023-06-14: CVE-2023-3315: Missing permission checks in Team Concert Plugin Severity 4 CVSS (AV:N/AC:L/Au:S/C:P/I:N/A:N) Published 06/19/2023 Created 06/27/2023 Added 06/26/2023 Modified 01/28/2025 Description Missing permission checks in Jenkins Team Concert Plugin 2.4.1 and earlier allow attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. Solution(s) jenkins-lts-upgrade-2_401_1 jenkins-upgrade-2_400 References https://attackerkb.com/topics/cve-2023-3315 CVE - 2023-3315 https://jenkins.io/security/advisory/2023-06-14/

VMware Photon OS: CVE-2023-3316 Severity 5 CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:C) Published 06/19/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-3316 CVE - 2023-3316

Debian: CVE-2023-3316: tiff -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/19/2023 Created 08/02/2023 Added 08/02/2023 Modified 01/28/2025 Description A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones. Solution(s) debian-upgrade-tiff References https://attackerkb.com/topics/cve-2023-3316 CVE - 2023-3316 DLA-3513-1

Amazon Linux AMI 2: CVE-2023-3316: Security patch for compat-libtiff3, libtiff (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/19/2023 Created 07/21/2023 Added 07/21/2023 Modified 01/28/2025 Description A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones. Solution(s) amazon-linux-ami-2-upgrade-compat-libtiff3 amazon-linux-ami-2-upgrade-compat-libtiff3-debuginfo amazon-linux-ami-2-upgrade-libtiff amazon-linux-ami-2-upgrade-libtiff-debuginfo amazon-linux-ami-2-upgrade-libtiff-devel amazon-linux-ami-2-upgrade-libtiff-static amazon-linux-ami-2-upgrade-libtiff-tools References https://attackerkb.com/topics/cve-2023-3316 AL2/ALAS-2023-2125 AL2/ALAS-2023-2126 CVE - 2023-3316

CentOS Linux: CVE-2023-3022: Important: kernel-rt security and bug fix update (CESA-2022:1975) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 06/19/2023 Created 06/27/2023 Added 06/26/2023 Modified 01/28/2025 Description A flaw was found in the IPv6 module of the Linux kernel. The arg.result was not used consistently in fib6_rule_lookup, sometimes holding rt6_info and other times fib6_info. This was not accounted for in other parts of the code where rt6_info was expected unconditionally, potentially leading to a kernel panic in fib6_rule_suppress. Solution(s) centos-upgrade-kernel-rt References CVE-2023-3022

Gentoo Linux: CVE-2023-34415: Mozilla Firefox: Multiple Vulnerabilities Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 06/19/2023 Created 01/09/2024 Added 01/08/2024 Modified 01/30/2025 Description When choosing a site-isolated process for a document loaded from a data: URL that was the result of a redirect, Firefox would load that document in the same process as the site that issued the redirect. This bypassed the site-isolation protections against Spectre-like attacks on sites that host an "open redirect". Firefox no longer follows HTTP redirects to data: URLs. This vulnerability affects Firefox < 114. Solution(s) gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2023-34415 CVE - 2023-34415 202401-10

Huawei EulerOS: CVE-2023-3316: libtiff security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/19/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones. Solution(s) huawei-euleros-2_0_sp9-upgrade-libtiff References https://attackerkb.com/topics/cve-2023-3316 CVE - 2023-3316 EulerOS-SA-2023-2900

Alpine Linux: CVE-2023-34416: Out-of-bounds Write Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/19/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2023-34416 CVE - 2023-34416 https://security.alpinelinux.org/vuln/CVE-2023-34416

Gentoo Linux: CVE-2023-32210: Mozilla Firefox: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 06/19/2023 Created 01/09/2024 Added 01/08/2024 Modified 01/28/2025 Description Documents were incorrectly assuming an ordering of principal objects when ensuring we were loading an appropriately privileged principal. In certain circumstances it might have been possible to cause a document to be loaded with a higher privileged principal than intended. This vulnerability affects Firefox < 113. Solution(s) gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2023-32210 CVE - 2023-32210 202401-10

Alpine Linux: CVE-2023-35852: Path Traversal Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 06/19/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation. Solution(s) alpine-linux-upgrade-suricata References https://attackerkb.com/topics/cve-2023-35852 CVE - 2023-35852 https://security.alpinelinux.org/vuln/CVE-2023-35852

Gentoo Linux: CVE-2023-32214: Mozilla Thunderbird: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 06/19/2023 Created 12/22/2023 Added 12/21/2023 Modified 01/28/2025 Description Protocol handlers `ms-cxh` and `ms-cxh-full` could have been leveraged to trigger a denial of service. *Note: This attack only affects Windows. Other operating systems are not affected.* This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2023-32214 CVE - 2023-32214 202312-03 202401-10

Alpine Linux: CVE-2023-3316: NULL Pointer Dereference Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/19/2023 Created 04/09/2024 Added 03/26/2024 Modified 10/02/2024 Description A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones. Solution(s) alpine-linux-upgrade-tiff References https://attackerkb.com/topics/cve-2023-3316 CVE - 2023-3316 https://security.alpinelinux.org/vuln/CVE-2023-3316

Gentoo Linux: CVE-2023-32216: Mozilla Firefox: Multiple Vulnerabilities Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/19/2023 Created 01/09/2024 Added 01/08/2024 Modified 01/28/2025 Description Memory safetybugs present in Firefox 112. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 113. Solution(s) gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2023-32216 CVE - 2023-32216 202401-10

Debian: CVE-2023-35823: linux -- security update Severity 7 CVSS (AV:L/AC:M/Au:S/C:C/I:C/A:C) Published 06/18/2023 Created 07/31/2023 Added 07/31/2023 Modified 01/28/2025 Description An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-35823 CVE - 2023-35823 DLA-3508-1

Alma Linux: CVE-2023-34414: Important: thunderbird security update (Multiple Advisories) Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:P) Published 06/19/2023 Created 06/23/2023 Added 06/22/2023 Modified 01/28/2025 Description The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12. Solution(s) alma-upgrade-firefox alma-upgrade-firefox-x11 alma-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-34414 CVE - 2023-34414 https://errata.almalinux.org/8/ALSA-2023-3588.html https://errata.almalinux.org/8/ALSA-2023-3590.html https://errata.almalinux.org/9/ALSA-2023-3587.html https://errata.almalinux.org/9/ALSA-2023-3589.html