ISHACK AI BOT

IBM WebSphere Application Server: CVE-2023-24966: IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 04/27/2023 Created 05/12/2023 Added 05/12/2023 Modified 01/28/2025 Description IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.IBM X-Force ID:246904. Solution(s) ibm-was-install-8-5-0-0-ph52785 ibm-was-install-9-0-0-0-ph52785 ibm-was-upgrade-8-5-0-0-8-5-5-24 ibm-was-upgrade-9-0-0-0-9-0-5-16 References https://attackerkb.com/topics/cve-2023-24966 CVE - 2023-24966 https://exchange.xforce.ibmcloud.com/vulnerabilities/246904 https://www.ibm.com/support/pages/node/6986333

Amazon Linux AMI 2: CVE-2023-30624: Security patch for ecs-service-connect-agent (ALASECS-2023-007) Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C) Published 04/27/2023 Created 09/28/2023 Added 09/28/2023 Modified 01/30/2025 Description Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critical for correctness, to be optimized away. Vulnerable versions of Wasmtime compiled with Rust 1.70, which is currently in beta, or later are known to have incorrectly compiled functions. Versions of Wasmtime compiled with the current Rust stable release, 1.69, and prior are not known at this time to have any issues, but can theoretically exhibit potential issues. The underlying problem is that Wasmtime's runtime state for an instance involves a Rust-defined structure called `Instance` which has a trailing `VMContext` structure after it. This `VMContext` structure has a runtime-defined layout that is unique per-module. This representation cannot be expressed with safe code in Rust so `unsafe` code is required to maintain this state. The code doing this, however, has methods which take `&self` as an argument but modify data in the `VMContext` part of the allocation. This means that pointers derived from `&self` are mutated. This is typically not allowed, except in the presence of `UnsafeCell`, in Rust. When compiled to LLVM these functions have `noalias readonly` parameters which means it's UB to write through the pointers. Wasmtime's internal representation and management of `VMContext` has been updated to use `&mut self` methods where appropriate. Additionally verification tools for `unsafe` code in Rust, such as `cargo miri`, are planned to be executed on the `main` branch soon to fix any Rust-level issues that may be exploited in future compiler versions. Precomplied binaries available for Wasmtime from GitHub releases have been compiled with at most LLVM 15 so are not known to be vulnerable. As mentioned above, however, it's still recommended to update. Wasmtime version 6.0.2, 7.0.1, and 8.0.1 have been issued which contain the patch necessary to work correctly on LLVM 16 and have no known UB on LLVM 15 and earlier. If Wasmtime is compiled with Rust 1.69 and prior, which use LLVM 15, then there are no known issues. There is a theoretical possibility for undefined behavior to exploited, however, so it's recommended that users upgrade to a patched version of Wasmtime. Users using beta Rust (1.70 at this time) or nightly Rust (1.71 at this time) must update to a patched version to work correctly. Solution(s) amazon-linux-ami-2-upgrade-ecs-service-connect-agent References https://attackerkb.com/topics/cve-2023-30624 AL2/ALASECS-2023-007 CVE - 2023-30624

Huawei EulerOS: CVE-2023-1786: cloud-init security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. Solution(s) huawei-euleros-2_0_sp11-upgrade-cloud-init References https://attackerkb.com/topics/cve-2023-1786 CVE - 2023-1786 EulerOS-SA-2023-2855

Amazon Linux AMI: CVE-2022-4132: Security patch for tomcat7 (ALAS-2023-1738) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 04/27/2023 Created 05/05/2023 Added 05/04/2023 Modified 01/28/2025 Description Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below. From ALAS-2023-1738: 2023-05-11: CVE-2017-12616 was added to this advisory. When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request. ( CVE-2017-12616) Tomcat: Memory leak (CVE-2022-4132) Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. (CVE-2023-24998) Solution(s) amazon-linux-upgrade-tomcat7 References ALAS-2023-1738 CVE-2022-4132

Amazon Linux AMI: CVE-2023-33203: Security patch for kernel (ALAS-2023-1735) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 04/27/2023 Created 07/17/2023 Added 07/14/2023 Modified 01/28/2025 Description The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device. Solution(s) amazon-linux-upgrade-kernel References ALAS-2023-1735 CVE-2023-33203

Ubuntu: (Multiple Advisories) (CVE-2023-0458): Linux kernel vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 05/17/2023 Added 05/17/2023 Modified 01/30/2025 Description A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 Solution(s) ubuntu-upgrade-linux-image-3-13-0-193-generic ubuntu-upgrade-linux-image-3-13-0-193-lowlatency ubuntu-upgrade-linux-image-4-4-0-1121-aws ubuntu-upgrade-linux-image-4-4-0-1122-kvm ubuntu-upgrade-linux-image-4-4-0-1159-aws ubuntu-upgrade-linux-image-4-4-0-243-generic ubuntu-upgrade-linux-image-4-4-0-243-lowlatency ubuntu-upgrade-linux-image-5-15-0-1030-intel-iotg ubuntu-upgrade-linux-image-5-19-0-1018-raspi ubuntu-upgrade-linux-image-5-19-0-1018-raspi-nolpae ubuntu-upgrade-linux-image-5-19-0-1022-ibm ubuntu-upgrade-linux-image-5-19-0-1023-kvm ubuntu-upgrade-linux-image-5-19-0-1023-oracle ubuntu-upgrade-linux-image-5-19-0-1024-gcp ubuntu-upgrade-linux-image-5-19-0-1024-lowlatency ubuntu-upgrade-linux-image-5-19-0-1024-lowlatency-64k ubuntu-upgrade-linux-image-5-19-0-1025-aws ubuntu-upgrade-linux-image-5-19-0-1026-azure ubuntu-upgrade-linux-image-5-19-0-42-generic ubuntu-upgrade-linux-image-5-19-0-42-generic-64k ubuntu-upgrade-linux-image-5-19-0-42-generic-lpae ubuntu-upgrade-linux-image-5-4-0-1017-iot ubuntu-upgrade-linux-image-5-4-0-1024-xilinx-zynqmp ubuntu-upgrade-linux-image-5-4-0-1062-bluefield ubuntu-upgrade-linux-image-6-0-0-1021-oem ubuntu-upgrade-linux-image-aws ubuntu-upgrade-linux-image-azure ubuntu-upgrade-linux-image-bluefield ubuntu-upgrade-linux-image-gcp ubuntu-upgrade-linux-image-generic ubuntu-upgrade-linux-image-generic-64k ubuntu-upgrade-linux-image-generic-64k-hwe-22-04 ubuntu-upgrade-linux-image-generic-hwe-22-04 ubuntu-upgrade-linux-image-generic-lpae ubuntu-upgrade-linux-image-generic-lpae-hwe-22-04 ubuntu-upgrade-linux-image-generic-lts-trusty ubuntu-upgrade-linux-image-generic-lts-xenial ubuntu-upgrade-linux-image-ibm ubuntu-upgrade-linux-image-intel ubuntu-upgrade-linux-image-intel-iotg ubuntu-upgrade-linux-image-kvm ubuntu-upgrade-linux-image-lowlatency ubuntu-upgrade-linux-image-lowlatency-64k ubuntu-upgrade-linux-image-lowlatency-lts-xenial ubuntu-upgrade-linux-image-oem-22-04b ubuntu-upgrade-linux-image-oracle ubuntu-upgrade-linux-image-raspi ubuntu-upgrade-linux-image-raspi-nolpae ubuntu-upgrade-linux-image-server ubuntu-upgrade-linux-image-virtual ubuntu-upgrade-linux-image-virtual-hwe-22-04 ubuntu-upgrade-linux-image-virtual-lts-xenial ubuntu-upgrade-linux-image-xilinx-zynqmp References https://attackerkb.com/topics/cve-2023-0458 CVE - 2023-0458 USN-6079-1 USN-6091-1 USN-6093-1 USN-6096-1 USN-6134-1 USN-6222-1 USN-6254-1 USN-6256-1 USN-6341-1 USN-6385-1 View more

Oracle Linux: CVE-2023-38470: ELSA-2024-2433:avahi security update (MODERATE) (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:C) Published 04/26/2023 Created 12/20/2023 Added 12/18/2023 Modified 01/07/2025 Description A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function. Solution(s) oracle-linux-upgrade-avahi oracle-linux-upgrade-avahi-autoipd oracle-linux-upgrade-avahi-compat-howl oracle-linux-upgrade-avahi-compat-howl-devel oracle-linux-upgrade-avahi-compat-libdns-sd oracle-linux-upgrade-avahi-compat-libdns-sd-devel oracle-linux-upgrade-avahi-devel oracle-linux-upgrade-avahi-glib oracle-linux-upgrade-avahi-glib-devel oracle-linux-upgrade-avahi-gobject oracle-linux-upgrade-avahi-gobject-devel oracle-linux-upgrade-avahi-libs oracle-linux-upgrade-avahi-tools oracle-linux-upgrade-avahi-ui oracle-linux-upgrade-avahi-ui-devel oracle-linux-upgrade-avahi-ui-gtk3 oracle-linux-upgrade-python3-avahi References https://attackerkb.com/topics/cve-2023-38470 CVE - 2023-38470 ELSA-2024-2433 ELSA-2023-7836

Debian: CVE-2023-0458: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 05/05/2023 Added 05/01/2023 Modified 01/30/2025 Description A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-0458 CVE - 2023-0458 DLA-3403-1 DLA-3404-1

SUSE: CVE-2023-1387: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 04/26/2023 Created 06/23/2023 Added 06/22/2023 Modified 01/28/2025 Description Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana. Solution(s) suse-upgrade-grafana References https://attackerkb.com/topics/cve-2023-1387 CVE - 2023-1387

Amazon Linux AMI 2: CVE-2023-0458: Security patch for kernel (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 05/05/2023 Added 05/02/2023 Modified 01/30/2025 Description A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 Solution(s) amazon-linux-ami-2-upgrade-bpftool amazon-linux-ami-2-upgrade-bpftool-debuginfo amazon-linux-ami-2-upgrade-kernel amazon-linux-ami-2-upgrade-kernel-debuginfo amazon-linux-ami-2-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-ami-2-upgrade-kernel-debuginfo-common-x86_64 amazon-linux-ami-2-upgrade-kernel-devel amazon-linux-ami-2-upgrade-kernel-headers amazon-linux-ami-2-upgrade-kernel-livepatch-4-14-309-231-529 amazon-linux-ami-2-upgrade-kernel-livepatch-5-10-173-154-642 amazon-linux-ami-2-upgrade-kernel-livepatch-5-15-102-61-139 amazon-linux-ami-2-upgrade-kernel-tools amazon-linux-ami-2-upgrade-kernel-tools-debuginfo amazon-linux-ami-2-upgrade-kernel-tools-devel amazon-linux-ami-2-upgrade-perf amazon-linux-ami-2-upgrade-perf-debuginfo amazon-linux-ami-2-upgrade-python-perf amazon-linux-ami-2-upgrade-python-perf-debuginfo References https://attackerkb.com/topics/cve-2023-0458 AL2/ALAS-2023-1987 AL2/ALASKERNEL-5.10-2023-028 AL2/ALASKERNEL-5.15-2023-015 AL2/ALASKERNEL-5.4-2023-043 CVE - 2023-0458

SUSE: CVE-2023-1786: SUSE Linux Security Advisory Severity 5 CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 05/11/2023 Added 05/11/2023 Modified 01/28/2025 Description Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. Solution(s) suse-upgrade-cloud-init suse-upgrade-cloud-init-config-suse suse-upgrade-cloud-init-doc References https://attackerkb.com/topics/cve-2023-1786 CVE - 2023-1786

Rapid7 Insight Agent: CVE-2023-2273: Directory Traversal vulnerability Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 04/26/2023 Created 05/15/2023 Added 05/15/2023 Modified 04/23/2024 Description Rapid7 Insight Agent token handler versions 3.2.6 and below on Linux and Mac Operating Systems, suffer from a Directory Traversal vulnerability whereby unsanitized input from a CLI argument flows into io.ioutil.WriteFile, where it is used as a path. This can result in a Path Traversal vulnerability and allow an attacker to write arbitrary files. This issue is remediated in version 3.3.0 via safe guards that reject inputs that attempt to do path traversal. Solution(s) rapid7-insightagent-cve-2023-2273 References https://attackerkb.com/topics/cve-2023-2273 CVE - 2023-2273 https://docs.rapid7.com/release-notes/insightagent/20230425/

Amazon Linux 2023: CVE-2023-38471: Medium priority package update for avahi Severity 5 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:C) Published 04/26/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function. Solution(s) amazon-linux-2023-upgrade-avahi amazon-linux-2023-upgrade-avahi-autoipd amazon-linux-2023-upgrade-avahi-autoipd-debuginfo amazon-linux-2023-upgrade-avahi-compat-howl amazon-linux-2023-upgrade-avahi-compat-howl-debuginfo amazon-linux-2023-upgrade-avahi-compat-howl-devel amazon-linux-2023-upgrade-avahi-compat-libdns-sd amazon-linux-2023-upgrade-avahi-compat-libdns-sd-debuginfo amazon-linux-2023-upgrade-avahi-compat-libdns-sd-devel amazon-linux-2023-upgrade-avahi-debuginfo amazon-linux-2023-upgrade-avahi-debugsource amazon-linux-2023-upgrade-avahi-devel amazon-linux-2023-upgrade-avahi-dnsconfd amazon-linux-2023-upgrade-avahi-dnsconfd-debuginfo amazon-linux-2023-upgrade-avahi-glib amazon-linux-2023-upgrade-avahi-glib-debuginfo amazon-linux-2023-upgrade-avahi-glib-devel amazon-linux-2023-upgrade-avahi-gobject amazon-linux-2023-upgrade-avahi-gobject-debuginfo amazon-linux-2023-upgrade-avahi-gobject-devel amazon-linux-2023-upgrade-avahi-libs amazon-linux-2023-upgrade-avahi-libs-debuginfo amazon-linux-2023-upgrade-avahi-tools amazon-linux-2023-upgrade-avahi-tools-debuginfo amazon-linux-2023-upgrade-avahi-ui-devel amazon-linux-2023-upgrade-avahi-ui-gtk3 amazon-linux-2023-upgrade-avahi-ui-gtk3-debuginfo References https://attackerkb.com/topics/cve-2023-38471 CVE - 2023-38471 https://alas.aws.amazon.com/AL2023/ALAS-2023-272.html

Red Hat: CVE-2023-0458: kernel: speculative pointer dereference in do_prlimit() in kernel/sys.c (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 08/02/2023 Added 08/02/2023 Modified 01/30/2025 Description A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 Solution(s) redhat-upgrade-kernel redhat-upgrade-kernel-rt References CVE-2023-0458 RHSA-2023:4377 RHSA-2023:4378 RHSA-2023:4801 RHSA-2023:4814 RHSA-2023:6901 RHSA-2023:7077 RHSA-2024:0575 RHSA-2024:0724 View more

FreeBSD: VID-5E257B0D-E466-11ED-834B-6C3BE5272ACD (CVE-2023-1387): Grafana -- Exposure of sensitive information to an unauthorized actor Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 04/26/2023 Created 05/05/2023 Added 04/27/2023 Modified 01/28/2025 Description Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana. Solution(s) freebsd-upgrade-package-grafana freebsd-upgrade-package-grafana9 References CVE-2023-1387

FreeBSD: VID-02562A78-E6B7-11ED-B0CE-B42E991FC52E (CVE-2023-1786): cloud-init -- sensitive data exposure in cloud-init logs Severity 5 CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 05/05/2023 Added 05/02/2023 Modified 01/28/2025 Description Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. Solution(s) freebsd-upgrade-package-cloud-init freebsd-upgrade-package-cloud-init-devel References CVE-2023-1786

Huawei EulerOS: CVE-2023-0458: kernel security update Severity 4 CVSS (AV:L/AC:M/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 07/18/2023 Added 07/18/2023 Modified 01/30/2025 Description A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 Solution(s) huawei-euleros-2_0_sp10-upgrade-kernel huawei-euleros-2_0_sp10-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp10-upgrade-kernel-tools huawei-euleros-2_0_sp10-upgrade-kernel-tools-libs huawei-euleros-2_0_sp10-upgrade-python3-perf References https://attackerkb.com/topics/cve-2023-0458 CVE - 2023-0458 EulerOS-SA-2023-2383

Oracle Linux: CVE-2023-38471: ELSA-2024-2433:avahi security update (MODERATE) (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:C) Published 04/26/2023 Created 12/20/2023 Added 12/18/2023 Modified 01/07/2025 Description A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function. Solution(s) oracle-linux-upgrade-avahi oracle-linux-upgrade-avahi-autoipd oracle-linux-upgrade-avahi-compat-howl oracle-linux-upgrade-avahi-compat-howl-devel oracle-linux-upgrade-avahi-compat-libdns-sd oracle-linux-upgrade-avahi-compat-libdns-sd-devel oracle-linux-upgrade-avahi-devel oracle-linux-upgrade-avahi-glib oracle-linux-upgrade-avahi-glib-devel oracle-linux-upgrade-avahi-gobject oracle-linux-upgrade-avahi-gobject-devel oracle-linux-upgrade-avahi-libs oracle-linux-upgrade-avahi-tools oracle-linux-upgrade-avahi-ui oracle-linux-upgrade-avahi-ui-devel oracle-linux-upgrade-avahi-ui-gtk3 oracle-linux-upgrade-python3-avahi References https://attackerkb.com/topics/cve-2023-38471 CVE - 2023-38471 ELSA-2024-2433 ELSA-2023-7836

Ubuntu: USN-6042-1 (CVE-2023-1786): Cloud-init vulnerability Severity 5 CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 05/05/2023 Added 05/01/2023 Modified 01/28/2025 Description Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. Solution(s) ubuntu-upgrade-cloud-init References https://attackerkb.com/topics/cve-2023-1786 CVE - 2023-1786 USN-6042-1

Huawei EulerOS: CVE-2023-1786: cloud-init security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. Solution(s) huawei-euleros-2_0_sp10-upgrade-cloud-init References https://attackerkb.com/topics/cve-2023-1786 CVE - 2023-1786 EulerOS-SA-2023-2805

Amazon Linux 2023: CVE-2023-38473: Medium priority package update for avahi Severity 5 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:C) Published 04/26/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function. Solution(s) amazon-linux-2023-upgrade-avahi amazon-linux-2023-upgrade-avahi-autoipd amazon-linux-2023-upgrade-avahi-autoipd-debuginfo amazon-linux-2023-upgrade-avahi-compat-howl amazon-linux-2023-upgrade-avahi-compat-howl-debuginfo amazon-linux-2023-upgrade-avahi-compat-howl-devel amazon-linux-2023-upgrade-avahi-compat-libdns-sd amazon-linux-2023-upgrade-avahi-compat-libdns-sd-debuginfo amazon-linux-2023-upgrade-avahi-compat-libdns-sd-devel amazon-linux-2023-upgrade-avahi-debuginfo amazon-linux-2023-upgrade-avahi-debugsource amazon-linux-2023-upgrade-avahi-devel amazon-linux-2023-upgrade-avahi-dnsconfd amazon-linux-2023-upgrade-avahi-dnsconfd-debuginfo amazon-linux-2023-upgrade-avahi-glib amazon-linux-2023-upgrade-avahi-glib-debuginfo amazon-linux-2023-upgrade-avahi-glib-devel amazon-linux-2023-upgrade-avahi-gobject amazon-linux-2023-upgrade-avahi-gobject-debuginfo amazon-linux-2023-upgrade-avahi-gobject-devel amazon-linux-2023-upgrade-avahi-libs amazon-linux-2023-upgrade-avahi-libs-debuginfo amazon-linux-2023-upgrade-avahi-tools amazon-linux-2023-upgrade-avahi-tools-debuginfo amazon-linux-2023-upgrade-avahi-ui-devel amazon-linux-2023-upgrade-avahi-ui-gtk3 amazon-linux-2023-upgrade-avahi-ui-gtk3-debuginfo References https://attackerkb.com/topics/cve-2023-38473 CVE - 2023-38473 https://alas.aws.amazon.com/AL2023/ALAS-2023-455.html

Amazon Linux 2023: CVE-2023-38469: Medium priority package update for avahi Severity 5 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:C) Published 04/26/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record. Solution(s) amazon-linux-2023-upgrade-avahi amazon-linux-2023-upgrade-avahi-autoipd amazon-linux-2023-upgrade-avahi-autoipd-debuginfo amazon-linux-2023-upgrade-avahi-compat-howl amazon-linux-2023-upgrade-avahi-compat-howl-debuginfo amazon-linux-2023-upgrade-avahi-compat-howl-devel amazon-linux-2023-upgrade-avahi-compat-libdns-sd amazon-linux-2023-upgrade-avahi-compat-libdns-sd-debuginfo amazon-linux-2023-upgrade-avahi-compat-libdns-sd-devel amazon-linux-2023-upgrade-avahi-debuginfo amazon-linux-2023-upgrade-avahi-debugsource amazon-linux-2023-upgrade-avahi-devel amazon-linux-2023-upgrade-avahi-dnsconfd amazon-linux-2023-upgrade-avahi-dnsconfd-debuginfo amazon-linux-2023-upgrade-avahi-glib amazon-linux-2023-upgrade-avahi-glib-debuginfo amazon-linux-2023-upgrade-avahi-glib-devel amazon-linux-2023-upgrade-avahi-gobject amazon-linux-2023-upgrade-avahi-gobject-debuginfo amazon-linux-2023-upgrade-avahi-gobject-devel amazon-linux-2023-upgrade-avahi-libs amazon-linux-2023-upgrade-avahi-libs-debuginfo amazon-linux-2023-upgrade-avahi-tools amazon-linux-2023-upgrade-avahi-tools-debuginfo amazon-linux-2023-upgrade-avahi-ui-devel amazon-linux-2023-upgrade-avahi-ui-gtk3 amazon-linux-2023-upgrade-avahi-ui-gtk3-debuginfo References https://attackerkb.com/topics/cve-2023-38469 CVE - 2023-38469 https://alas.aws.amazon.com/AL2023/ALAS-2023-272.html

CentOS Linux: CVE-2023-0458: Important: kernel security, bug fix, and enhancement update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 08/02/2023 Added 08/02/2023 Modified 01/28/2025 Description A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 Solution(s) centos-upgrade-kernel centos-upgrade-kernel-rt References CVE-2023-0458

Huawei EulerOS: CVE-2023-1786: cloud-init security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. Solution(s) huawei-euleros-2_0_sp8-upgrade-cloud-init References https://attackerkb.com/topics/cve-2023-1786 CVE - 2023-1786 EulerOS-SA-2023-3116

Alma Linux: CVE-2023-1786: Moderate: cloud-init security, bug fix, and enhancement update (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:N) Published 04/26/2023 Created 11/17/2023 Added 11/16/2023 Modified 01/28/2025 Description Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. Solution(s) alma-upgrade-cloud-init References https://attackerkb.com/topics/cve-2023-1786 CVE - 2023-1786 https://errata.almalinux.org/8/ALSA-2023-6943.html https://errata.almalinux.org/9/ALSA-2023-6371.html