ISHACK AI BOT

Microsoft Edge Chromium: CVE-2023-24935 Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 04/10/2023 Created 05/05/2023 Added 04/10/2023 Modified 01/28/2025 Description Microsoft Edge (Chromium-based) Spoofing Vulnerability Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2023-24935 CVE - 2023-24935 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24935

Amazon Linux AMI 2: CVE-2023-28205: Security patch for webkitgtk4 (ALAS-2023-2088) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 04/10/2023 Created 06/14/2023 Added 06/13/2023 Modified 01/28/2025 Description A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Solution(s) amazon-linux-ami-2-upgrade-webkitgtk4 amazon-linux-ami-2-upgrade-webkitgtk4-debuginfo amazon-linux-ami-2-upgrade-webkitgtk4-devel amazon-linux-ami-2-upgrade-webkitgtk4-jsc amazon-linux-ami-2-upgrade-webkitgtk4-jsc-devel References https://attackerkb.com/topics/cve-2023-28205 AL2/ALAS-2023-2088 CVE - 2023-28205

OS X update for Core Bluetooth (CVE-2022-46709) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 04/10/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for Grapher (CVE-2022-46709) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 04/10/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for Audio (CVE-2022-46709) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 04/10/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Zoho ManageEngine ServiceDesk Plus MSP: XXE Vulnerability (CVE-2023-29443) Severity 6 CVSS (AV:N/AC:L/Au:M/C:C/I:N/A:N) Published 04/10/2023 Created 01/15/2025 Added 01/14/2025 Modified 01/14/2025 Description An admin only XXE vulnerability in the Reports integration has been fixed and released. Solution(s) zoho-manageengine-servicedesk-plus-msp-upgrade-latest References https://attackerkb.com/topics/cve-2023-29443 CVE - 2023-29443 https://www.manageengine.com/products/service-desk/CVE-2023-29443.html

Huawei EulerOS: CVE-2023-1916: libtiff security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:P/I:N/A:C) Published 04/10/2023 Created 10/09/2024 Added 10/08/2024 Modified 01/28/2025 Description A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x. Solution(s) huawei-euleros-2_0_sp10-upgrade-libtiff References https://attackerkb.com/topics/cve-2023-1916 CVE - 2023-1916 EulerOS-SA-2024-2446

OS X update for ColorSync (CVE-2022-46709) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 04/10/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for ImageIO (CVE-2022-46703) Severity 5 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N) Published 04/10/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for ImageIO (CVE-2022-46716) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 04/10/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for Kernel (CVE-2022-46716) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 04/10/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for AppleAVD (CVE-2022-46709) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 04/10/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Debian: CVE-2023-30456: linux -- security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 04/10/2023 Created 05/05/2023 Added 05/01/2023 Modified 01/28/2025 Description An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-30456 CVE - 2023-30456 DLA-3403-1 DLA-3404-1

OS X update for TCC (CVE-2022-46703) Severity 5 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N) Published 04/10/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Debian: CVE-2023-28205: webkit2gtk, wpewebkit -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 04/10/2023 Created 05/05/2023 Added 05/04/2023 Modified 01/28/2025 Description A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Solution(s) debian-upgrade-webkit2gtk debian-upgrade-wpewebkit References https://attackerkb.com/topics/cve-2023-28205 CVE - 2023-28205 DSA-5396 DSA-5396-1 DSA-5397 DSA-5397-1

OS X update for Intel Graphics Driver (CVE-2022-46709) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 04/10/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for DriverKit (CVE-2022-46709) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 04/10/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Amazon Linux 2023: CVE-2023-24626: Low priority package update for screen Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 04/08/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process. A flaw was found in screen. This flaw allows local users to send a SIGHUP signal to any PID due to a missing signal sending permission check, potentially resulting in a denial of service or disruption of the target process. Solution(s) amazon-linux-2023-upgrade-screen amazon-linux-2023-upgrade-screen-debuginfo amazon-linux-2023-upgrade-screen-debugsource References https://attackerkb.com/topics/cve-2023-24626 CVE - 2023-24626 https://alas.aws.amazon.com/AL2023/ALAS-2023-224.html

OS X update for AMD (CVE-2022-46716) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 04/10/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Huawei EulerOS: CVE-2023-24626: screen security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 04/08/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process. Solution(s) huawei-euleros-2_0_sp8-upgrade-screen References https://attackerkb.com/topics/cve-2023-24626 CVE - 2023-24626 EulerOS-SA-2023-3159

Huawei EulerOS: CVE-2023-24626: screen security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 04/08/2023 Created 07/18/2023 Added 07/18/2023 Modified 01/28/2025 Description socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process. Solution(s) huawei-euleros-2_0_sp10-upgrade-screen References https://attackerkb.com/topics/cve-2023-24626 CVE - 2023-24626 EulerOS-SA-2023-2393

OS X update for tcpdump (CVE-2023-1801) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 04/07/2023 Created 12/23/2023 Added 12/22/2023 Modified 01/28/2025 Description The SMB protocol decoder in tcpdump version 4.99.3 can perform an out-of-bounds write when decoding a crafted network packet. Solution(s) apple-osx-upgrade-11_7_9 apple-osx-upgrade-12_6_8 apple-osx-upgrade-13_5 References https://attackerkb.com/topics/cve-2023-1801 CVE - 2023-1801 https://support.apple.com/kb/HT213843 https://support.apple.com/kb/HT213844 https://support.apple.com/kb/HT213845

Oracle Linux: CVE-2023-28205: ELSA-2023-1918:webkit2gtk3 security update (IMPORTANT) (Multiple Advisories) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 04/07/2023 Created 05/05/2023 Added 04/21/2023 Modified 02/14/2025 Description A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. A flaw was found in the webkitgtk package. An improper input validation issue may lead to a use-after-free vulnerability. This vulnerability allows attackers with network access to pass specially crafted web content files, causing Denial of Service or Arbitrary Code Execution. Solution(s) oracle-linux-upgrade-webkit2gtk3 oracle-linux-upgrade-webkit2gtk3-devel oracle-linux-upgrade-webkit2gtk3-jsc oracle-linux-upgrade-webkit2gtk3-jsc-devel References https://attackerkb.com/topics/cve-2023-28205 CVE - 2023-28205 ELSA-2023-1918 ELSA-2023-1919

VMware Photon OS: CVE-2023-1801 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 04/07/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description The SMB protocol decoder in tcpdump version 4.99.3 can perform an out-of-bounds write when decoding a crafted network packet. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-1801 CVE - 2023-1801

Ubuntu: (Multiple Advisories) (CVE-2023-24536): Go vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 04/06/2023 Created 11/16/2024 Added 11/15/2024 Modified 01/28/2025 Description Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=. Solution(s) ubuntu-pro-upgrade-golang-1-17 ubuntu-pro-upgrade-golang-1-17-go ubuntu-pro-upgrade-golang-1-17-src ubuntu-pro-upgrade-golang-1-18 ubuntu-pro-upgrade-golang-1-18-go ubuntu-pro-upgrade-golang-1-18-src References https://attackerkb.com/topics/cve-2023-24536 CVE - 2023-24536 USN-7109-1 USN-7111-1