All posts by ISHACK AI BOT
-
FreeBSD: VID-D357F6BB-0AF4-4AC9-B096-EEEC183AD829 (CVE-2023-1220): chromium -- multiple vulnerabilities
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 03/24/2023; Added: 03/23/2023; Modified: 01/28/2025
Description: Heap buffer overflow in UMA in Google Chrome prior to 111.0.5563.64 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): freebsd-upgrade-package-chromium freebsd-upgrade-package-ungoogled-chromium
References: CVE-2023-1220
-
FreeBSD: VID-D357F6BB-0AF4-4AC9-B096-EEEC183AD829 (CVE-2023-1216): chromium -- multiple vulnerabilities
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 03/24/2023; Added: 03/23/2023; Modified: 01/28/2025
Description: Use after free in DevTools in Google Chrome prior to 111.0.5563.64 allowed a remote attacker who had convinced the user to engage in direct UI interaction to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): freebsd-upgrade-package-chromium freebsd-upgrade-package-ungoogled-chromium
References: CVE-2023-1216
-
Microsoft Edge Chromium: CVE-2023-1220 Heap buffer overflow in UMA
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 03/15/2023; Added: 03/14/2023; Modified: 01/28/2025
Description: Heap buffer overflow in UMA in Google Chrome prior to 111.0.5563.64 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): microsoft-edge-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-1220 CVE-2023-1220 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1220
-
Microsoft Edge Chromium: CVE-2023-1236 Inappropriate implementation in Internals
Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 03/07/2023; Created: 03/15/2023; Added: 03/14/2023; Modified: 01/28/2025
Description: Inappropriate implementation in Internals in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to spoof the origin of an iframe via a crafted HTML page. (Chromium security severity: Low)
Solution(s): microsoft-edge-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-1236 CVE-2023-1236 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1236
-
Microsoft Edge Chromium: CVE-2023-1217 Stack buffer overflow in Crash reporting
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:C/I:N/A:N)
Published: 03/07/2023; Created: 03/15/2023; Added: 03/14/2023; Modified: 01/28/2025
Description: Stack buffer overflow in Crash reporting in Google Chrome on Windows prior to 111.0.5563.64 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Solution(s): microsoft-edge-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-1217 CVE-2023-1217 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1217
-
Microsoft Edge Chromium: CVE-2023-1218 Use after free in WebRTC
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 03/15/2023; Added: 03/14/2023; Modified: 01/28/2025
Description: Use after free in WebRTC in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): microsoft-edge-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-1218 CVE-2023-1218 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1218
-
Microsoft Edge Chromium: CVE-2023-1219 Heap buffer overflow in Metrics
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 03/15/2023; Added: 03/14/2023; Modified: 01/28/2025
Description: Heap buffer overflow in Metrics in Google Chrome prior to 111.0.5563.64 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): microsoft-edge-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-1219 CVE-2023-1219 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1219
-
Alpine Linux: CVE-2023-1264: NULL Pointer Dereference
Severity: 5
CVSS: (AV:L/AC:M/Au:N/C:N/I:N/A:C)
Published: 03/07/2023; Created: 03/22/2024; Added: 03/26/2024; Modified: 10/02/2024
Description: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.
Solution(s): alpine-linux-upgrade-vim
References: https://attackerkb.com/topics/cve-2023-1264 CVE-2023-1264 https://security.alpinelinux.org/vuln/CVE-2023-1264
-
FreeBSD: VID-D357F6BB-0AF4-4AC9-B096-EEEC183AD829 (CVE-2023-1213): chromium -- multiple vulnerabilities
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 03/24/2023; Added: 03/23/2023; Modified: 01/28/2025
Description: Use after free in Swiftshader in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): freebsd-upgrade-package-chromium freebsd-upgrade-package-ungoogled-chromium
References: CVE-2023-1213
-
Huawei EulerOS: CVE-2023-27522: httpd security update
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:C/A:N)
Published: 03/07/2023; Created: 06/09/2023; Added: 06/09/2023; Modified: 01/28/2025
Description: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.
Solution(s): huawei-euleros-2_0_sp8-upgrade-httpd huawei-euleros-2_0_sp8-upgrade-httpd-devel huawei-euleros-2_0_sp8-upgrade-httpd-filesystem huawei-euleros-2_0_sp8-upgrade-httpd-manual huawei-euleros-2_0_sp8-upgrade-httpd-tools huawei-euleros-2_0_sp8-upgrade-mod_session huawei-euleros-2_0_sp8-upgrade-mod_ssl
References: https://attackerkb.com/topics/cve-2023-27522 CVE-2023-27522 EulerOS-SA-2023-2191
-
FreeBSD: VID-D357F6BB-0AF4-4AC9-B096-EEEC183AD829 (CVE-2023-1232): chromium -- multiple vulnerabilities
Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Published: 03/07/2023; Created: 03/24/2023; Added: 03/23/2023; Modified: 01/28/2025
Description: Insufficient policy enforcement in Resource Timing in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to obtain potentially sensitive information from API via a crafted HTML page. (Chromium security severity: Low)
Solution(s): freebsd-upgrade-package-chromium freebsd-upgrade-package-ungoogled-chromium
References: CVE-2023-1232
-
FreeBSD: VID-D357F6BB-0AF4-4AC9-B096-EEEC183AD829 (CVE-2023-1231): chromium -- multiple vulnerabilities
Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 03/07/2023; Created: 03/24/2023; Added: 03/23/2023; Modified: 01/28/2025
Description: Inappropriate implementation in Autofill in Google Chrome on Android prior to 111.0.5563.64 allowed a remote attacker to potentially spoof the contents of the omnibox via a crafted HTML page. (Chromium security severity: Medium)
Solution(s): freebsd-upgrade-package-chromium freebsd-upgrade-package-ungoogled-chromium
References: CVE-2023-1231
-
Alma Linux: CVE-2023-27522: Moderate: httpd:2.4 security update (Multiple Advisories)
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:C/A:N)
Published: 03/07/2023; Created: 09/13/2023; Added: 09/13/2023; Modified: 01/28/2025
Description: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.
Solution(s): alma-upgrade-httpd alma-upgrade-httpd-core alma-upgrade-httpd-devel alma-upgrade-httpd-filesystem alma-upgrade-httpd-manual alma-upgrade-httpd-tools alma-upgrade-mod_http2 alma-upgrade-mod_ldap alma-upgrade-mod_lua alma-upgrade-mod_md alma-upgrade-mod_proxy_html alma-upgrade-mod_session alma-upgrade-mod_ssl
References: https://attackerkb.com/topics/cve-2023-27522 CVE-2023-27522 https://errata.almalinux.org/8/ALSA-2023-5050.html https://errata.almalinux.org/9/ALSA-2023-6403.html
-
SUSE: CVE-2023-1214: SUSE Linux Security Advisory
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 03/15/2023; Added: 03/14/2023; Modified: 01/28/2025
Description: Type confusion in V8 in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera
References: https://attackerkb.com/topics/cve-2023-1214 CVE-2023-1214
-
FreeBSD: VID-D357F6BB-0AF4-4AC9-B096-EEEC183AD829 (CVE-2023-1215): chromium -- multiple vulnerabilities
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 03/24/2023; Added: 03/23/2023; Modified: 01/28/2025
Description: Type confusion in CSS in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): freebsd-upgrade-package-chromium freebsd-upgrade-package-ungoogled-chromium
References: CVE-2023-1215
-
Gentoo Linux: CVE-2023-25690: Apache HTTPD: Multiple Vulnerabilities
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 09/11/2023; Added: 09/11/2023; Modified: 01/30/2025
Description: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:
    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
    ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
Solution(s): gentoo-linux-upgrade-www-servers-apache
References: https://attackerkb.com/topics/cve-2023-25690 CVE-2023-25690 202309-01
-
Gentoo Linux: CVE-2023-27522: Apache HTTPD: Multiple Vulnerabilities
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:C/A:N)
Published: 03/07/2023; Created: 09/11/2023; Added: 09/11/2023; Modified: 01/28/2025
Description: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.
Solution(s): gentoo-linux-upgrade-www-servers-apache
References: https://attackerkb.com/topics/cve-2023-27522 CVE-2023-27522 202309-01
-
Huawei EulerOS: CVE-2023-1264: vim security update
Severity: 5
CVSS: (AV:L/AC:M/Au:N/C:N/I:N/A:C)
Published: 03/07/2023; Created: 05/10/2023; Added: 05/10/2023; Modified: 01/28/2025
Description: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.
Solution(s): huawei-euleros-2_0_sp9-upgrade-vim-common huawei-euleros-2_0_sp9-upgrade-vim-enhanced huawei-euleros-2_0_sp9-upgrade-vim-filesystem huawei-euleros-2_0_sp9-upgrade-vim-minimal
References: https://attackerkb.com/topics/cve-2023-1264 CVE-2023-1264 EulerOS-SA-2023-1883
-
Ubuntu: USN-5949-1 (CVE-2023-1235): Chromium vulnerabilities
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published: 03/07/2023; Created: 03/29/2023; Added: 03/22/2023; Modified: 01/28/2025
Description: Type confusion in DevTools in Google Chrome prior to 111.0.5563.64 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted UI interaction. (Chromium security severity: Low)
Solution(s): ubuntu-upgrade-chromium-browser
References: https://attackerkb.com/topics/cve-2023-1235 CVE-2023-1235 USN-5949-1
-
Amazon Linux AMI 2: CVE-2023-25737: Security patch for firefox, thunderbird (Multiple Advisories)
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 03/08/2023; Added: 03/07/2023; Modified: 01/28/2025
Description: An invalid downcast from nsTextNode to SVGElement could have led to undefined behavior. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
Solution(s): amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo amazon-linux-ami-2-upgrade-thunderbird amazon-linux-ami-2-upgrade-thunderbird-debuginfo
References: https://attackerkb.com/topics/cve-2023-25737 AL2/ALAS-2023-1983 AL2/ALASFIREFOX-2023-007 CVE-2023-25737
-
Amazon Linux AMI 2: CVE-2023-25742: Security patch for firefox, thunderbird (Multiple Advisories)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 03/07/2023; Created: 03/08/2023; Added: 03/07/2023; Modified: 01/28/2025
Description: When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
Solution(s): amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo amazon-linux-ami-2-upgrade-thunderbird amazon-linux-ami-2-upgrade-thunderbird-debuginfo
References: https://attackerkb.com/topics/cve-2023-25742 AL2/ALAS-2023-1983 AL2/ALASFIREFOX-2023-007 CVE-2023-25742
-
Amazon Linux AMI 2: CVE-2023-25734: Security patch for firefox, thunderbird (Multiple Advisories)
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:N)
Published: 03/07/2023; Created: 03/08/2023; Added: 03/07/2023; Modified: 01/28/2025
Description: After downloading a Windows .url shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource. This bug only affects Firefox on Windows. Other operating systems are unaffected. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
Solution(s): amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo amazon-linux-ami-2-upgrade-thunderbird amazon-linux-ami-2-upgrade-thunderbird-debuginfo
References: https://attackerkb.com/topics/cve-2023-25734 AL2/ALAS-2023-1983 AL2/ALASFIREFOX-2023-007 CVE-2023-25734
-
Amazon Linux AMI 2: CVE-2023-25732: Security patch for firefox, thunderbird (Multiple Advisories)
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 03/08/2023; Added: 03/07/2023; Modified: 01/28/2025
Description: When encoding data from an inputStream in xpcom the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
Solution(s): amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo amazon-linux-ami-2-upgrade-thunderbird amazon-linux-ami-2-upgrade-thunderbird-debuginfo
References: https://attackerkb.com/topics/cve-2023-25732 AL2/ALAS-2023-1983 AL2/ALASFIREFOX-2023-007 CVE-2023-25732
-
SUSE: CVE-2023-25690: SUSE Linux Security Advisory
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 03/22/2023; Added: 03/20/2023; Modified: 01/28/2025
Description: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:
    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
    ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
Solution(s): suse-upgrade-apache2 suse-upgrade-apache2-devel suse-upgrade-apache2-doc suse-upgrade-apache2-event suse-upgrade-apache2-example-pages suse-upgrade-apache2-prefork suse-upgrade-apache2-utils suse-upgrade-apache2-worker
References: https://attackerkb.com/topics/cve-2023-25690 CVE-2023-25690
-
Amazon Linux AMI 2: CVE-2023-25731: Security patch for firefox, thunderbird (Multiple Advisories)
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 03/07/2023; Created: 03/08/2023; Added: 03/07/2023; Modified: 01/28/2025
Description: Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code. This vulnerability affects Firefox < 110.
Solution(s): amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo amazon-linux-ami-2-upgrade-thunderbird amazon-linux-ami-2-upgrade-thunderbird-debuginfo
References: https://attackerkb.com/topics/cve-2023-25731 AL2/ALAS-2023-1983 AL2/ALASFIREFOX-2023-007 CVE-2023-25731