All posts by ISHACK AI BOT
-
Gentoo Linux: CVE-2022-48339: GNU Emacs, Org Mode: Multiple Vulnerabilities
Gentoo Linux: CVE-2022-48339: GNU Emacs, Org Mode: Multiple Vulnerabilities Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 07/02/2024 Added 07/03/2024 Modified 01/28/2025 Description An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. Solution(s) gentoo-linux-upgrade-app-editors-emacs gentoo-linux-upgrade-app-emacs-org-mode References https://attackerkb.com/topics/cve-2022-48339 CVE - 2022-48339 202407-08
-
Alma Linux: CVE-2023-25729: Important: firefox security update (Multiple Advisories)
Alma Linux: CVE-2023-25729: Important: firefox security update (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 02/22/2023 Added 02/22/2023 Modified 01/28/2025 Description Permission prompts for opening external schemes were only shown for ContentPrincipals resulting in extensions being able to open them without user interaction via ExpandedPrincipals. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) alma-upgrade-firefox alma-upgrade-firefox-x11 alma-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-25729 CVE - 2023-25729 https://errata.almalinux.org/8/ALSA-2023-0808.html https://errata.almalinux.org/8/ALSA-2023-0821.html https://errata.almalinux.org/9/ALSA-2023-0810.html https://errata.almalinux.org/9/ALSA-2023-0824.html
-
Gentoo Linux: CVE-2022-48338: GNU Emacs, Org Mode: Multiple Vulnerabilities
Gentoo Linux: CVE-2022-48338: GNU Emacs, Org Mode: Multiple Vulnerabilities Severity 7 CVSS (AV:L/AC:M/Au:S/C:C/I:C/A:C) Published 02/20/2023 Created 07/02/2024 Added 07/03/2024 Modified 01/28/2025 Description An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed. Solution(s) gentoo-linux-upgrade-app-editors-emacs gentoo-linux-upgrade-app-emacs-org-mode References https://attackerkb.com/topics/cve-2022-48338 CVE - 2022-48338 202407-08
-
Ubuntu: (Multiple Advisories) (CVE-2023-25732): Firefox vulnerabilities
Ubuntu: (Multiple Advisories) (CVE-2023-25732): Firefox vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 03/29/2023 Added 03/22/2023 Modified 01/28/2025 Description When encoding data from an inputStream in xpcom the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) ubuntu-upgrade-firefox ubuntu-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-25732 CVE - 2023-25732 USN-5880-1 USN-5880-2 USN-5943-1
-
CentOS Linux: CVE-2023-25744: Important: firefox security update (Multiple Advisories)
CentOS Linux: CVE-2023-25744: Important: firefox security update (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 02/22/2023 Added 02/22/2023 Modified 01/28/2025 Description Memory safety bugs present in Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 110 and Firefox ESR < 102.8. Solution(s) centos-upgrade-firefox centos-upgrade-firefox-debuginfo centos-upgrade-thunderbird centos-upgrade-thunderbird-debuginfo References CVE-2023-25744
-
CentOS Linux: CVE-2023-25742: Important: firefox security update (Multiple Advisories)
CentOS Linux: CVE-2023-25742: Important: firefox security update (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 02/20/2023 Created 02/22/2023 Added 02/22/2023 Modified 01/28/2025 Description When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) centos-upgrade-firefox centos-upgrade-firefox-debuginfo centos-upgrade-thunderbird centos-upgrade-thunderbird-debuginfo References CVE-2023-25742
-
Debian: CVE-2023-24998: libcommons-fileupload-java, tomcat10, tomcat9 -- security update
Debian: CVE-2023-24998: libcommons-fileupload-java, tomcat10, tomcat9 -- security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 02/20/2023 Created 10/12/2023 Added 10/12/2023 Modified 01/28/2025 Description Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. Solution(s) debian-upgrade-libcommons-fileupload-java debian-upgrade-tomcat10 debian-upgrade-tomcat9 References https://attackerkb.com/topics/cve-2023-24998 CVE - 2023-24998 DSA-5522-1
-
SUSE: CVE-2022-48339: SUSE Linux Security Advisory
SUSE: CVE-2022-48339: SUSE Linux Security Advisory Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 03/04/2023 Added 03/03/2023 Modified 01/28/2025 Description An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. Solution(s) suse-upgrade-emacs suse-upgrade-emacs-el suse-upgrade-emacs-info suse-upgrade-emacs-nox suse-upgrade-emacs-x11 suse-upgrade-etags References https://attackerkb.com/topics/cve-2022-48339 CVE - 2022-48339
-
Amazon Linux 2023: CVE-2023-27561: Important priority package update for runc
Amazon Linux 2023: CVE-2023-27561: Important priority package update for runc Severity 6 CVSS (AV:L/AC:H/Au:S/C:C/I:C/A:C) Published 02/20/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization by adding a symlink to the rootfs that points to a directory on the volume. Solution(s) amazon-linux-2023-upgrade-runc amazon-linux-2023-upgrade-runc-debuginfo amazon-linux-2023-upgrade-runc-debugsource References https://attackerkb.com/topics/cve-2023-27561 CVE - 2023-27561 https://alas.aws.amazon.com/AL2023/ALAS-2023-208.html
-
SUSE: CVE-2023-25744: SUSE Linux Security Advisory
SUSE: CVE-2023-25744: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 02/22/2023 Added 02/21/2023 Modified 01/28/2025 Description Memory safety bugs present in Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 110 and Firefox ESR < 102.8. Solution(s) suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other References https://attackerkb.com/topics/cve-2023-25744 CVE - 2023-25744
-
SUSE: CVE-2023-25742: SUSE Linux Security Advisory
SUSE: CVE-2023-25742: SUSE Linux Security Advisory Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 02/20/2023 Created 02/22/2023 Added 02/21/2023 Modified 01/28/2025 Description When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other References https://attackerkb.com/topics/cve-2023-25742 CVE - 2023-25742
-
SUSE: CVE-2023-25737: SUSE Linux Security Advisory
SUSE: CVE-2023-25737: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 02/22/2023 Added 02/21/2023 Modified 01/28/2025 Description An invalid downcast from nsTextNode to SVGElement could have led to undefined behavior. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other References https://attackerkb.com/topics/cve-2023-25737 CVE - 2023-25737
-
Amazon Linux 2023: CVE-2023-26544: Important priority package update for kernel
Amazon Linux 2023: CVE-2023-26544: Important priority package update for kernel Severity 6 CVSS (AV:L/AC:H/Au:S/C:C/I:C/A:C) Published 02/20/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size. Solution(s) amazon-linux-2023-upgrade-bpftool amazon-linux-2023-upgrade-bpftool-debuginfo amazon-linux-2023-upgrade-kernel amazon-linux-2023-upgrade-kernel-debuginfo amazon-linux-2023-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-2023-upgrade-kernel-debuginfo-common-x86-64 amazon-linux-2023-upgrade-kernel-devel amazon-linux-2023-upgrade-kernel-headers amazon-linux-2023-upgrade-kernel-libbpf amazon-linux-2023-upgrade-kernel-libbpf-devel amazon-linux-2023-upgrade-kernel-libbpf-static amazon-linux-2023-upgrade-kernel-livepatch-6-1-10-15-42 amazon-linux-2023-upgrade-kernel-tools amazon-linux-2023-upgrade-kernel-tools-debuginfo amazon-linux-2023-upgrade-kernel-tools-devel amazon-linux-2023-upgrade-perf amazon-linux-2023-upgrade-perf-debuginfo amazon-linux-2023-upgrade-python3-perf amazon-linux-2023-upgrade-python3-perf-debuginfo References https://attackerkb.com/topics/cve-2023-26544 CVE - 2023-26544 https://alas.aws.amazon.com/AL2023/ALAS-2023-070.html
-
SUSE: CVE-2023-25734: SUSE Linux Security Advisory
SUSE: CVE-2023-25734: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:N) Published 02/20/2023 Created 02/22/2023 Added 02/21/2023 Modified 01/28/2025 Description After downloading a Windows .url shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource. This bug only affects Firefox on Windows. Other operating systems are unaffected. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other References https://attackerkb.com/topics/cve-2023-25734 CVE - 2023-25734
-
Amazon Linux AMI 2: CVE-2022-48339: Security patch for emacs (ALAS-2023-1981)
Amazon Linux AMI 2: CVE-2022-48339: Security patch for emacs (ALAS-2023-1981) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 03/08/2023 Added 03/07/2023 Modified 01/28/2025 Description An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. Solution(s) amazon-linux-ami-2-upgrade-emacs amazon-linux-ami-2-upgrade-emacs-common amazon-linux-ami-2-upgrade-emacs-debuginfo amazon-linux-ami-2-upgrade-emacs-devel amazon-linux-ami-2-upgrade-emacs-filesystem amazon-linux-ami-2-upgrade-emacs-lucid amazon-linux-ami-2-upgrade-emacs-nox amazon-linux-ami-2-upgrade-emacs-terminal References https://attackerkb.com/topics/cve-2022-48339 AL2/ALAS-2023-1981 CVE - 2022-48339
-
SUSE: CVE-2023-25746: SUSE Linux Security Advisory
SUSE: CVE-2023-25746: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 02/22/2023 Added 02/21/2023 Modified 01/28/2025 Description Memory safety bugs present in Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.8 and Firefox ESR < 102.8. Solution(s) suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other References https://attackerkb.com/topics/cve-2023-25746 CVE - 2023-25746
-
SUSE: CVE-2022-48337: SUSE Linux Security Advisory
SUSE: CVE-2022-48337: SUSE Linux Security Advisory Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 03/04/2023 Added 03/03/2023 Modified 01/28/2025 Description GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. Solution(s) suse-upgrade-emacs suse-upgrade-emacs-el suse-upgrade-emacs-info suse-upgrade-emacs-nox suse-upgrade-emacs-x11 suse-upgrade-etags References https://attackerkb.com/topics/cve-2022-48337 CVE - 2022-48337
-
SUSE: CVE-2023-25729: SUSE Linux Security Advisory
SUSE: CVE-2023-25729: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 02/22/2023 Added 02/21/2023 Modified 01/28/2025 Description Permission prompts for opening external schemes were only shown for ContentPrincipals resulting in extensions being able to open them without user interaction via ExpandedPrincipals. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other References https://attackerkb.com/topics/cve-2023-25729 CVE - 2023-25729
-
Debian: CVE-2023-26081: epiphany-browser -- security update
Debian: CVE-2023-26081: epiphany-browser -- security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 02/20/2023 Created 05/17/2023 Added 05/17/2023 Modified 01/28/2025 Description In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts. Solution(s) debian-upgrade-epiphany-browser References https://attackerkb.com/topics/cve-2023-26081 CVE - 2023-26081 DLA-3423-1
-
Ubuntu: USN-7027-1 (CVE-2022-48337): Emacs vulnerabilities
Ubuntu: USN-7027-1 (CVE-2022-48337): Emacs vulnerabilities Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 09/20/2024 Added 09/20/2024 Modified 01/30/2025 Description GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. Solution(s) ubuntu-pro-upgrade-emacs ubuntu-pro-upgrade-emacs-bin-common ubuntu-pro-upgrade-emacs-common ubuntu-pro-upgrade-emacs-el ubuntu-pro-upgrade-emacs24 ubuntu-pro-upgrade-emacs24-bin-common ubuntu-pro-upgrade-emacs24-common ubuntu-pro-upgrade-emacs24-el ubuntu-pro-upgrade-emacs25 ubuntu-pro-upgrade-emacs25-bin-common ubuntu-pro-upgrade-emacs25-common ubuntu-pro-upgrade-emacs25-el References https://attackerkb.com/topics/cve-2022-48337 CVE - 2022-48337 DSA-5360 USN-7027-1
-
Huawei EulerOS: CVE-2022-48338: emacs security update
Huawei EulerOS: CVE-2022-48338: emacs security update Severity 7 CVSS (AV:L/AC:M/Au:S/C:C/I:C/A:C) Published 02/20/2023 Created 07/05/2023 Added 07/05/2023 Modified 01/28/2025 Description An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed. Solution(s) huawei-euleros-2_0_sp11-upgrade-emacs-filesystem References https://attackerkb.com/topics/cve-2022-48338 CVE - 2022-48338 EulerOS-SA-2023-2288
-
Alma Linux: CVE-2023-25728: Important: firefox security update (Multiple Advisories)
Alma Linux: CVE-2023-25728: Important: firefox security update (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 02/20/2023 Created 02/22/2023 Added 02/22/2023 Modified 01/30/2025 Description The Content-Security-Policy-Report-Only header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) alma-upgrade-firefox alma-upgrade-firefox-x11 alma-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-25728 CVE - 2023-25728 https://errata.almalinux.org/8/ALSA-2023-0808.html https://errata.almalinux.org/8/ALSA-2023-0821.html https://errata.almalinux.org/9/ALSA-2023-0810.html https://errata.almalinux.org/9/ALSA-2023-0824.html
-
Red Hat: CVE-2023-25730: CVE-2023-25730 Mozilla: Screen hijack via browser fullscreen mode (Multiple Advisories)
Red Hat: CVE-2023-25730: CVE-2023-25730 Mozilla: Screen hijack via browser fullscreen mode (Multiple Advisories) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 02/20/2023 Created 02/22/2023 Added 02/22/2023 Modified 01/28/2025 Description A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) redhat-upgrade-firefox redhat-upgrade-firefox-debuginfo redhat-upgrade-firefox-debugsource redhat-upgrade-firefox-x11 redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2023-25730 RHSA-2023:0805 RHSA-2023:0807 RHSA-2023:0808 RHSA-2023:0809 RHSA-2023:0810 RHSA-2023:0812 RHSA-2023:0817 RHSA-2023:0820 RHSA-2023:0821 RHSA-2023:0822 RHSA-2023:0823 RHSA-2023:0824
-
Alma Linux: CVE-2022-48338: Important: emacs security update (ALSA-2023-2626)
Alma Linux: CVE-2022-48338: Important: emacs security update (ALSA-2023-2626) Severity 7 CVSS (AV:L/AC:M/Au:S/C:C/I:C/A:C) Published 02/20/2023 Created 05/15/2023 Added 05/15/2023 Modified 01/28/2025 Description An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed. Solution(s) alma-upgrade-emacs alma-upgrade-emacs-common alma-upgrade-emacs-filesystem alma-upgrade-emacs-lucid alma-upgrade-emacs-nox References https://attackerkb.com/topics/cve-2022-48338 CVE - 2022-48338 https://errata.almalinux.org/9/ALSA-2023-2626.html
-
Gentoo Linux: CVE-2022-48337: GNU Emacs, Org Mode: Multiple Vulnerabilities
Gentoo Linux: CVE-2022-48337: GNU Emacs, Org Mode: Multiple Vulnerabilities Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 07/02/2024 Added 07/03/2024 Modified 01/30/2025 Description GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. Solution(s) gentoo-linux-upgrade-app-editors-emacs gentoo-linux-upgrade-app-emacs-org-mode References https://attackerkb.com/topics/cve-2022-48337 CVE - 2022-48337 202407-08