ISHACK AI BOT

SUSE: CVE-2023-24998: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 02/20/2023 Created 03/13/2023 Added 03/13/2023 Modified 01/28/2025 Description Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. Solution(s) suse-upgrade-apache-commons-fileupload suse-upgrade-apache-commons-fileupload-javadoc suse-upgrade-jakarta-commons-fileupload suse-upgrade-jakarta-commons-fileupload-javadoc suse-upgrade-tomcat suse-upgrade-tomcat-admin-webapps suse-upgrade-tomcat-docs-webapp suse-upgrade-tomcat-el-3_0-api suse-upgrade-tomcat-embed suse-upgrade-tomcat-javadoc suse-upgrade-tomcat-jsp-2_3-api suse-upgrade-tomcat-jsvc suse-upgrade-tomcat-lib suse-upgrade-tomcat-servlet-3_1-api suse-upgrade-tomcat-servlet-4_0-api suse-upgrade-tomcat-webapps References https://attackerkb.com/topics/cve-2023-24998 CVE - 2023-24998

Red Hat: CVE-2023-25744: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8 (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 02/22/2023 Added 02/22/2023 Modified 01/28/2025 Description Mmemory safety bugs present in Firefox 109 and Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 110 and Firefox ESR < 102.8. Solution(s) redhat-upgrade-firefox redhat-upgrade-firefox-debuginfo redhat-upgrade-firefox-debugsource redhat-upgrade-firefox-x11 redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2023-25744 RHSA-2023:0805 RHSA-2023:0807 RHSA-2023:0808 RHSA-2023:0809 RHSA-2023:0810 RHSA-2023:0812 RHSA-2023:0817 RHSA-2023:0820 RHSA-2023:0821 RHSA-2023:0822 RHSA-2023:0823 RHSA-2023:0824 View more

Red Hat: CVE-2023-25743: CVE-2023-25743 Mozilla: Fullscreen notification not shown in Firefox Focus (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 02/20/2023 Created 02/22/2023 Added 02/22/2023 Modified 01/28/2025 Description A lack of in app notification for entering fullscreen mode could have lead to a malicious website spoofing browser chrome.<br>*This bug only affects Firefox Focus. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 110 and Firefox ESR < 102.8. Solution(s) redhat-upgrade-firefox redhat-upgrade-firefox-debuginfo redhat-upgrade-firefox-debugsource redhat-upgrade-firefox-x11 redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2023-25743 RHSA-2023:0805 RHSA-2023:0807 RHSA-2023:0808 RHSA-2023:0809 RHSA-2023:0810 RHSA-2023:0812 RHSA-2023:0817 RHSA-2023:0820 RHSA-2023:0821 RHSA-2023:0822 RHSA-2023:0823 RHSA-2023:0824 View more

Red Hat: CVE-2023-25732: Out of bounds memory write from EncodeInputStream (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 02/22/2023 Added 02/22/2023 Modified 01/28/2025 Description When encoding data from an <code>inputStream</code> in <code>xpcom</code> the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) redhat-upgrade-firefox redhat-upgrade-firefox-debuginfo redhat-upgrade-firefox-debugsource redhat-upgrade-firefox-x11 redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2023-25732 RHSA-2023:0805 RHSA-2023:0807 RHSA-2023:0808 RHSA-2023:0809 RHSA-2023:0810 RHSA-2023:0812 RHSA-2023:0817 RHSA-2023:0820 RHSA-2023:0821 RHSA-2023:0822 RHSA-2023:0823 RHSA-2023:0824 View more

Red Hat: CVE-2023-0616: CVE-2023-0616 Mozilla: User Interface lockup with messages combining S/MIME and OpenPGP (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 02/20/2023 Created 02/22/2023 Added 02/22/2023 Modified 01/30/2025 Description If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderbird repeatedly attempts to process and display the message, which could cause Thunderbird's user interface to lock up and no longer respond to the user's actions. An attacker could send a crafted message with this structure to attempt a DoS attack. This vulnerability affects Thunderbird < 102.8. Solution(s) redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2023-0616 RHSA-2023:0817 RHSA-2023:0820 RHSA-2023:0821 RHSA-2023:0822 RHSA-2023:0823 RHSA-2023:0824 View more

Red Hat: CVE-2023-25728: CVE-2023-25728 Mozilla: Content security policy leak in violation reports using iframes (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 02/20/2023 Created 02/22/2023 Added 02/22/2023 Modified 01/30/2025 Description The <code>Content-Security-Policy-Report-Only</code> header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) redhat-upgrade-firefox redhat-upgrade-firefox-debuginfo redhat-upgrade-firefox-debugsource redhat-upgrade-firefox-x11 redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2023-25728 RHSA-2023:0805 RHSA-2023:0807 RHSA-2023:0808 RHSA-2023:0809 RHSA-2023:0810 RHSA-2023:0812 RHSA-2023:0817 RHSA-2023:0820 RHSA-2023:0821 RHSA-2023:0822 RHSA-2023:0823 RHSA-2023:0824 View more

Debian: CVE-2022-48339: emacs -- security update Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 02/28/2023 Added 02/27/2023 Modified 01/28/2025 Description An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. Solution(s) debian-upgrade-emacs References https://attackerkb.com/topics/cve-2022-48339 CVE - 2022-48339 DSA-5360 DSA-5360-1

Debian: CVE-2022-48338: emacs -- security update Severity 7 CVSS (AV:L/AC:M/Au:S/C:C/I:C/A:C) Published 02/20/2023 Created 02/28/2023 Added 02/27/2023 Modified 01/28/2025 Description An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed. Solution(s) debian-upgrade-emacs References https://attackerkb.com/topics/cve-2022-48338 CVE - 2022-48338 DSA-5360 DSA-5360-1

Debian: CVE-2022-48337: emacs -- security update Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 02/28/2023 Added 02/27/2023 Modified 01/30/2025 Description GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. Solution(s) debian-upgrade-emacs References https://attackerkb.com/topics/cve-2022-48337 CVE - 2022-48337 DSA-5360 DSA-5360-1

Oracle Linux: CVE-2021-32142: ELSA-2024-0343:LibRaw security update (MODERATE) (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:N/C:P/I:P/A:P) Published 02/17/2023 Created 01/26/2024 Added 01/24/2024 Modified 01/07/2025 Description Buffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp. A flaw was found in the LibRaw package. A stack buffer overflow in the LibRaw_buffer_datastream::gets() function in src/libraw_datastream.cpp caused by a maliciously crafted file may result in compromised confidentiality and integrity and an application crash. Solution(s) oracle-linux-upgrade-libraw oracle-linux-upgrade-libraw-devel oracle-linux-upgrade-libraw-static References https://attackerkb.com/topics/cve-2021-32142 CVE - 2021-32142 ELSA-2024-0343 ELSA-2023-6343 ELSA-2024-2994

SUSE: CVE-2023-25739: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/20/2023 Created 02/22/2023 Added 02/21/2023 Modified 01/28/2025 Description Module load requests that failed were not being checked as to whether or not they were cancelled causing a use-after-free in <code>ScriptLoadContext</code>. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other References https://attackerkb.com/topics/cve-2023-25739 CVE - 2023-25739

SUSE: CVE-2023-25730: SUSE Linux Security Advisory Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 02/20/2023 Created 02/22/2023 Added 02/21/2023 Modified 01/28/2025 Description A background script invoking <code>requestFullscreen</code> and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other References https://attackerkb.com/topics/cve-2023-25730 CVE - 2023-25730

Amazon Linux AMI: CVE-2023-24329: Security patch for python38 ((Multiple Advisories)) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 02/17/2023 Created 05/05/2023 Added 04/06/2023 Modified 01/28/2025 Description An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. Solution(s) amazon-linux-upgrade-python27 amazon-linux-upgrade-python38 References ALAS-2023-1714 CVE-2023-24329

VMware Photon OS: CVE-2023-24329 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 02/17/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-24329 CVE - 2023-24329

Amazon Linux AMI: CVE-2023-21963: Security patch for mysql57 (ALAS-2023-1686) Severity 3 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:P) Published 02/17/2023 Created 06/09/2023 Added 06/08/2023 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection Handling).Supported versions that are affected are 5.7.40 and prior and8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L). Solution(s) amazon-linux-upgrade-mysql57 References ALAS-2023-1686 CVE-2023-21963

Debian: CVE-2023-25735: firefox-esr, thunderbird -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/17/2023 Created 02/18/2023 Added 02/17/2023 Modified 01/28/2025 Description Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free after unwrapping the proxy. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-25735 CVE - 2023-25735 DLA-3319-1 DSA-5350-1

Debian: CVE-2023-25739: firefox-esr, thunderbird -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/17/2023 Created 02/18/2023 Added 02/17/2023 Modified 01/28/2025 Description Module load requests that failed were not being checked as to whether or not they were cancelled causing a use-after-free in <code>ScriptLoadContext</code>. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-25739 CVE - 2023-25739 DLA-3319-1 DSA-5350-1

Debian: CVE-2023-25746: firefox-esr, thunderbird -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/17/2023 Created 02/18/2023 Added 02/17/2023 Modified 01/28/2025 Description Memory safety bugs present in Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.8 and Firefox ESR < 102.8. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-25746 CVE - 2023-25746 DLA-3319-1 DSA-5350-1

Debian: CVE-2023-25732: firefox-esr, thunderbird -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/17/2023 Created 02/18/2023 Added 02/17/2023 Modified 01/28/2025 Description When encoding data from an <code>inputStream</code> in <code>xpcom</code> the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-25732 CVE - 2023-25732 DLA-3319-1 DSA-5350-1

Debian: CVE-2023-25737: firefox-esr, thunderbird -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/17/2023 Created 02/18/2023 Added 02/17/2023 Modified 01/28/2025 Description An invalid downcast from <code>nsTextNode</code> to <code>SVGElement</code> could have lead to undefined behavior. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-25737 CVE - 2023-25737 DLA-3319-1 DSA-5350-1

Debian: CVE-2023-25742: firefox-esr, thunderbird -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 02/17/2023 Created 02/18/2023 Added 02/17/2023 Modified 01/28/2025 Description When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-25742 CVE - 2023-25742 DLA-3319-1 DSA-5350-1

Debian: CVE-2023-25730: firefox-esr, thunderbird -- security update Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 02/17/2023 Created 02/18/2023 Added 02/17/2023 Modified 01/28/2025 Description A background script invoking <code>requestFullscreen</code> and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-25730 CVE - 2023-25730 DLA-3319-1 DSA-5350-1

Debian: CVE-2023-25729: firefox-esr, thunderbird -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/17/2023 Created 02/18/2023 Added 02/17/2023 Modified 01/28/2025 Description Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to open them without user interaction via <code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-25729 CVE - 2023-25729 DLA-3319-1 DSA-5350-1

Debian: CVE-2023-0767: firefox-esr, nss, thunderbird -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/17/2023 Created 02/18/2023 Added 02/17/2023 Modified 01/28/2025 Description An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. Solution(s) debian-upgrade-firefox-esr debian-upgrade-nss debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-0767 CVE - 2023-0767 DLA-3319-1 DSA-5350-1

F5 Networks: CVE-2023-24329: K000135921: Python urllib.parse vulnerability CVE-2023-24329 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 02/17/2023 Created 12/15/2023 Added 12/14/2023 Modified 01/28/2025 Description An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. Solution(s) f5-big-ip-upgrade-latest References https://attackerkb.com/topics/cve-2023-24329 CVE - 2023-24329 https://my.f5.com/manage/s/article/K000135921