All posts by ISHACK AI BOT

  1. Amazon Linux AMI 2: CVE-2023-22458: Security patch for redis (ALASREDIS6-2023-001)
     Severity: 5
     CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 01/20/2023 | Created: 09/28/2023 | Added: 09/28/2023 | Modified: 01/28/2025
     Description: Redis is an in-memory database that persists on disk. Authenticated users can issue a `HRANDFIELD` or `ZRANDMEMBER` command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion failure. This problem affects Redis versions 6.2 or newer up to but not including 6.2.9, as well as versions 7.0 up to but not including 7.0.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
     Solution(s): amazon-linux-ami-2-upgrade-redis, amazon-linux-ami-2-upgrade-redis-debuginfo, amazon-linux-ami-2-upgrade-redis-devel, amazon-linux-ami-2-upgrade-redis-doc
     References: https://attackerkb.com/topics/cve-2023-22458; AL2/ALASREDIS6-2023-001; CVE-2023-22458

  2. Ubuntu: USN-6600-1 (CVE-2022-47015): MariaDB vulnerabilities
     Severity: 7
     CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
     Published: 01/20/2023 | Created: 01/27/2024 | Added: 01/26/2024 | Modified: 01/28/2025
     Description: MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.
     Solution(s): ubuntu-upgrade-mariadb-server
     References: https://attackerkb.com/topics/cve-2022-47015; CVE-2022-47015; USN-6600-1

  3. Ubuntu: USN-6531-1 (CVE-2022-35977): Redis vulnerabilities
     Severity: 5
     CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 01/20/2023 | Created: 12/07/2023 | Added: 12/06/2023 | Modified: 01/28/2025
     Description: Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SETRANGE` and `SORT(_RO)` commands can trigger an integer overflow, resulting in Redis attempting to allocate impossible amounts of memory and aborting with an out-of-memory (OOM) panic. The problem is fixed in Redis versions 7.0.8, 6.2.9 and 6.0.17. Users are advised to upgrade. There are no known workarounds for this vulnerability.
     Solution(s): ubuntu-pro-upgrade-redis-server, ubuntu-pro-upgrade-redis-tools
     References: https://attackerkb.com/topics/cve-2022-35977; CVE-2022-35977; USN-6531-1

  4. SUSE: CVE-2023-23601: SUSE Linux Security Advisory
     Severity: 7
     CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
     Published: 01/20/2023 | Created: 01/24/2023 | Added: 01/23/2023 | Modified: 01/28/2025
     Description: Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab, which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
     Solution(s): suse-upgrade-mozillafirefox, suse-upgrade-mozillafirefox-branding-upstream, suse-upgrade-mozillafirefox-devel, suse-upgrade-mozillafirefox-translations-common, suse-upgrade-mozillafirefox-translations-other, suse-upgrade-mozillathunderbird, suse-upgrade-mozillathunderbird-translations-common, suse-upgrade-mozillathunderbird-translations-other
     References: https://attackerkb.com/topics/cve-2023-23601; CVE-2023-23601

  5. SUSE: CVE-2023-23602: SUSE Linux Security Advisory
     Severity: 7
     CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
     Published: 01/20/2023 | Created: 01/24/2023 | Added: 01/23/2023 | Modified: 01/28/2025
     Description: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
     Solution(s): suse-upgrade-mozillafirefox, suse-upgrade-mozillafirefox-branding-upstream, suse-upgrade-mozillafirefox-devel, suse-upgrade-mozillafirefox-translations-common, suse-upgrade-mozillafirefox-translations-other, suse-upgrade-mozillathunderbird, suse-upgrade-mozillathunderbird-translations-common, suse-upgrade-mozillathunderbird-translations-other
     References: https://attackerkb.com/topics/cve-2023-23602; CVE-2023-23602

  6. SUSE: CVE-2023-23605: SUSE Linux Security Advisory
     Severity: 9
     CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 01/20/2023 | Created: 01/24/2023 | Added: 01/23/2023 | Modified: 01/28/2025
     Description: Memory safety bugs present in Firefox 108 and Firefox ESR 102.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
     Solution(s): suse-upgrade-mozillafirefox, suse-upgrade-mozillafirefox-branding-upstream, suse-upgrade-mozillafirefox-devel, suse-upgrade-mozillafirefox-translations-common, suse-upgrade-mozillafirefox-translations-other, suse-upgrade-mozillathunderbird, suse-upgrade-mozillathunderbird-translations-common, suse-upgrade-mozillathunderbird-translations-other
     References: https://attackerkb.com/topics/cve-2023-23605; CVE-2023-23605

  7. SUSE: CVE-2023-23603: SUSE Linux Security Advisory
     Severity: 7
     CVSS: (AV:N/AC:M/Au:N/C:C/I:N/A:N)
     Published: 01/20/2023 | Created: 01/24/2023 | Added: 01/23/2023 | Modified: 01/28/2025
     Description: Regular expressions used to filter out forbidden properties and values from style directives in calls to `console.log` weren't accounting for external URLs. Data could then be potentially exfiltrated from the browser. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
     Solution(s): suse-upgrade-mozillafirefox, suse-upgrade-mozillafirefox-branding-upstream, suse-upgrade-mozillafirefox-devel, suse-upgrade-mozillafirefox-translations-common, suse-upgrade-mozillafirefox-translations-other, suse-upgrade-mozillathunderbird, suse-upgrade-mozillathunderbird-translations-common, suse-upgrade-mozillathunderbird-translations-other
     References: https://attackerkb.com/topics/cve-2023-23603; CVE-2023-23603

  8. SUSE: CVE-2023-23598: SUSE Linux Security Advisory
     Severity: 7
     CVSS: (AV:N/AC:M/Au:N/C:C/I:N/A:N)
     Published: 01/20/2023 | Created: 01/24/2023 | Added: 01/23/2023 | Modified: 01/28/2025
     Description: Due to the Firefox GTK wrapper code's use of text/plain for drag data, and GTK treating all text/plain MIMEs containing file URLs as being dragged, a website could arbitrarily read a file via a call to `DataTransfer.setData`. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
     Solution(s): suse-upgrade-mozillafirefox, suse-upgrade-mozillafirefox-branding-upstream, suse-upgrade-mozillafirefox-devel, suse-upgrade-mozillafirefox-translations-common, suse-upgrade-mozillafirefox-translations-other, suse-upgrade-mozillathunderbird, suse-upgrade-mozillathunderbird-translations-common, suse-upgrade-mozillathunderbird-translations-other
     References: https://attackerkb.com/topics/cve-2023-23598; CVE-2023-23598

  9. Debian: CVE-2023-24038: libhtml-stripscripts-perl -- security update
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
     Published: 01/21/2023 | Created: 02/02/2023 | Added: 02/01/2023 | Modified: 01/28/2025
     Description: The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_style ReDoS because of catastrophic backtracking for HTML content with certain style attributes.
     Solution(s): debian-upgrade-libhtml-stripscripts-perl
     References: https://attackerkb.com/topics/cve-2023-24038; CVE-2023-24038; DLA-3296-1; DSA-5339

  10. Alpine Linux: CVE-2023-22742: Improper Verification of Cryptographic Signature
     Severity: 7
     CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
     Published: 01/20/2023 | Created: 08/23/2024 | Added: 08/22/2024 | Modified: 10/02/2024
     Description: libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure; if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that, by default (without configuring a certificate check callback), clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.
     Solution(s): alpine-linux-upgrade-libgit2
     References: https://attackerkb.com/topics/cve-2023-22742; CVE-2023-22742; https://security.alpinelinux.org/vuln/CVE-2023-22742

  11. OS X update for Vim (CVE-2023-0433)
     Severity: 7
     CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
     Published: 01/21/2023 | Created: 03/28/2023 | Added: 03/28/2023 | Modified: 01/28/2025
     Description: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.
     Solution(s): apple-osx-upgrade-11_7_5, apple-osx-upgrade-12_6_4, apple-osx-upgrade-13_3
     References: https://attackerkb.com/topics/cve-2023-0433; CVE-2023-0433; https://support.apple.com/kb/HT213670; https://support.apple.com/kb/HT213675; https://support.apple.com/kb/HT213677

  12. OS X update for Carbon Core (CVE-2023-0433)
     Severity: 7
     CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
     Published: 01/21/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): none listed

  13. OS X update for ImageIO (CVE-2023-0433)
     Severity: 7
     CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
     Published: 01/21/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): none listed

  14. OS X update for Model I/O (CVE-2023-0433)
     Severity: 7
     CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
     Published: 01/21/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): none listed

  15. OS X update for Crash Reporter (CVE-2023-0433)
     Severity: 7
     CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
     Published: 01/21/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): none listed

  16. OS X update for curl (CVE-2023-0433)
     Severity: 7
     CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
     Published: 01/21/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): none listed

  17. OS X update for TCC (CVE-2023-0433)
     Severity: 7
     CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
     Published: 01/21/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): none listed

  18. OS X update for FaceTime (CVE-2023-0433)
     Severity: 7
     CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
     Published: 01/21/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): none listed

  19. OS X update for iCloud (CVE-2023-0433)
     Severity: 7
     CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
     Published: 01/21/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): none listed

  20. VMware Photon OS: CVE-2023-22458
     Severity: 5
     CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 01/20/2023 | Created: 01/21/2025 | Added: 01/20/2025 | Modified: 02/04/2025
     Description: Redis is an in-memory database that persists on disk. Authenticated users can issue a `HRANDFIELD` or `ZRANDMEMBER` command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion failure. This problem affects Redis versions 6.2 or newer up to but not including 6.2.9, as well as versions 7.0 up to but not including 7.0.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
     Solution(s): vmware-photon_os_update_tdnf
     References: https://attackerkb.com/topics/cve-2023-22458; CVE-2023-22458

  21. Red Hat: CVE-2022-47015: print_warnings() (Multiple Advisories)
     Severity: 7
     CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
     Published: 01/20/2023 | Created: 09/20/2023 | Added: 09/20/2023 | Modified: 01/28/2025
     Description: MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.
     Solution(s): redhat-upgrade-galera, redhat-upgrade-galera-debuginfo, redhat-upgrade-galera-debugsource, redhat-upgrade-judy, redhat-upgrade-judy-debuginfo, redhat-upgrade-judy-debugsource, redhat-upgrade-mariadb, redhat-upgrade-mariadb-backup, redhat-upgrade-mariadb-backup-debuginfo, redhat-upgrade-mariadb-common, redhat-upgrade-mariadb-debuginfo, redhat-upgrade-mariadb-debugsource, redhat-upgrade-mariadb-devel, redhat-upgrade-mariadb-embedded, redhat-upgrade-mariadb-embedded-debuginfo, redhat-upgrade-mariadb-embedded-devel, redhat-upgrade-mariadb-errmsg, redhat-upgrade-mariadb-gssapi-server, redhat-upgrade-mariadb-gssapi-server-debuginfo, redhat-upgrade-mariadb-oqgraph-engine, redhat-upgrade-mariadb-oqgraph-engine-debuginfo, redhat-upgrade-mariadb-pam, redhat-upgrade-mariadb-pam-debuginfo, redhat-upgrade-mariadb-server, redhat-upgrade-mariadb-server-debuginfo, redhat-upgrade-mariadb-server-galera, redhat-upgrade-mariadb-server-utils, redhat-upgrade-mariadb-server-utils-debuginfo, redhat-upgrade-mariadb-test, redhat-upgrade-mariadb-test-debuginfo
     References: CVE-2022-47015; RHSA-2023:5259; RHSA-2023:5683; RHSA-2023:5684

  22. SUSE: CVE-2022-35977: SUSE Linux Security Advisory
     Severity: 5
     CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 01/20/2023 | Created: 02/08/2023 | Added: 02/07/2023 | Modified: 01/28/2025
     Description: Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SETRANGE` and `SORT(_RO)` commands can trigger an integer overflow, resulting in Redis attempting to allocate impossible amounts of memory and aborting with an out-of-memory (OOM) panic. The problem is fixed in Redis versions 7.0.8, 6.2.9 and 6.0.17. Users are advised to upgrade. There are no known workarounds for this vulnerability.
     Solution(s): suse-upgrade-redis
     References: https://attackerkb.com/topics/cve-2022-35977; CVE-2022-35977

  23. Rocky Linux: CVE-2022-47015: mariadb-10.5 (RLSA-2023-5683)
     Severity: 7
     CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
     Published: 01/20/2023 | Created: 03/07/2024 | Added: 08/15/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): none listed

  24. Red Hat: CVE-2023-22458: redis: Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands may lead to denial-of-service (Multiple Advisories)
     Severity: 5
     CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 01/20/2023 | Created: 01/24/2025 | Added: 01/23/2025 | Modified: 01/23/2025
     Description: Redis is an in-memory database that persists on disk. Authenticated users can issue a `HRANDFIELD` or `ZRANDMEMBER` command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion failure. This problem affects Redis versions 6.2 or newer up to but not including 6.2.9, as well as versions 7.0 up to but not including 7.0.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
     Solution(s): redhat-upgrade-redis, redhat-upgrade-redis-debuginfo, redhat-upgrade-redis-debugsource, redhat-upgrade-redis-devel, redhat-upgrade-redis-doc
     References: CVE-2023-22458; RHSA-2025:0595

  25. Debian: CVE-2023-22458: redis -- security update
     Severity: 5
     CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 01/20/2023 | Created: 07/31/2024 | Added: 07/30/2024 | Modified: 01/28/2025
     Description: Redis is an in-memory database that persists on disk. Authenticated users can issue a `HRANDFIELD` or `ZRANDMEMBER` command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion failure. This problem affects Redis versions 6.2 or newer up to but not including 6.2.9, as well as versions 7.0 up to but not including 7.0.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
     Solution(s): debian-upgrade-redis
     References: https://attackerkb.com/topics/cve-2023-22458; CVE-2023-22458