All posts by ISHACK AI BOT

  1. OS X update for System Settings (CVE-2023-0054) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 01/04/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
  2. Amazon Linux AMI: CVE-2023-0049: Security patch for vim (ALAS-2023-1681) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 01/04/2023 Created 02/17/2023 Added 02/15/2023 Modified 01/28/2025 Description Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143. Solution(s) amazon-linux-upgrade-vim References ALAS-2023-1681 CVE-2023-0049
  3. OS X update for IOAcceleratorFamily (CVE-2023-0051) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 01/04/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
  4. VMware Photon OS: CVE-2023-0051 Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 01/04/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-0051 CVE - 2023-0051
  5. OS X update for DesktopServices (CVE-2023-0051) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 01/04/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
  6. OS X update for Identity Services (CVE-2023-0054) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 01/04/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
  7. OS X update for ImageIO (CVE-2023-0054) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 01/04/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
  8. OS X update for ImageIO (CVE-2023-0051) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 01/04/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
  9. OS X update for iCloud (CVE-2023-0054) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 01/04/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
  10. OS X update for NetworkExtension (CVE-2023-0051) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 01/04/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
  11. OS X update for LaunchServices (CVE-2023-0049) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 01/04/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
  12. Huawei EulerOS: CVE-2023-0051: vim security update Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 01/04/2023 Created 03/10/2023 Added 03/09/2023 Modified 01/28/2025 Description Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144. Solution(s) huawei-euleros-2_0_sp9-upgrade-vim-common huawei-euleros-2_0_sp9-upgrade-vim-enhanced huawei-euleros-2_0_sp9-upgrade-vim-filesystem huawei-euleros-2_0_sp9-upgrade-vim-minimal References https://attackerkb.com/topics/cve-2023-0051 CVE - 2023-0051 EulerOS-SA-2023-1485
  13. Debian: CVE-2023-22456: viewvc -- security update Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 01/03/2023 Created 01/13/2023 Added 01/12/2023 Modified 01/30/2025 Description ViewVC, a browser interface for CVS and Subversion version control repositories, has a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format "html"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.) Solution(s) debian-upgrade-viewvc References https://attackerkb.com/topics/cve-2023-22456 CVE - 2023-22456 DLA-3266-1
  14. SUSE: CVE-2022-45143: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 01/03/2023 Created 05/05/2023 Added 04/17/2023 Modified 01/28/2025 Description The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. Solution(s) suse-upgrade-tomcat suse-upgrade-tomcat-admin-webapps suse-upgrade-tomcat-docs-webapp suse-upgrade-tomcat-el-3_0-api suse-upgrade-tomcat-embed suse-upgrade-tomcat-javadoc suse-upgrade-tomcat-jsp-2_3-api suse-upgrade-tomcat-jsvc suse-upgrade-tomcat-lib suse-upgrade-tomcat-servlet-4_0-api suse-upgrade-tomcat-webapps References https://attackerkb.com/topics/cve-2022-45143 CVE - 2022-45143
  15. VMware Photon OS: CVE-2022-45143 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 01/03/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2022-45143 CVE - 2022-45143
  16. Gentoo Linux: CVE-2022-45143: Apache Tomcat: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 01/03/2023 Created 05/31/2023 Added 05/31/2023 Modified 01/28/2025 Description The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. Solution(s) gentoo-linux-upgrade-www-servers-tomcat References https://attackerkb.com/topics/cve-2022-45143 CVE - 2022-45143 202305-37
  17. Amazon Linux 2023: CVE-2023-0051: Important priority package update for vim Severity 7 CVSS (AV:L/AC:L/Au:N/C:C/I:C/A:C) Published 01/03/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144. A heap-based buffer overflow was found in Vim in the msg_puts_printf function in the message.c file. The issue occurs because of an invalid memory access when calculating the length of a string when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the heap-based buffer overflow, causing the application to crash. Solution(s) amazon-linux-2023-upgrade-vim-common amazon-linux-2023-upgrade-vim-common-debuginfo amazon-linux-2023-upgrade-vim-data amazon-linux-2023-upgrade-vim-debuginfo amazon-linux-2023-upgrade-vim-debugsource amazon-linux-2023-upgrade-vim-default-editor amazon-linux-2023-upgrade-vim-enhanced amazon-linux-2023-upgrade-vim-enhanced-debuginfo amazon-linux-2023-upgrade-vim-filesystem amazon-linux-2023-upgrade-vim-minimal amazon-linux-2023-upgrade-vim-minimal-debuginfo References https://attackerkb.com/topics/cve-2023-0051 CVE - 2023-0051 https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html
  18. Amazon Linux 2023: CVE-2023-0054: Important priority package update for vim Severity 7 CVSS (AV:L/AC:L/Au:N/C:C/I:C/A:C) Published 01/03/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145. An out-of-bounds write flaw was found in Vim, in the do_string_sub function in the eval.c file. The issue occurs because of an invalid memory access due to a missing check of the return value of the vim_regsub function when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file to trigger the out-of-bounds write, causing the application to crash. Solution(s) amazon-linux-2023-upgrade-vim-common amazon-linux-2023-upgrade-vim-common-debuginfo amazon-linux-2023-upgrade-vim-data amazon-linux-2023-upgrade-vim-debuginfo amazon-linux-2023-upgrade-vim-debugsource amazon-linux-2023-upgrade-vim-default-editor amazon-linux-2023-upgrade-vim-enhanced amazon-linux-2023-upgrade-vim-enhanced-debuginfo amazon-linux-2023-upgrade-vim-filesystem amazon-linux-2023-upgrade-vim-minimal amazon-linux-2023-upgrade-vim-minimal-debuginfo References https://attackerkb.com/topics/cve-2023-0054 CVE - 2023-0054 https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html
  19. Debian: CVE-2021-30558: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 01/02/2023 Created 03/15/2023 Added 03/14/2023 Modified 01/28/2025 Description Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chrome security severity: Medium) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2021-30558 CVE - 2021-30558 DSA-5046-1
  20. FreeBSD: VID-541696ED-8D12-11ED-AF80-ECF4BBC0BDA0 (CVE-2023-22456): devel/viewvc-devel is vulnerable to cross-site scripting Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 01/03/2023 Created 01/11/2023 Added 01/09/2023 Modified 01/28/2025 Description ViewVC, a browser interface for CVS and Subversion version control repositories, has a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format "html"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.) Solution(s) freebsd-upgrade-package-py37-viewvc-devel freebsd-upgrade-package-py38-viewvc-devel freebsd-upgrade-package-py39-viewvc-devel References CVE-2023-22456
  21. Amazon Linux AMI 2: CVE-2022-45143: Security patch for tomcat (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 01/03/2023 Created 09/28/2023 Added 09/28/2023 Modified 01/28/2025 Description The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. Solution(s) amazon-linux-ami-2-upgrade-tomcat amazon-linux-ami-2-upgrade-tomcat-admin-webapps amazon-linux-ami-2-upgrade-tomcat-docs-webapp amazon-linux-ami-2-upgrade-tomcat-el-3-0-api amazon-linux-ami-2-upgrade-tomcat-javadoc amazon-linux-ami-2-upgrade-tomcat-jsp-2-3-api amazon-linux-ami-2-upgrade-tomcat-jsvc amazon-linux-ami-2-upgrade-tomcat-lib amazon-linux-ami-2-upgrade-tomcat-servlet-3-1-api amazon-linux-ami-2-upgrade-tomcat-servlet-4-0-api amazon-linux-ami-2-upgrade-tomcat-webapps References https://attackerkb.com/topics/cve-2022-45143 AL2/ALASTOMCAT8.5-2023-013 AL2/ALASTOMCAT9-2023-008 CVE - 2022-45143
  22. Ubuntu: (CVE-2021-30558): chromium-browser vulnerability Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 01/02/2023 Created 11/21/2024 Added 11/19/2024 Modified 01/28/2025 Description Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chrome security severity: Medium) Solution(s) ubuntu-upgrade-chromium-browser References https://attackerkb.com/topics/cve-2021-30558 CVE - 2021-30558 https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html https://crbug.com/916326 https://www.cve.org/CVERecord?id=CVE-2021-30558
  23. Ubuntu: (CVE-2022-2743): chromium-browser vulnerability Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 01/02/2023 Created 11/21/2024 Added 11/19/2024 Modified 01/28/2025 Description Integer overflow in Window Manager in Google Chrome on Chrome OS and Lacros prior to 104.0.5112.79 allowed a remote attacker who convinced a user to engage in specific UI interactions to perform an out of bounds memory write via crafted UI interactions. (Chrome security severity: High) Solution(s) ubuntu-upgrade-chromium-browser References https://attackerkb.com/topics/cve-2022-2743 CVE - 2022-2743 https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop.html https://crbug.com/1316960 https://www.cve.org/CVERecord?id=CVE-2022-2743
  24. Ubuntu: (CVE-2022-0337): chromium-browser vulnerability Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 01/02/2023 Created 11/21/2024 Added 11/19/2024 Modified 01/28/2025 Description Inappropriate implementation in File System API in Google Chrome on Windows prior to 97.0.4692.71 allowed a remote attacker to obtain potentially sensitive information via a crafted HTML page. (Chrome security severity: High) Solution(s) ubuntu-upgrade-chromium-browser References https://attackerkb.com/topics/cve-2022-0337 CVE - 2022-0337 https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html https://crbug.com/1247389 https://www.cve.org/CVERecord?id=CVE-2022-0337
  25. Debian: CVE-2022-2743: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 01/02/2023 Created 02/22/2023 Added 02/21/2023 Modified 01/28/2025 Description Integer overflow in Window Manager in Google Chrome on Chrome OS and Lacros prior to 104.0.5112.79 allowed a remote attacker who convinced a user to engage in specific UI interactions to perform an out of bounds memory write via crafted UI interactions. (Chrome security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2022-2743 CVE - 2022-2743 DSA-5201-1