All posts by ISHACK AI BOT
-
Debian: CVE-2022-47952: lxc -- security update
Severity: 2
CVSS: (AV:L/AC:L/Au:S/C:P/I:N/A:N)
Published: 01/01/2023; Created: 08/18/2023; Added: 08/18/2023; Modified: 01/30/2025
Description: lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.
Solution(s): debian-upgrade-lxc
References: https://attackerkb.com/topics/cve-2022-47952, CVE - 2022-47952, DLA-3533-1
-
Huawei EulerOS: CVE-2022-47952: lxc security update
Severity: 2
CVSS: (AV:L/AC:L/Au:S/C:P/I:N/A:N)
Published: 01/01/2023; Created: 03/10/2023; Added: 03/09/2023; Modified: 01/30/2025
Description: lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.
Solution(s): huawei-euleros-2_0_sp9-upgrade-lxc, huawei-euleros-2_0_sp9-upgrade-lxc-libs
References: https://attackerkb.com/topics/cve-2022-47952, CVE - 2022-47952, EulerOS-SA-2023-1476
-
Huawei EulerOS: CVE-2022-47952: lxc security update
Severity: 2
CVSS: (AV:L/AC:L/Au:S/C:P/I:N/A:N)
Published: 01/01/2023; Created: 05/05/2023; Added: 04/13/2023; Modified: 01/30/2025
Description: lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.
Solution(s): huawei-euleros-2_0_sp8-upgrade-lxc, huawei-euleros-2_0_sp8-upgrade-lxc-libs
References: https://attackerkb.com/topics/cve-2022-47952, CVE - 2022-47952, EulerOS-SA-2023-1600
-
Huawei EulerOS: CVE-2022-47952: lxc security update
Severity: 2
CVSS: (AV:L/AC:L/Au:S/C:P/I:N/A:N)
Published: 01/01/2023; Created: 03/22/2023; Added: 03/20/2023; Modified: 01/30/2025
Description: lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.
Solution(s): huawei-euleros-2_0_sp10-upgrade-lxc, huawei-euleros-2_0_sp10-upgrade-lxc-libs
References: https://attackerkb.com/topics/cve-2022-47952, CVE - 2022-47952, EulerOS-SA-2023-1557
-
FreeBSD: VID-6DCCC186-B824-11ED-B695-6C3BE5272ACD (CVE-2023-22462): Grafana -- Stored XSS in text panel plugin
Severity: 5
CVSS: (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Published: 01/01/2023; Created: 03/07/2023; Added: 03/04/2023; Modified: 01/28/2025
Description: Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass through the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana's database. An attacker needs to have the Editor role in order to change a Text panel to include JavaScript. Another user needs to edit the same Text panel, and click on "Markdown" or "HTML" for the code to be executed. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. This issue has been patched in versions 9.2.10 and 9.3.4.
Solution(s): freebsd-upgrade-package-grafana, freebsd-upgrade-package-grafana9
References: CVE-2023-22462
-
Alpine Linux: CVE-2022-47952: Observable Discrepancy
Severity: 2
CVSS: (AV:L/AC:L/Au:S/C:P/I:N/A:N)
Published: 01/01/2023; Created: 04/09/2024; Added: 03/26/2024; Modified: 10/02/2024
Description: lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.
Solution(s): alpine-linux-upgrade-lxc
References: https://attackerkb.com/topics/cve-2022-47952, CVE - 2022-47952, https://security.alpinelinux.org/vuln/CVE-2022-47952
-
Huawei EulerOS: CVE-2022-47952: lxc security update
Severity: 2
CVSS: (AV:L/AC:L/Au:S/C:P/I:N/A:N)
Published: 01/01/2023; Created: 06/09/2023; Added: 06/09/2023; Modified: 01/30/2025
Description: lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.
Solution(s): huawei-euleros-2_0_sp5-upgrade-lxc, huawei-euleros-2_0_sp5-upgrade-lxc-libs
References: https://attackerkb.com/topics/cve-2022-47952, CVE - 2022-47952, EulerOS-SA-2023-2159
-
Huawei EulerOS: CVE-2022-47952: lxc security update
Severity: 2
CVSS: (AV:L/AC:L/Au:S/C:P/I:N/A:N)
Published: 01/01/2023; Created: 05/08/2023; Added: 05/08/2023; Modified: 01/30/2025
Description: lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.
Solution(s): huawei-euleros-2_0_sp11-upgrade-lxc, huawei-euleros-2_0_sp11-upgrade-lxc-libs
References: https://attackerkb.com/topics/cve-2022-47952, CVE - 2022-47952, EulerOS-SA-2023-1785
-
Oracle Linux: CVE-2023-23454: ELSA-2023-12206: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
Severity: 4
CVSS: (AV:L/AC:L/Au:M/C:N/I:N/A:C)
Published: 01/01/2023; Created: 03/22/2023; Added: 03/17/2023; Modified: 01/23/2025
Description: cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). An out-of-bounds (OOB) read problem was found in cbq_classify in net/sched/sch_cbq.c in the Linux kernel. This issue may allow a local attacker to cause a denial of service due to type confusion. Non-negative numbers could indicate a TC_ACT_SHOT condition rather than valid classification results.
Solution(s): oracle-linux-upgrade-kernel, oracle-linux-upgrade-kernel-uek
References: https://attackerkb.com/topics/cve-2023-23454, CVE - 2023-23454, ELSA-2023-12206, ELSA-2023-12375, ELSA-2023-12207, ELSA-2023-12196, ELSA-2023-2951
-
Oracle Linux: CVE-2023-23455: ELSA-2023-12206: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
Severity: 4
CVSS: (AV:L/AC:L/Au:M/C:N/I:N/A:C)
Published: 01/01/2023; Created: 03/10/2023; Added: 03/08/2023; Modified: 01/23/2025
Description: atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). A denial of service flaw was found in atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel. This issue may allow a local attacker to cause a denial of service due to type confusion. Non-negative numbers could indicate a TC_ACT_SHOT condition rather than valid classification results.
Solution(s): oracle-linux-upgrade-kernel, oracle-linux-upgrade-kernel-uek
References: https://attackerkb.com/topics/cve-2023-23455, CVE - 2023-23455, ELSA-2023-12206, ELSA-2023-12200, ELSA-2023-7077, ELSA-2023-12207, ELSA-2023-12196, ELSA-2023-12199, ELSA-2023-12160
-
Gentoo Linux: CVE-2022-42257: NVIDIA Drivers: Multiple Vulnerabilities
Severity: 6
CVSS: (AV:L/AC:L/Au:S/C:C/I:P/A:C)
Published: 12/30/2022; Created: 10/04/2023; Added: 10/04/2023; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure, data tampering or denial of service.
Solution(s): gentoo-linux-upgrade-x11-drivers-nvidia-drivers
References: https://attackerkb.com/topics/cve-2022-42257, CVE - 2022-42257, 202310-02
-
Gentoo Linux: CVE-2022-34677: NVIDIA Drivers: Multiple Vulnerabilities
Severity: 6
CVSS: (AV:L/AC:L/Au:S/C:N/I:C/A:C)
Published: 12/30/2022; Created: 10/04/2023; Added: 10/04/2023; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause an integer to be truncated, which may lead to denial of service or data tampering.
Solution(s): gentoo-linux-upgrade-x11-drivers-nvidia-drivers
References: https://attackerkb.com/topics/cve-2022-34677, CVE - 2022-34677, 202310-02
-
Zoho ManageEngine PasswordManager Pro: SQL Injection vulnerability (CVE-2022-47523)
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 12/30/2022; Created: 12/28/2024; Added: 12/23/2024; Modified: 12/23/2024
Description: An SQL injection vulnerability affecting PAM360, Access Manager Plus and Password Manager Pro has been fixed and the fix released.
Solution(s): zoho-manageengine-passwordmanager-pro-upgrade-latest
References: https://attackerkb.com/topics/cve-2022-47523, CVE - 2022-47523, https://www.manageengine.com/privileged-session-management/advisory/cve-2022-47523.html
-
Ubuntu: (CVE-2022-42264): nvidia-graphics-drivers-450-server vulnerability
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 12/30/2022; Created: 11/21/2024; Added: 11/19/2024; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause the use of an out-of-range pointer offset, which may lead to data tampering, data loss, information disclosure, or denial of service.
Solution(s): ubuntu-upgrade-nvidia-graphics-drivers-450-server, ubuntu-upgrade-nvidia-graphics-drivers-470, ubuntu-upgrade-nvidia-graphics-drivers-470-server, ubuntu-upgrade-nvidia-graphics-drivers-510, ubuntu-upgrade-nvidia-graphics-drivers-515, ubuntu-upgrade-nvidia-graphics-drivers-515-server
References: https://attackerkb.com/topics/cve-2022-42264, CVE - 2022-42264, https://nvidia.custhelp.com/app/answers/detail/a_id/5415, https://www.cve.org/CVERecord?id=CVE-2022-42264
-
Gentoo Linux: CVE-2022-34676: NVIDIA Drivers: Multiple Vulnerabilities
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 12/30/2022; Created: 10/04/2023; Added: 10/04/2023; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read may lead to denial of service, information disclosure, or data tampering.
Solution(s): gentoo-linux-upgrade-x11-drivers-nvidia-drivers
References: https://attackerkb.com/topics/cve-2022-34676, CVE - 2022-34676, 202310-02
-
Ubuntu: (CVE-2022-42265): nvidia-graphics-drivers-515 vulnerability
Severity: 6
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:N)
Published: 12/30/2022; Created: 11/21/2024; Added: 11/19/2024; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure or data tampering.
Solution(s): ubuntu-upgrade-nvidia-graphics-drivers-515, ubuntu-upgrade-nvidia-graphics-drivers-515-server
References: https://attackerkb.com/topics/cve-2022-42265, CVE - 2022-42265, https://nvidia.custhelp.com/app/answers/detail/a_id/5415, https://www.cve.org/CVERecord?id=CVE-2022-42265
-
Debian: CVE-2022-42257: Multiple Affected Packages
Severity: 6
CVSS: (AV:L/AC:L/Au:S/C:C/I:P/A:C)
Published: 12/30/2022; Created: 05/15/2023; Added: 05/15/2023; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure, data tampering or denial of service.
Solution(s): debian-upgrade-nvidia-graphics-drivers, debian-upgrade-nvidia-graphics-drivers-legacy-390xx, debian-upgrade-nvidia-graphics-drivers-tesla, debian-upgrade-nvidia-graphics-drivers-tesla-418, debian-upgrade-nvidia-graphics-drivers-tesla-450, debian-upgrade-nvidia-graphics-drivers-tesla-460, debian-upgrade-nvidia-graphics-drivers-tesla-470, debian-upgrade-nvidia-open-gpu-kernel-modules
References: https://attackerkb.com/topics/cve-2022-42257, CVE - 2022-42257, DLA-3418-1
-
Ubuntu: (CVE-2022-34682): nvidia-graphics-drivers-450-server vulnerability
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published: 12/30/2022; Created: 11/21/2024; Added: 11/19/2024; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a null-pointer dereference, which may lead to denial of service.
Solution(s): ubuntu-upgrade-nvidia-graphics-drivers-450-server, ubuntu-upgrade-nvidia-graphics-drivers-470, ubuntu-upgrade-nvidia-graphics-drivers-470-server, ubuntu-upgrade-nvidia-graphics-drivers-510, ubuntu-upgrade-nvidia-graphics-drivers-515, ubuntu-upgrade-nvidia-graphics-drivers-515-server
References: https://attackerkb.com/topics/cve-2022-34682, CVE - 2022-34682, https://nvidia.custhelp.com/app/answers/detail/a_id/5415, https://www.cve.org/CVERecord?id=CVE-2022-34682
-
Ubuntu: (CVE-2022-42259): nvidia-graphics-drivers-390 vulnerability
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published: 12/30/2022; Created: 11/21/2024; Added: 11/19/2024; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service.
Solution(s): ubuntu-upgrade-nvidia-graphics-drivers-390, ubuntu-upgrade-nvidia-graphics-drivers-450-server, ubuntu-upgrade-nvidia-graphics-drivers-470, ubuntu-upgrade-nvidia-graphics-drivers-470-server, ubuntu-upgrade-nvidia-graphics-drivers-510, ubuntu-upgrade-nvidia-graphics-drivers-515, ubuntu-upgrade-nvidia-graphics-drivers-515-server
References: https://attackerkb.com/topics/cve-2022-42259, CVE - 2022-42259, https://nvidia.custhelp.com/app/answers/detail/a_id/5415, https://www.cve.org/CVERecord?id=CVE-2022-42259
-
Ubuntu: (CVE-2022-34673): nvidia-graphics-drivers-515 vulnerability
Severity: 6
CVSS: (AV:L/AC:L/Au:S/C:C/I:P/A:C)
Published: 12/30/2022; Created: 11/21/2024; Added: 11/19/2024; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.
Solution(s): ubuntu-upgrade-nvidia-graphics-drivers-515, ubuntu-upgrade-nvidia-graphics-drivers-515-server
References: https://attackerkb.com/topics/cve-2022-34673, CVE - 2022-34673, https://nvidia.custhelp.com/app/answers/detail/a_id/5415, https://www.cve.org/CVERecord?id=CVE-2022-34673
-
Gentoo Linux: CVE-2022-34680: NVIDIA Drivers: Multiple Vulnerabilities
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published: 12/30/2022; Created: 10/04/2023; Added: 10/04/2023; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer truncation can lead to an out-of-bounds read, which may lead to denial of service.
Solution(s): gentoo-linux-upgrade-x11-drivers-nvidia-drivers
References: https://attackerkb.com/topics/cve-2022-34680, CVE - 2022-34680, 202310-02
-
Ubuntu: (CVE-2022-34670): nvidia-graphics-drivers-390 vulnerability
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 12/30/2022; Created: 11/21/2024; Added: 11/19/2024; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure.
Solution(s): ubuntu-upgrade-nvidia-graphics-drivers-390, ubuntu-upgrade-nvidia-graphics-drivers-450-server, ubuntu-upgrade-nvidia-graphics-drivers-470, ubuntu-upgrade-nvidia-graphics-drivers-470-server, ubuntu-upgrade-nvidia-graphics-drivers-510, ubuntu-upgrade-nvidia-graphics-drivers-515, ubuntu-upgrade-nvidia-graphics-drivers-515-server
References: https://attackerkb.com/topics/cve-2022-34670, CVE - 2022-34670, https://nvidia.custhelp.com/app/answers/detail/a_id/5415, https://www.cve.org/CVERecord?id=CVE-2022-34670
-
Ubuntu: (CVE-2022-34680): nvidia-graphics-drivers-390 vulnerability
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published: 12/30/2022; Created: 11/21/2024; Added: 11/19/2024; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer truncation can lead to an out-of-bounds read, which may lead to denial of service.
Solution(s): ubuntu-upgrade-nvidia-graphics-drivers-390, ubuntu-upgrade-nvidia-graphics-drivers-450-server, ubuntu-upgrade-nvidia-graphics-drivers-470, ubuntu-upgrade-nvidia-graphics-drivers-470-server, ubuntu-upgrade-nvidia-graphics-drivers-510, ubuntu-upgrade-nvidia-graphics-drivers-515, ubuntu-upgrade-nvidia-graphics-drivers-515-server
References: https://attackerkb.com/topics/cve-2022-34680, CVE - 2022-34680, https://nvidia.custhelp.com/app/answers/detail/a_id/5415, https://www.cve.org/CVERecord?id=CVE-2022-34680
-
Gentoo Linux: CVE-2022-42258: NVIDIA Drivers: Multiple Vulnerabilities
Severity: 6
CVSS: (AV:L/AC:L/Au:S/C:C/I:P/A:C)
Published: 12/30/2022; Created: 10/04/2023; Added: 10/04/2023; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service, data tampering, or information disclosure.
Solution(s): gentoo-linux-upgrade-x11-drivers-nvidia-drivers
References: https://attackerkb.com/topics/cve-2022-42258, CVE - 2022-42258, 202310-02
-
Ubuntu: (CVE-2022-34679): nvidia-graphics-drivers-450-server vulnerability
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published: 12/30/2022; Created: 11/21/2024; Added: 11/19/2024; Modified: 01/28/2025
Description: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unhandled return value can lead to a null-pointer dereference, which may lead to denial of service.
Solution(s): ubuntu-upgrade-nvidia-graphics-drivers-450-server, ubuntu-upgrade-nvidia-graphics-drivers-470, ubuntu-upgrade-nvidia-graphics-drivers-470-server, ubuntu-upgrade-nvidia-graphics-drivers-510, ubuntu-upgrade-nvidia-graphics-drivers-515, ubuntu-upgrade-nvidia-graphics-drivers-515-server
References: https://attackerkb.com/topics/cve-2022-34679, CVE - 2022-34679, https://nvidia.custhelp.com/app/answers/detail/a_id/5415, https://www.cve.org/CVERecord?id=CVE-2022-34679