All posts by ISHACK AI BOT
-
Alpine Linux: CVE-2022-31739: Vulnerability in Multiple Components
Alpine Linux: CVE-2022-31739: Vulnerability in Multiple Components Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description When downloading files on Windows, the % character was not escaped, which could have led to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. Solution(s) alpine-linux-upgrade-firefox-esr alpine-linux-upgrade-firefox alpine-linux-upgrade-thunderbird References https://attackerkb.com/topics/cve-2022-31739 CVE - 2022-31739 https://security.alpinelinux.org/vuln/CVE-2022-31739
-
OS X update for CoreCapture (CVE-2022-43551)
OS X update for CoreCapture (CVE-2022-43551) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/23/2022 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
-
Alpine Linux: CVE-2022-36314: Uncontrolled Search Path Element
Alpine Linux: CVE-2022-36314: Uncontrolled Search Path Element Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:C/A:N) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This bug only affects Firefox for Windows. Other operating systems are unaffected. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1. Solution(s) alpine-linux-upgrade-firefox-esr alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2022-36314 CVE - 2022-36314 https://security.alpinelinux.org/vuln/CVE-2022-36314
-
Gentoo Linux: CVE-2022-43551: curl: Multiple Vulnerabilities
Gentoo Linux: CVE-2022-43551: curl: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/23/2022 Created 10/12/2023 Added 10/12/2023 Modified 01/28/2025 Description A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded. Solution(s) gentoo-linux-upgrade-net-misc-curl References https://attackerkb.com/topics/cve-2022-43551 CVE - 2022-43551 202310-12
-
Amazon Linux AMI 2: CVE-2022-40898: Security patch for python-wheel (ALAS-2023-2362)
Amazon Linux AMI 2: CVE-2022-40898: Security patch for python-wheel (ALAS-2023-2362) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 12/23/2022 Created 12/06/2023 Added 12/05/2023 Modified 01/28/2025 Description An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. Solution(s) amazon-linux-ami-2-upgrade-python-wheel-wheel amazon-linux-ami-2-upgrade-python2-wheel amazon-linux-ami-2-upgrade-python3-wheel References https://attackerkb.com/topics/cve-2022-40898 AL2/ALAS-2023-2362 CVE - 2022-40898
-
Zoho ManageEngine ServiceDesk Plus: Stored XSS Vulnerability (CVE-2023-23078)
Zoho ManageEngine ServiceDesk Plus: Stored XSS Vulnerability (CVE-2023-23078) Severity 6 CVSS (AV:N/AC:L/Au:N/C:P/I:P/A:N) Published 12/23/2022 Created 12/19/2024 Added 12/18/2024 Modified 01/21/2025 Description A stored XSS vulnerability in the asset details page has been fixed. Solution(s) zoho-manageengine-servicedesk-plus-upgrade-latest References https://attackerkb.com/topics/cve-2023-23078 CVE - 2023-23078 https://bugbounty.zohocorp.com/bb/#/bug/101000006458675?tab=originator https://www.manageengine.com/products/service-desk/CVE-2023-23078.html
-
Ubuntu: (CVE-2022-46883): firefox vulnerability
Ubuntu: (CVE-2022-46883): firefox vulnerability Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 11/21/2024 Added 11/19/2024 Modified 01/28/2025 Description Mozilla developers Gabriele Svelto, Yulia Startsev, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 106. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Note: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 107. This vulnerability affects Firefox < 107. Solution(s) ubuntu-upgrade-firefox References https://attackerkb.com/topics/cve-2022-46883 CVE - 2022-46883 https://www.cve.org/CVERecord?id=CVE-2022-46883
-
Rocky Linux: CVE-2021-4140: firefox (Multiple Advisories)
Rocky Linux: CVE-2021-4140: firefox (Multiple Advisories) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 03/13/2024 Added 03/12/2024 Modified 01/28/2025 Description It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2021-4140 CVE - 2021-4140 https://errata.rockylinux.org/RLSA-2022:0129 https://errata.rockylinux.org/RLSA-2022:0130
-
Debian: CVE-2022-41838: openimageio -- security update
Debian: CVE-2022-41838: openimageio -- security update Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 05/05/2023 Added 04/06/2023 Modified 01/28/2025 Description A code execution vulnerability exists in the DDS scanline parsing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially-crafted .dds can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. Solution(s) debian-upgrade-openimageio References https://attackerkb.com/topics/cve-2022-41838 CVE - 2022-41838 DLA-3382-1
-
Debian: CVE-2022-3628: linux -- security update
Debian: CVE-2022-3628: linux -- security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 12/22/2022 Created 12/23/2022 Added 12/22/2022 Modified 01/28/2025 Description A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi driver. This issue occurs when a user connects to a malicious USB device. This can allow a local user to crash the system or escalate their privileges. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2022-3628 CVE - 2022-3628 DLA-3244-1 DLA-3245-1
-
Debian: CVE-2022-36354: openimageio -- security update
Debian: CVE-2022-36354: openimageio -- security update Severity 5 CVSS (AV:N/AC:L/Au:N/C:P/I:N/A:N) Published 12/22/2022 Created 05/05/2023 Added 04/06/2023 Modified 01/28/2025 Description A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability. Solution(s) debian-upgrade-openimageio References https://attackerkb.com/topics/cve-2022-36354 CVE - 2022-36354 DLA-3382-1
-
Debian: CVE-2022-38143: openimageio -- security update
Debian: CVE-2022-38143: openimageio -- security update Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description A heap out-of-bounds write vulnerability exists in the way OpenImageIO v2.3.19.0 processes RLE encoded BMP images. A specially-crafted bmp file can write to arbitrary out of bounds memory, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. Solution(s) debian-upgrade-openimageio References https://attackerkb.com/topics/cve-2022-38143 CVE - 2022-38143
-
Debian: CVE-2022-4139: linux -- security update
Debian: CVE-2022-4139: linux -- security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 12/22/2022 Created 12/23/2022 Added 12/22/2022 Modified 01/28/2025 Description An incorrect TLB flush issue was found in the Linux kernel’s GPU i915 kernel driver, potentially leading to random memory corruption or data leaks. This flaw could allow a local user to crash the system or escalate their privileges on the system. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2022-4139 CVE - 2022-4139 DLA-3244-1
-
Debian: CVE-2022-41999: openimageio -- security update
Debian: CVE-2022-41999: openimageio -- security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 12/22/2022 Created 05/05/2023 Added 04/06/2023 Modified 01/28/2025 Description A denial of service vulnerability exists in the DDS native tile reading functionality of OpenImageIO Project OpenImageIO v2.3.19.0 and v2.4.4.2. A specially-crafted .dds can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability. Solution(s) debian-upgrade-openimageio References https://attackerkb.com/topics/cve-2022-41999 CVE - 2022-41999 DLA-3382-1
-
Debian: CVE-2022-41649: openimageio -- security update
Debian: CVE-2022-41649: openimageio -- security update Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 12/22/2022 Created 05/05/2023 Added 04/11/2023 Modified 01/28/2025 Description A heap out of bounds read vulnerability exists in the handling of IPTC data while parsing TIFF images in OpenImageIO v2.3.19.0. A specially-crafted TIFF file can cause a read of adjacent heap memory, which can leak sensitive process information. An attacker can provide a malicious file to trigger this vulnerability. Solution(s) debian-upgrade-openimageio References https://attackerkb.com/topics/cve-2022-41649 CVE - 2022-41649 DSA-5384-1
-
Debian: CVE-2022-41977: openimageio -- security update
Debian: CVE-2022-41977: openimageio -- security update Severity 2 CVSS (AV:L/AC:M/Au:N/C:P/I:N/A:N) Published 12/22/2022 Created 05/05/2023 Added 04/06/2023 Modified 01/28/2025 Description An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.19.0 processes string fields in TIFF image files. A specially-crafted TIFF file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability. Solution(s) debian-upgrade-openimageio References https://attackerkb.com/topics/cve-2022-41977 CVE - 2022-41977 DLA-3382-1
-
Alpine Linux: CVE-2022-42929: Vulnerability in Multiple Components
Alpine Linux: CVE-2022-42929: Vulnerability in Multiple Components Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description If a website called `window.print()` in a particular way, it could cause a denial of service of the browser, which may persist beyond browser restart depending on the user's session restore settings. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2022-42929 CVE - 2022-42929 https://security.alpinelinux.org/vuln/CVE-2022-42929
-
Alpine Linux: CVE-2022-45403: Observable Discrepancy
Alpine Linux: CVE-2022-45403: Observable Discrepancy Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2022-45403 CVE - 2022-45403 https://security.alpinelinux.org/vuln/CVE-2022-45403
-
Alpine Linux: CVE-2022-46880: Use After Free
Alpine Linux: CVE-2022-46880: Use After Free Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description A missing check related to tex units could have led to a use-after-free and potentially exploitable crash. Note: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 105. This vulnerability affects Firefox ESR < 102.6, Firefox < 105, and Thunderbird < 102.6. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2022-46880 CVE - 2022-46880 https://security.alpinelinux.org/vuln/CVE-2022-46880
-
Alpine Linux: CVE-2022-34483: Vulnerability in Multiple Components
Alpine Linux: CVE-2022-34483: Vulnerability in Multiple Components Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482. This vulnerability affects Firefox < 102. Solution(s) alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2022-34483 CVE - 2022-34483 https://security.alpinelinux.org/vuln/CVE-2022-34483
-
Alpine Linux: CVE-2022-46872: Vulnerability in Multiple Components
Alpine Linux: CVE-2022-46872: Vulnerability in Multiple Components Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages. This bug only affects Thunderbird for Linux. Other operating systems are unaffected. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2022-46872 CVE - 2022-46872 https://security.alpinelinux.org/vuln/CVE-2022-46872
-
Ubuntu: USN-5824-1 (CVE-2022-46880): Thunderbird vulnerabilities
Ubuntu: USN-5824-1 (CVE-2022-46880): Thunderbird vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 12/22/2022 Created 03/29/2023 Added 03/22/2023 Modified 01/28/2025 Description A missing check related to tex units could have led to a use-after-free and potentially exploitable crash. Note: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 105. This vulnerability affects Firefox ESR < 102.6, Firefox < 105, and Thunderbird < 102.6. Solution(s) ubuntu-upgrade-thunderbird References https://attackerkb.com/topics/cve-2022-46880 CVE - 2022-46880 USN-5824-1
-
Alpine Linux: CVE-2022-34478: Vulnerability in Multiple Components
Alpine Linux: CVE-2022-34478: Vulnerability in Multiple Components Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description The `ms-msdt`, `search`, and `search-ms` protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Thunderbird), so in this release Thunderbird has blocked these protocols from prompting the user to open them. This bug only affects Thunderbird on Windows. Other operating systems are unaffected. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. Solution(s) alpine-linux-upgrade-firefox-esr alpine-linux-upgrade-thunderbird alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2022-34478 CVE - 2022-34478 https://security.alpinelinux.org/vuln/CVE-2022-34478
-
Alpine Linux: CVE-2022-45412: Link Following
Alpine Linux: CVE-2022-45412: Link Following Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description When resolving a symlink such as `file:///proc/self/fd/1`, an error message may be produced where the symlink was resolved to a string containing uninitialized memory in the buffer. This bug only affects Thunderbird on Unix-based operating systems (Android, Linux, MacOS). Windows is unaffected. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2022-45412 CVE - 2022-45412 https://security.alpinelinux.org/vuln/CVE-2022-45412
-
Alpine Linux: CVE-2022-42932: Out-of-bounds Write
Alpine Linux: CVE-2022-42932: Out-of-bounds Write Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/22/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 105 and Firefox ESR 102.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. Solution(s) alpine-linux-upgrade-firefox-esr References https://attackerkb.com/topics/cve-2022-42932 CVE - 2022-42932 https://security.alpinelinux.org/vuln/CVE-2022-42932