ISHACK AI BOT

Red Hat: CVE-2022-4130: Important: Satellite 6.14 security and bug fix update (RHSA-2023:6818) Severity 6 CVSS (AV:N/AC:M/Au:M/C:N/I:C/A:N) Published 12/16/2022 Created 11/14/2023 Added 11/13/2023 Modified 01/28/2025 Description A blind site-to-site request forgery vulnerability was found in Satellite server. It is possible to trigger an external interaction to an attacker's server by modifying the Referer header in an HTTP request of specific resources in the server. Solution(s) redhat-upgrade-foreman-cli redhat-upgrade-python39-pulp_manifest redhat-upgrade-rubygem-amazing_print redhat-upgrade-rubygem-apipie-bindings redhat-upgrade-rubygem-clamp redhat-upgrade-rubygem-domain_name redhat-upgrade-rubygem-fast_gettext redhat-upgrade-rubygem-ffi redhat-upgrade-rubygem-ffi-debuginfo redhat-upgrade-rubygem-ffi-debugsource redhat-upgrade-rubygem-foreman_maintain redhat-upgrade-rubygem-gssapi redhat-upgrade-rubygem-hammer_cli redhat-upgrade-rubygem-hammer_cli_foreman redhat-upgrade-rubygem-hammer_cli_foreman_admin redhat-upgrade-rubygem-hammer_cli_foreman_ansible redhat-upgrade-rubygem-hammer_cli_foreman_azure_rm redhat-upgrade-rubygem-hammer_cli_foreman_bootdisk redhat-upgrade-rubygem-hammer_cli_foreman_discovery redhat-upgrade-rubygem-hammer_cli_foreman_google redhat-upgrade-rubygem-hammer_cli_foreman_openscap redhat-upgrade-rubygem-hammer_cli_foreman_remote_execution redhat-upgrade-rubygem-hammer_cli_foreman_tasks redhat-upgrade-rubygem-hammer_cli_foreman_templates redhat-upgrade-rubygem-hammer_cli_foreman_virt_who_configure redhat-upgrade-rubygem-hammer_cli_foreman_webhooks redhat-upgrade-rubygem-hammer_cli_katello redhat-upgrade-rubygem-hashie redhat-upgrade-rubygem-highline redhat-upgrade-rubygem-http-accept redhat-upgrade-rubygem-http-cookie redhat-upgrade-rubygem-jwt redhat-upgrade-rubygem-little-plugger redhat-upgrade-rubygem-locale redhat-upgrade-rubygem-logging redhat-upgrade-rubygem-mime-types redhat-upgrade-rubygem-mime-types-data redhat-upgrade-rubygem-multi_json redhat-upgrade-rubygem-netrc redhat-upgrade-rubygem-oauth redhat-upgrade-rubygem-oauth-tty redhat-upgrade-rubygem-powerbar redhat-upgrade-rubygem-rest-client redhat-upgrade-rubygem-snaky_hash redhat-upgrade-rubygem-unf redhat-upgrade-rubygem-unf_ext redhat-upgrade-rubygem-unf_ext-debuginfo redhat-upgrade-rubygem-unf_ext-debugsource redhat-upgrade-rubygem-unicode redhat-upgrade-rubygem-unicode-debuginfo redhat-upgrade-rubygem-unicode-debugsource redhat-upgrade-rubygem-unicode-display_width redhat-upgrade-rubygem-version_gem redhat-upgrade-satellite redhat-upgrade-satellite-branding redhat-upgrade-satellite-cli redhat-upgrade-satellite-clone redhat-upgrade-satellite-maintain References CVE-2022-4130

Red Hat: CVE-2022-46878: CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6 (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/16/2022 Created 12/16/2022 Added 12/16/2022 Modified 01/28/2025 Description Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6. Solution(s) redhat-upgrade-firefox redhat-upgrade-firefox-debuginfo redhat-upgrade-firefox-debugsource redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2022-46878 RHSA-2022:9065 RHSA-2022:9066 RHSA-2022:9067 RHSA-2022:9068 RHSA-2022:9069 RHSA-2022:9072 RHSA-2022:9074 RHSA-2022:9075 RHSA-2022:9078 RHSA-2022:9079 RHSA-2022:9080 RHSA-2022:9081 View more

SUSE: CVE-2022-20567: SUSE Linux Security Advisory Severity 6 CVSS (AV:L/AC:M/Au:M/C:C/I:C/A:C) Published 12/16/2022 Created 05/05/2023 Added 04/11/2023 Modified 01/28/2025 Description In pppol2tp_create of l2tp_ppp.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-186777253References: Upstream kernel Solution(s) suse-upgrade-kernel-azure suse-upgrade-kernel-azure-base suse-upgrade-kernel-azure-devel suse-upgrade-kernel-debug-base suse-upgrade-kernel-default suse-upgrade-kernel-default-base suse-upgrade-kernel-default-devel suse-upgrade-kernel-default-extra suse-upgrade-kernel-default-man suse-upgrade-kernel-devel suse-upgrade-kernel-devel-azure suse-upgrade-kernel-docs suse-upgrade-kernel-kvmsmall-base suse-upgrade-kernel-macros suse-upgrade-kernel-obs-build suse-upgrade-kernel-source suse-upgrade-kernel-source-azure suse-upgrade-kernel-syms suse-upgrade-kernel-syms-azure suse-upgrade-kernel-vanilla suse-upgrade-kernel-vanilla-base suse-upgrade-kernel-vanilla-devel suse-upgrade-kernel-vanilla-livepatch-devel suse-upgrade-kernel-zfcpdump-man suse-upgrade-reiserfs-kmp-default References https://attackerkb.com/topics/cve-2022-20567 CVE - 2022-20567

Red Hat: CVE-2022-20572: missing DM_TARGET_IMMUTABLE feature flag in verity_target in drivers/md/dm-verity-target.c (Multiple Advisories) Severity 7 CVSS (AV:L/AC:L/Au:M/C:C/I:C/A:C) Published 12/16/2022 Created 05/05/2023 Added 04/24/2023 Modified 01/28/2025 Description In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel Solution(s) redhat-upgrade-kernel redhat-upgrade-kernel-rt References CVE-2022-20572 RHSA-2022:7444 RHSA-2022:7683 RHSA-2022:7933 RHSA-2022:8267

Debian: CVE-2022-20567: linux -- security update Severity 6 CVSS (AV:L/AC:M/Au:M/C:C/I:C/A:C) Published 12/16/2022 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description In pppol2tp_create of l2tp_ppp.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-186777253References: Upstream kernel Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2022-20567 CVE - 2022-20567

CentOS Linux: CVE-2022-20572: Moderate: kernel-rt security and bug fix update (Multiple Advisories) Severity 7 CVSS (AV:L/AC:L/Au:M/C:C/I:C/A:C) Published 12/16/2022 Created 05/05/2023 Added 04/24/2023 Modified 01/28/2025 Description In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel Solution(s) centos-upgrade-kernel centos-upgrade-kernel-rt References CVE-2022-20572

Rocky Linux: CVE-2022-4130: Satellite-6.14 (RLSA-2023-6818) Severity 6 CVSS (AV:N/AC:M/Au:M/C:N/I:C/A:N) Published 12/16/2022 Created 03/07/2024 Added 03/05/2024 Modified 01/30/2025 Description A blind site-to-site request forgery vulnerability was found in Satellite server. It is possible to trigger an external interaction to an attacker's server by modifying the Referer header in an HTTP request of specific resources in the server. Solution(s) rocky-upgrade-libdb-cxx rocky-upgrade-libdb-cxx-debuginfo rocky-upgrade-libdb-debuginfo rocky-upgrade-libdb-debugsource rocky-upgrade-libdb-sql-debuginfo rocky-upgrade-libdb-sql-devel-debuginfo rocky-upgrade-libdb-utils-debuginfo References https://attackerkb.com/topics/cve-2022-4130 CVE - 2022-4130 https://errata.rockylinux.org/RLSA-2023:6818

Huawei EulerOS: CVE-2022-20566: kernel security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 12/16/2022 Created 06/09/2023 Added 06/09/2023 Modified 01/28/2025 Description In l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel Solution(s) huawei-euleros-2_0_sp5-upgrade-kernel huawei-euleros-2_0_sp5-upgrade-kernel-devel huawei-euleros-2_0_sp5-upgrade-kernel-headers huawei-euleros-2_0_sp5-upgrade-kernel-tools huawei-euleros-2_0_sp5-upgrade-kernel-tools-libs huawei-euleros-2_0_sp5-upgrade-perf huawei-euleros-2_0_sp5-upgrade-python-perf References https://attackerkb.com/topics/cve-2022-20566 CVE - 2022-20566 EulerOS-SA-2023-2152

Huawei EulerOS: CVE-2022-20572: kernel security update Severity 7 CVSS (AV:L/AC:L/Au:M/C:C/I:C/A:C) Published 12/16/2022 Created 06/09/2023 Added 06/09/2023 Modified 01/28/2025 Description In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel Solution(s) huawei-euleros-2_0_sp5-upgrade-kernel huawei-euleros-2_0_sp5-upgrade-kernel-devel huawei-euleros-2_0_sp5-upgrade-kernel-headers huawei-euleros-2_0_sp5-upgrade-kernel-tools huawei-euleros-2_0_sp5-upgrade-kernel-tools-libs huawei-euleros-2_0_sp5-upgrade-perf huawei-euleros-2_0_sp5-upgrade-python-perf References https://attackerkb.com/topics/cve-2022-20572 CVE - 2022-20572 EulerOS-SA-2023-2181

Debian: CVE-2022-20572: linux -- security update Severity 7 CVSS (AV:L/AC:L/Au:M/C:C/I:C/A:C) Published 12/16/2022 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2022-20572 CVE - 2022-20572

Debian: CVE-2022-20566: linux -- security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 12/16/2022 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description In l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2022-20566 CVE - 2022-20566

Debian: CVE-2022-4556: sogo -- security update Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 12/16/2022 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross site scripting. The attack may be launched remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is efac49ae91a4a325df9931e78e543f707a0f8e5e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215960. Solution(s) debian-upgrade-sogo References https://attackerkb.com/topics/cve-2022-4556 CVE - 2022-4556

Debian: CVE-2022-20568: linux -- security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 12/16/2022 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description In (TBD) of (TBD), there is a possible way to corrupt kernel memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-220738351References: Upstream kernel Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2022-20568 CVE - 2022-20568

Huawei EulerOS: CVE-2022-20572: kernel security update Severity 7 CVSS (AV:L/AC:L/Au:M/C:C/I:C/A:C) Published 12/16/2022 Created 02/10/2023 Added 02/09/2023 Modified 01/28/2025 Description In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel Solution(s) huawei-euleros-2_0_sp8-upgrade-bpftool huawei-euleros-2_0_sp8-upgrade-kernel huawei-euleros-2_0_sp8-upgrade-kernel-devel huawei-euleros-2_0_sp8-upgrade-kernel-headers huawei-euleros-2_0_sp8-upgrade-kernel-tools huawei-euleros-2_0_sp8-upgrade-kernel-tools-libs huawei-euleros-2_0_sp8-upgrade-perf huawei-euleros-2_0_sp8-upgrade-python-perf huawei-euleros-2_0_sp8-upgrade-python3-perf References https://attackerkb.com/topics/cve-2022-20572 CVE - 2022-20572 EulerOS-SA-2023-1347

Debian: CVE-2022-4558: sogo -- security update Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 12/16/2022 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description A vulnerability was found in Alinto SOGo up to 5.7.1. It has been classified as problematic. This affects an unknown part of the file SoObjects/SOGo/NSString+Utilities.m of the component Folder/Mail Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is 1e0f5f00890f751e84d67be4f139dd7f00faa5f3. It is recommended to upgrade the affected component. The identifier VDB-215961 was assigned to this vulnerability. Solution(s) debian-upgrade-sogo References https://attackerkb.com/topics/cve-2022-4558 CVE - 2022-4558

Debian: CVE-2022-3109: ffmpeg -- security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 12/16/2022 Created 05/05/2023 Added 05/02/2023 Modified 01/28/2025 Description An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability. Solution(s) debian-upgrade-ffmpeg References https://attackerkb.com/topics/cve-2022-3109 CVE - 2022-3109 DSA-5394 DSA-5394-1

CentOS Linux: CVE-2022-46872: Important: firefox security update (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/16/2022 Created 12/16/2022 Added 12/16/2022 Modified 01/28/2025 Description An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.<br>*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6. Solution(s) centos-upgrade-firefox centos-upgrade-firefox-debuginfo centos-upgrade-firefox-debugsource centos-upgrade-thunderbird centos-upgrade-thunderbird-debuginfo centos-upgrade-thunderbird-debugsource References CVE-2022-46872

Google Chrome Vulnerability: CVE-2021-30570 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 12/18/2022 Created 01/14/2023 Added 12/18/2022 Modified 01/09/2023 Description Google Chrome Vulnerability: CVE-2021-30570 Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2021-30570 CVE - 2021-30570

CentOS Linux: CVE-2022-46874: Important: firefox security update (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 12/16/2022 Created 12/16/2022 Added 12/16/2022 Modified 01/28/2025 Description A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code.<br/>*Note*: This issue was originally included in the advisories for Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird 102.6.1. This vulnerability affects Firefox < 108, Thunderbird < 102.6.1, Thunderbird < 102.6, and Firefox ESR < 102.6. Solution(s) centos-upgrade-firefox centos-upgrade-firefox-debuginfo centos-upgrade-firefox-debugsource centos-upgrade-thunderbird centos-upgrade-thunderbird-debuginfo centos-upgrade-thunderbird-debugsource References CVE-2022-46874

VMware Photon OS: CVE-2022-47519 Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 12/18/2022 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2022-47519 CVE - 2022-47519

Huawei EulerOS: CVE-2022-4603: ppp security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 12/18/2022 Created 06/09/2023 Added 06/09/2023 Modified 01/28/2025 Description A vulnerability classified as problematic has been found in ppp. Affected is the function dumpppp of the file pppdump/pppdump.c of the component pppdump. The manipulation of the argument spkt.buf/rpkt.buf leads to improper validation of array index. The real existence of this vulnerability is still doubted at the moment. The name of the patch is a75fb7b198eed50d769c80c36629f38346882cbf. It is recommended to apply a patch to fix this issue. VDB-216198 is the identifier assigned to this vulnerability. NOTE: pppdump is not used in normal process of setting up a PPP connection, is not installed setuid-root, and is not invoked automatically in any scenario. Solution(s) huawei-euleros-2_0_sp5-upgrade-ppp References https://attackerkb.com/topics/cve-2022-4603 CVE - 2022-4603 EulerOS-SA-2023-2165

Debian: CVE-2021-4249: haskell-xml-conduit -- security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 12/18/2022 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description A vulnerability was found in xml-conduit. It has been classified as problematic. Affected is an unknown function of the file xml-conduit/src/Text/XML/Stream/Parse.hs of the component DOCTYPE Entity Expansion Handler. The manipulation leads to infinite loop. It is possible to launch the attack remotely. Upgrading to version 1.9.1.0 is able to address this issue. The name of the patch is 4be1021791dcdee8b164d239433a2043dc0939ea. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216204. Solution(s) debian-upgrade-haskell-xml-conduit References https://attackerkb.com/topics/cve-2021-4249 CVE - 2021-4249

Debian: CVE-2022-47519: linux -- security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 12/18/2022 Created 12/23/2022 Added 12/22/2022 Modified 01/28/2025 Description An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2022-47519 CVE - 2022-47519 DLA-3244-1

Debian: CVE-2022-47518: linux -- security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 12/18/2022 Created 12/23/2022 Added 12/22/2022 Modified 01/28/2025 Description An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2022-47518 CVE - 2022-47518 DLA-3244-1

Debian: CVE-2022-47521: linux -- security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 12/18/2022 Created 12/23/2022 Added 12/22/2022 Modified 01/28/2025 Description An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2022-47521 CVE - 2022-47521 DLA-3244-1