ISHACK AI BOT

Azul Zulu: CVE-2024-20921: Vulnerability in the Hotspot component Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 03/19/2024 Created 03/20/2024 Added 03/19/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result inunauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). Solution(s) azul-zulu-upgrade-latest References https://attackerkb.com/topics/cve-2024-20921 CVE - 2024-20921 https://www.azul.com/downloads/

Red Hat OpenShift: CVE-2023-6597: python: Path traversal on tempfile.TemporaryDirectory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 01/24/2025 Added 01/23/2025 Modified 02/14/2025 Description An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. Solution(s) linuxrpm-upgrade-rhcos References https://attackerkb.com/topics/cve-2023-6597 CVE - 2023-6597 RHSA-2024:3347 RHSA-2024:3391 RHSA-2024:3466 RHSA-2024:4058 RHSA-2024:4077 RHSA-2024:4078 RHSA-2024:4166 RHSA-2024:4370 RHSA-2024:4406 RHSA-2024:4456 RHSA-2024:4865 RHSA-2024:4871 RHSA-2024:4896 RHSA-2024:5535 RHSA-2024:5689 RHSA-2025:0364 RHSA-2025:0646 RHSA-2025:0650 RHSA-2025:0832 RHSA-2025:1116 RHSA-2025:1120 View more

Huawei EulerOS: CVE-2024-0450: python3 security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 07/02/2024 Added 07/01/2024 Modified 07/01/2024 Description An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. Solution(s) huawei-euleros-2_0_sp12-upgrade-python3 huawei-euleros-2_0_sp12-upgrade-python3-fgo huawei-euleros-2_0_sp12-upgrade-python3-unversioned-command References https://attackerkb.com/topics/cve-2024-0450 CVE - 2024-0450 EulerOS-SA-2024-1875

Amazon Linux AMI 2: CVE-2024-2616: Security patch for firefox, thunderbird (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 04/02/2024 Added 04/02/2024 Modified 04/02/2024 Description To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. This vulnerability affects Firefox ESR < 115.9 and Thunderbird < 115.9. Solution(s) amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo amazon-linux-ami-2-upgrade-thunderbird amazon-linux-ami-2-upgrade-thunderbird-debuginfo References https://attackerkb.com/topics/cve-2024-2616 AL2/ALAS-2024-2505 AL2/ALASFIREFOX-2024-023 CVE - 2024-2616

MFSA2024-12 Firefox: Security Vulnerabilities fixed in Firefox 124 (CVE-2024-2612) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/20/2024 Added 03/20/2024 Modified 03/21/2024 Description If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) mozilla-firefox-upgrade-124_0 References https://attackerkb.com/topics/cve-2024-2612 CVE - 2024-2612 http://www.mozilla.org/security/announce/2024/mfsa2024-12.html

Amazon Linux AMI 2: CVE-2024-2614: Security patch for firefox, thunderbird (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 04/02/2024 Added 04/02/2024 Modified 04/02/2024 Description Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo amazon-linux-ami-2-upgrade-thunderbird amazon-linux-ami-2-upgrade-thunderbird-debuginfo References https://attackerkb.com/topics/cve-2024-2614 AL2/ALAS-2024-2505 AL2/ALASFIREFOX-2024-023 CVE - 2024-2614

IBM AIX: python_advisory10 (CVE-2024-0450): Vulnerability in python affects AIX Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:C/A:N) Published 03/19/2024 Created 06/26/2024 Added 06/25/2024 Modified 10/31/2024 Description An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. Solution(s) ibm-aix-python_advisory10 References https://attackerkb.com/topics/cve-2024-0450 CVE - 2024-0450 https://aix.software.ibm.com/aix/efixes/security/python_advisory10.asc

Rocky Linux: CVE-2024-2612: thunderbird (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/29/2024 Added 03/28/2024 Modified 11/18/2024 Description If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource References https://attackerkb.com/topics/cve-2024-2612 CVE - 2024-2612 https://errata.rockylinux.org/RLSA-2024:1484 https://errata.rockylinux.org/RLSA-2024:1494

Debian: CVE-2024-2609: firefox-esr, thunderbird -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 04/19/2024 Added 04/19/2024 Modified 04/23/2024 Description The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites. This vulnerability affects Firefox < 124, Firefox ESR < 115.10, and Thunderbird < 115.10. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2024-2609 CVE - 2024-2609 DSA-5663-1

Debian: CVE-2024-2611: firefox-esr, thunderbird -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/25/2024 Added 03/25/2024 Modified 03/27/2024 Description A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2024-2611 CVE - 2024-2611 DLA-3769-1 DSA-5643-1 DSA-5644-1

Debian: CVE-2024-2616: firefox-esr, thunderbird -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/25/2024 Added 03/25/2024 Modified 03/27/2024 Description To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. This vulnerability affects Firefox ESR < 115.9 and Thunderbird < 115.9. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2024-2616 CVE - 2024-2616 DLA-3769-1 DSA-5643-1 DSA-5644-1

Debian: CVE-2024-0450: Multiple Affected Packages Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/27/2024 Added 03/26/2024 Modified 12/09/2024 Description An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. Solution(s) debian-upgrade-pypy3 debian-upgrade-python2-7 debian-upgrade-python3-11 debian-upgrade-python3-9 References https://attackerkb.com/topics/cve-2024-0450 CVE - 2024-0450 DLA-3771-1 DLA-3772-1

FreeBSD: VID-A431676C-F86C-4371-B48A-B7D2B0BEC3A3 (CVE-2024-22017): electron29 -- setuid() does not affect libuv's internal io_uring Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 05/22/2024 Added 05/18/2024 Modified 05/18/2024 Description setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21. Solution(s) freebsd-upgrade-package-electron29 References CVE-2024-22017

Ubuntu: USN-6703-1 (CVE-2024-2606): Firefox vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/22/2024 Added 03/21/2024 Modified 10/23/2024 Description Passing invalid data could have led to invalid wasm values being created, such as arbitrary integers turning into pointer values. This vulnerability affects Firefox < 124. Solution(s) ubuntu-upgrade-firefox References https://attackerkb.com/topics/cve-2024-2606 CVE - 2024-2606 USN-6703-1

Debian: CVE-2024-2614: firefox-esr, thunderbird -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/25/2024 Added 03/25/2024 Modified 03/27/2024 Description Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2024-2614 CVE - 2024-2614 DLA-3769-1 DSA-5643-1 DSA-5644-1

MFSA2024-12 Firefox: Security Vulnerabilities fixed in Firefox 124 (CVE-2024-2611) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/20/2024 Added 03/20/2024 Modified 03/21/2024 Description A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) mozilla-firefox-upgrade-124_0 References https://attackerkb.com/topics/cve-2024-2611 CVE - 2024-2611 http://www.mozilla.org/security/announce/2024/mfsa2024-12.html

MFSA2024-13 Firefox: Security Vulnerabilities fixed in Firefox ESR 115.9 (CVE-2024-2612) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/20/2024 Added 03/20/2024 Modified 03/21/2024 Description If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) mozilla-firefox-esr-upgrade-115_9 References https://attackerkb.com/topics/cve-2024-2612 CVE - 2024-2612 http://www.mozilla.org/security/announce/2024/mfsa2024-13.html

MFSA2024-12 Firefox: Security Vulnerabilities fixed in Firefox 124 (CVE-2024-2607) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/20/2024 Added 03/20/2024 Modified 03/21/2024 Description Return registers were overwritten which could have allowed an attacker to execute arbitrary code. *Note:* This issue only affected Armv7-A systems. Other operating systems are unaffected. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) mozilla-firefox-upgrade-124_0 References https://attackerkb.com/topics/cve-2024-2607 CVE - 2024-2607 http://www.mozilla.org/security/announce/2024/mfsa2024-12.html

MFSA2024-12 Firefox: Security Vulnerabilities fixed in Firefox 124 (CVE-2023-5388) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/20/2024 Added 03/20/2024 Modified 03/21/2024 Description NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) mozilla-firefox-upgrade-124_0 References https://attackerkb.com/topics/cve-2023-5388 CVE - 2023-5388 http://www.mozilla.org/security/announce/2024/mfsa2024-12.html

MFSA2024-13 Firefox: Security Vulnerabilities fixed in Firefox ESR 115.9 (CVE-2024-2605) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/20/2024 Added 03/20/2024 Modified 03/21/2024 Description An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox. *Note:* This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) mozilla-firefox-esr-upgrade-115_9 References https://attackerkb.com/topics/cve-2024-2605 CVE - 2024-2605 http://www.mozilla.org/security/announce/2024/mfsa2024-13.html

MFSA2024-12 Firefox: Security Vulnerabilities fixed in Firefox 124 (CVE-2024-2608) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/20/2024 Added 03/20/2024 Modified 03/21/2024 Description `AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding()` and `AppendEncodedCharacters()` could have experienced integer overflows, causing underallocation of an output buffer leading to an out of bounds write. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) mozilla-firefox-upgrade-124_0 References https://attackerkb.com/topics/cve-2024-2608 CVE - 2024-2608 http://www.mozilla.org/security/announce/2024/mfsa2024-12.html

MFSA2024-12 Firefox: Security Vulnerabilities fixed in Firefox 124 (CVE-2024-2605) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/20/2024 Added 03/20/2024 Modified 03/21/2024 Description An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox. *Note:* This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) mozilla-firefox-upgrade-124_0 References https://attackerkb.com/topics/cve-2024-2605 CVE - 2024-2605 http://www.mozilla.org/security/announce/2024/mfsa2024-12.html

MFSA2024-13 Firefox: Security Vulnerabilities fixed in Firefox ESR 115.9 (CVE-2024-2607) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/20/2024 Added 03/20/2024 Modified 03/21/2024 Description Return registers were overwritten which could have allowed an attacker to execute arbitrary code. *Note:* This issue only affected Armv7-A systems. Other operating systems are unaffected. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) mozilla-firefox-esr-upgrade-115_9 References https://attackerkb.com/topics/cve-2024-2607 CVE - 2024-2607 http://www.mozilla.org/security/announce/2024/mfsa2024-13.html

MFSA2024-12 Firefox: Security Vulnerabilities fixed in Firefox 124 (CVE-2024-2614) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/20/2024 Added 03/20/2024 Modified 03/21/2024 Description Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) mozilla-firefox-upgrade-124_0 References https://attackerkb.com/topics/cve-2024-2614 CVE - 2024-2614 http://www.mozilla.org/security/announce/2024/mfsa2024-12.html

MFSA2024-12 Firefox: Security Vulnerabilities fixed in Firefox 124 (CVE-2024-2610) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 03/20/2024 Added 03/20/2024 Modified 03/21/2024 Description Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. Solution(s) mozilla-firefox-upgrade-124_0 References https://attackerkb.com/topics/cve-2024-2610 CVE - 2024-2610 http://www.mozilla.org/security/announce/2024/mfsa2024-12.html