ISHACK AI BOT

Ubuntu: USN-6526-1 (CVE-2023-44429): GStreamer Bad Plugins vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 12/01/2023 Added 11/30/2023 Modified 01/28/2025 Description GStreamer AV1 Codec Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of AV1 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22226. Solution(s) ubuntu-upgrade-gstreamer1-0-plugins-bad ubuntu-upgrade-libgstreamer-plugins-bad1-0-0 References https://attackerkb.com/topics/cve-2023-44429 CVE - 2023-44429 USN-6526-1

Huawei EulerOS: CVE-2023-49083: python-cryptography security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 11/29/2023 Created 01/30/2024 Added 01/29/2024 Modified 01/28/2025 Description cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. Solution(s) huawei-euleros-2_0_sp11-upgrade-python3-cryptography References https://attackerkb.com/topics/cve-2023-49083 CVE - 2023-49083 EulerOS-SA-2024-1127

Google Chrome Vulnerability: CVE-2023-6350 Out of bounds memory access in libavif Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 11/30/2023 Added 11/29/2023 Modified 01/28/2025 Description Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file. (Chromium security severity: High) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2023-6350 CVE - 2023-6350

SUSE: CVE-2023-49083: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 11/29/2023 Created 12/20/2023 Added 12/19/2023 Modified 01/28/2025 Description cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. Solution(s) suse-upgrade-python2-cryptography suse-upgrade-python3-cryptography suse-upgrade-python311-cryptography References https://attackerkb.com/topics/cve-2023-49083 CVE - 2023-49083

Google Chrome Vulnerability: CVE-2023-6348 Type Confusion in Spellcheck Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 11/30/2023 Added 11/29/2023 Modified 01/28/2025 Description Type Confusion in Spellcheck in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2023-6348 CVE - 2023-6348

Alma Linux: CVE-2023-5868: Important: postgresql:13 security update (Multiple Advisories) Severity 4 CVSS (AV:N/AC:L/Au:S/C:P/I:N/A:N) Published 11/29/2023 Created 12/06/2023 Added 12/05/2023 Modified 02/11/2025 Description A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory. Solution(s) alma-upgrade-pg_repack alma-upgrade-pgaudit alma-upgrade-postgres-decoderbufs alma-upgrade-postgresql alma-upgrade-postgresql-contrib alma-upgrade-postgresql-docs alma-upgrade-postgresql-plperl alma-upgrade-postgresql-plpython3 alma-upgrade-postgresql-pltcl alma-upgrade-postgresql-private-devel alma-upgrade-postgresql-private-libs alma-upgrade-postgresql-server alma-upgrade-postgresql-server-devel alma-upgrade-postgresql-static alma-upgrade-postgresql-test alma-upgrade-postgresql-test-rpm-macros alma-upgrade-postgresql-upgrade alma-upgrade-postgresql-upgrade-devel References https://attackerkb.com/topics/cve-2023-5868 CVE - 2023-5868 https://errata.almalinux.org/8/ALSA-2023-7581.html https://errata.almalinux.org/8/ALSA-2023-7714.html https://errata.almalinux.org/8/ALSA-2023-7884.html https://errata.almalinux.org/9/ALSA-2023-7784.html https://errata.almalinux.org/9/ALSA-2023-7785.html

SUSE: CVE-2023-6347: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 12/02/2023 Added 12/01/2023 Modified 01/28/2025 Description Use after free in Mojo in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2023-6347 CVE - 2023-6347

Progress MOVEit Transfer: CVE-2023-6217: MOVEit Transfer XSS through MOVEit Gateway Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:P/A:N) Published 11/29/2023 Created 12/14/2024 Added 12/13/2024 Modified 01/30/2025 Description A reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer. An attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim"s browser. Solution(s) progress-moveit-transfer-cve-2023-6217-solution References https://attackerkb.com/topics/cve-2023-6217 CVE - 2023-6217 https://community.progress.com/s/article/ka74Q000000Ck6XQAS

FreeBSD: VID-76C2110B-9E97-11EE-AE23-A0F3C100AE18 (CVE-2023-49938): slurm-wlm -- Several security issues Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:P/A:N) Published 11/29/2023 Created 12/22/2023 Added 12/20/2023 Modified 01/28/2025 Description An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There is Incorrect Access Control: an attacker can modified their extended group list that is used with the sbcast subsystem, and open files with an unauthorized set of extended groups. The fixed versions are 22.05.11 and 23.02.7. Solution(s) freebsd-upgrade-package-slurm-wlm References CVE-2023-49938

Debian: CVE-2023-6345: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 12/05/2023 Added 12/04/2023 Modified 01/28/2025 Description Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2023-6345 CVE - 2023-6345 DSA-5569-1

Gentoo Linux: CVE-2023-6350: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 02/02/2024 Added 02/01/2024 Modified 01/28/2025 Description Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file. (Chromium security severity: High) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-6350 CVE - 2023-6350 202401-34 202402-14

Debian: CVE-2023-6348: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 12/05/2023 Added 12/04/2023 Modified 01/28/2025 Description Type Confusion in Spellcheck in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2023-6348 CVE - 2023-6348 DSA-5569-1

Gentoo Linux: CVE-2023-49082: aiohttp: Multiple Vulnerabilities Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:P/A:N) Published 11/29/2023 Created 08/08/2024 Added 08/08/2024 Modified 01/28/2025 Description aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0. Solution(s) gentoo-linux-upgrade-dev-python-aiohttp References https://attackerkb.com/topics/cve-2023-49082 CVE - 2023-49082 202408-11

Gentoo Linux: CVE-2023-6345: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 02/02/2024 Added 02/01/2024 Modified 01/28/2025 Description Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-6345 CVE - 2023-6345 202401-34 202402-14

Gentoo Linux: CVE-2023-6347: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 02/02/2024 Added 02/01/2024 Modified 01/28/2025 Description Use after free in Mojo in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine gentoo-linux-upgrade-www-client-chromium gentoo-linux-upgrade-www-client-google-chrome gentoo-linux-upgrade-www-client-microsoft-edge References https://attackerkb.com/topics/cve-2023-6347 CVE - 2023-6347 202401-34 202402-14

Alpine Linux: CVE-2023-6347: Use After Free Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Use after free in Mojo in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) alpine-linux-upgrade-qt5-qtwebengine alpine-linux-upgrade-qt6-qtwebengine References https://attackerkb.com/topics/cve-2023-6347 CVE - 2023-6347 https://security.alpinelinux.org/vuln/CVE-2023-6347

Ubuntu: USN-6879-1 (CVE-2023-48951): Virtuoso Open-Source Edition vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 11/29/2023 Created 07/09/2024 Added 07/09/2024 Modified 01/28/2025 Description An issue in the box_equal function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement. Solution(s) ubuntu-pro-upgrade-virtuoso-opensource ubuntu-pro-upgrade-virtuoso-opensource-6-1 ubuntu-pro-upgrade-virtuoso-opensource-6-1-bin ubuntu-pro-upgrade-virtuoso-opensource-7 ubuntu-pro-upgrade-virtuoso-opensource-7-bin References https://attackerkb.com/topics/cve-2023-48951 CVE - 2023-48951 USN-6879-1

Debian: CVE-2023-6350: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 12/05/2023 Added 12/04/2023 Modified 01/28/2025 Description Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2023-6350 CVE - 2023-6350 DSA-5569-1

Debian: CVE-2023-6347: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 12/05/2023 Added 12/04/2023 Modified 01/28/2025 Description Use after free in Mojo in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2023-6347 CVE - 2023-6347 DSA-5569-1

Alma Linux: CVE-2023-5869: Important: postgresql:13 security update (Multiple Advisories) Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C) Published 11/29/2023 Created 12/06/2023 Added 12/05/2023 Modified 02/11/2025 Description A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory. Solution(s) alma-upgrade-pg_repack alma-upgrade-pgaudit alma-upgrade-postgres-decoderbufs alma-upgrade-postgresql alma-upgrade-postgresql-contrib alma-upgrade-postgresql-docs alma-upgrade-postgresql-plperl alma-upgrade-postgresql-plpython3 alma-upgrade-postgresql-pltcl alma-upgrade-postgresql-private-devel alma-upgrade-postgresql-private-libs alma-upgrade-postgresql-server alma-upgrade-postgresql-server-devel alma-upgrade-postgresql-static alma-upgrade-postgresql-test alma-upgrade-postgresql-test-rpm-macros alma-upgrade-postgresql-upgrade alma-upgrade-postgresql-upgrade-devel References https://attackerkb.com/topics/cve-2023-5869 CVE - 2023-5869 https://errata.almalinux.org/8/ALSA-2023-7581.html https://errata.almalinux.org/8/ALSA-2023-7714.html https://errata.almalinux.org/8/ALSA-2023-7790.html https://errata.almalinux.org/8/ALSA-2023-7884.html https://errata.almalinux.org/9/ALSA-2023-7784.html https://errata.almalinux.org/9/ALSA-2023-7785.html View more

Debian: CVE-2023-6346: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 12/05/2023 Added 12/04/2023 Modified 01/28/2025 Description Use after free in WebAudio in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2023-6346 CVE - 2023-6346 DSA-5569-1

Google Chrome Vulnerability: CVE-2023-6346 Use after free in WebAudio Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 11/30/2023 Added 11/29/2023 Modified 01/28/2025 Description Use after free in WebAudio in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2023-6346 CVE - 2023-6346

Gentoo Linux: CVE-2023-49083: cryptography: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 11/29/2023 Created 07/02/2024 Added 07/03/2024 Modified 01/28/2025 Description cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. Solution(s) gentoo-linux-upgrade-dev-python-cryptography References https://attackerkb.com/topics/cve-2023-49083 CVE - 2023-49083 202407-06

Alpine Linux: CVE-2023-6346: Use After Free Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Use after free in WebAudio in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) alpine-linux-upgrade-qt6-qtwebengine References https://attackerkb.com/topics/cve-2023-6346 CVE - 2023-6346 https://security.alpinelinux.org/vuln/CVE-2023-6346

SUSE: CVE-2023-6346: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/29/2023 Created 12/02/2023 Added 12/01/2023 Modified 01/28/2025 Description Use after free in WebAudio in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2023-6346 CVE - 2023-6346