#ExploitObserverAlert
CVE-2023-52436
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2023-52436. In the Linux kernel, the following vulnerability has been resolved: f2fs: explicitly null-terminate the xattr list. When setting an xattr, explicitly null-terminate the xattr list. This eliminates the fragile assumption that the unused xattr space is always zeroed.
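The failure mode behind that fix, as an added example in plain C (not f2fs code and not the upstream patch): a simplified xattr list whose end is marked by an all-zero entry header. The struct layout, the 4-byte alignment and the buffer size are assumptions for the example. A writer that relies on unused space being zero leaves stale bytes behind after an entry is removed, and a later walk turns those bytes into a phantom entry; writing the terminator explicitly after every modification removes the dependency.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified xattr list in the spirit of f2fs (layout is an assumption for
 * this example): a 4-byte header, then name and value padded to 4 bytes.
 * The list ends at the first entry whose header word is zero. */
struct xent {
    uint8_t  name_len;
    uint8_t  reserved;
    uint16_t value_size;
};

#define XALIGN(n)  (((n) + 3u) & ~3u)
#define XBUF_SIZE  256u

static uint32_t hdr_word(const uint8_t *p) { uint32_t w; memcpy(&w, p, sizeof w); return w; }

static size_t entry_size(const uint8_t *p)
{
    struct xent e;
    memcpy(&e, p, sizeof e);
    return sizeof e + XALIGN((size_t)e.name_len + e.value_size);
}

/* Entries before the terminator, or -1 if the walk runs past len. */
static int xattr_count(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off + sizeof(struct xent) <= len) {
        if (hdr_word(buf + off) == 0) return n;
        size_t sz = entry_size(buf + off);
        if (off + sz > len) return -1;
        n++;
        off += sz;
    }
    return -1;
}

static int xattr_append(uint8_t *buf, size_t len, const char *name,
                        const void *val, uint16_t vlen, int terminate)
{
    size_t off = 0, nlen = strlen(name);
    while (off + sizeof(struct xent) <= len && hdr_word(buf + off) != 0)
        off += entry_size(buf + off);
    struct xent e = { (uint8_t)nlen, 0, vlen };
    size_t body = sizeof e + XALIGN(nlen + vlen);
    if (nlen > 255 || off + body + (terminate ? sizeof e : 0) > len) return -1;
    memcpy(buf + off, &e, sizeof e);
    memcpy(buf + off + sizeof e, name, nlen);
    memcpy(buf + off + sizeof e + nlen, val, vlen);
    if (terminate) memset(buf + off + body, 0, sizeof e);  /* the fix: explicit terminator */
    return 0;
}

/* Remove `name` by shifting the following entries down. Without `terminate`
 * the bytes after the shifted tail are whatever happened to be there. */
static int xattr_remove(uint8_t *buf, size_t len, const char *name, int terminate)
{
    size_t off = 0, found = len, fsz = 0, nlen = strlen(name);
    while (off + sizeof(struct xent) <= len && hdr_word(buf + off) != 0) {
        struct xent e;
        memcpy(&e, buf + off, sizeof e);
        size_t sz = entry_size(buf + off);
        if (off + sz > len) return -1;
        if (found == len && e.name_len == nlen &&
            memcmp(buf + off + sizeof e, name, nlen) == 0) { found = off; fsz = sz; }
        off += sz;
    }
    if (found == len) return -1;
    size_t tail = off - (found + fsz);           /* bytes of the entries after it */
    memmove(buf + found, buf + found + fsz, tail);
    if (terminate) memset(buf + found + tail, 0, sizeof(struct xent));
    return 0;
}

/* Fresh zeroed area, two sets, one removal. A later walk sees 1 entry with
 * explicit termination and 2 without it: the stale '4' from the removed
 * value "1234" is read as a header with name_len 0x34. */
static int demo(int terminate)
{
    uint8_t buf[XBUF_SIZE] = { 0 };
    if (xattr_append(buf, sizeof buf, "a", "1234", 4, terminate) ||
        xattr_append(buf, sizeof buf, "bb", "xy", 2, terminate) ||
        xattr_remove(buf, sizeof buf, "a", terminate))
        return -1;
    return xattr_count(buf, sizeof buf);
}
```

The walker also bounds every step by the buffer length, so a corrupted or unterminated list fails closed (-1) instead of reading past the end.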
#ExploitObserverAlert
WLB-2024020064
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to WLB-2024020064. Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site Scripting.
#ExploitObserverAlert
GHSA-7f2v-5877-rx3x
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to GHSA-7f2v-5877-rx3x. Code injection in REDAXO
#ExploitObserverAlert
GHSA-r969-783f-6jqr
DESCRIPTION: Exploit Observer has 6 entries in 3 file formats related to GHSA-r969-783f-6jqr. Improper Neutralization of HTTP Headers in github.com/greenpau/caddy-security
#ExploitObserverAlert
GHSA-9w99-78rj-hmxq
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to GHSA-9w99-78rj-hmxq. Cross-site scripting (XSS) in the dynamic file uploads
#ExploitObserverAlert
CVE-2023-52439
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2023-52439. In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open.

core-1                                   core-2
-------------------------------------------------------
uio_unregister_device                    uio_open
                                         idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
                                         get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
                                         uio_release
                                         put_device(&idev->dev)
                                         kfree(idev)
-------------------------------------------------------

In the core-1 uio_unregister_device(), device_unregister will kfree idev when the idev->dev kobject refcount is 1. But after core-1's device_unregister and put_device, and before the kfree, core-2 may call get_device. Then: 1. After core-1 kfrees idev, core-2 uses idev after it was freed. 2. When core-2 does uio_release and put_device, idev is double freed. To address this issue, idev is looked up and its reference incremented atomically under minor_lock.
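The two interleavings above, scripted by hand as an added single-threaded model in C (not kernel code and not the upstream fix). The vulnerable open looks the device up under minor_lock but takes its reference only after unlocking, so the unregister on the other core can drop the last reference in between. The fixed open takes the reference under the same lock; as an assumption of this model, the fixed unregister also clears the minor from the table under that lock before dropping its own reference, so a racing open either finds nothing (-ENODEV) or finds a device whose refcount it can still raise. "kfree" is a counter here so the double free is observable rather than undefined behaviour.

```c
#include <stddef.h>
#include <stdlib.h>

/* Model of the uio minor table and device lifetime (names mirror the
 * advisory loosely; this is an illustration, not drivers/uio code). */
struct uio_dev {
    int refs;   /* kobject-style reference count */
    int freed;  /* how many times "kfree" ran on this object */
    int uaf;    /* accesses after the first free */
};

#define NMINOR 4
static struct uio_dev *minor_table[NMINOR];   /* stands in for uio_idr */
static int minor_lock_held;                   /* stands in for minor_lock */

static void minor_lock(void)   { if (minor_lock_held) abort(); minor_lock_held = 1; }
static void minor_unlock(void) { minor_lock_held = 0; }

static void get_device(struct uio_dev *d) { if (d->freed) d->uaf++; d->refs++; }

static void put_device(struct uio_dev *d)
{
    if (d->freed) d->uaf++;
    if (--d->refs == 0) d->freed++;           /* uio_device_release -> kfree(idev) */
}

/* Vulnerable shape of uio_open: find under the lock, get_device() later. */
static struct uio_dev *open_vulnerable_find(int minor)
{
    minor_lock();
    struct uio_dev *d = minor_table[minor];
    minor_unlock();
    return d;                                 /* caller calls get_device() afterwards */
}

/* Fixed shape: find and get_device() under the same lock. */
static struct uio_dev *open_fixed(int minor)
{
    minor_lock();
    struct uio_dev *d = minor_table[minor];
    if (d) get_device(d);
    minor_unlock();
    return d;                                 /* NULL means -ENODEV */
}

/* uio_unregister_device: drop the table's reference and free the minor.
 * Model assumption: the fixed variant clears the minor under the lock
 * before the put, so an open under the lock cannot find a dying device. */
static void unregister_device(int minor, int fixed)
{
    struct uio_dev *d = minor_table[minor];
    if (fixed) {
        minor_lock(); minor_table[minor] = NULL; minor_unlock();
        put_device(d);
    } else {
        put_device(d);                        /* device_unregister -> release -> kfree */
        minor_lock(); minor_table[minor] = NULL; minor_unlock();
    }
}

struct outcome { int freed, uaf; };

/* core-2 finds idev, core-1 unregisters, core-2 then gets and releases. */
static struct outcome race_vulnerable(void)
{
    struct uio_dev dev = { 1, 0, 0 };         /* the table holds the only reference */
    minor_table[0] = &dev;
    struct uio_dev *idev = open_vulnerable_find(0);   /* core-2: idr_find() */
    unregister_device(0, 0);                          /* core-1: kfree(idev) */
    get_device(idev);                                 /* core-2: use-after-free */
    put_device(idev);                                 /* core-2: uio_release, double free */
    return (struct outcome){ dev.freed, dev.uaf };
}

/* Same two cores with the fix, in either order. */
static struct outcome race_fixed(int open_first)
{
    struct uio_dev dev = { 1, 0, 0 };
    minor_table[0] = &dev;
    struct uio_dev *idev = NULL;
    if (open_first) idev = open_fixed(0);             /* refs becomes 2 under the lock */
    unregister_device(0, 1);                          /* table's reference dropped */
    if (!open_first) idev = open_fixed(0);            /* table already empty: -ENODEV */
    if (idev) put_device(idev);                       /* uio_release frees exactly once */
    return (struct outcome){ dev.freed, dev.uaf };
}
```

The vulnerable run reports two frees and two post-free accesses; both fixed orderings report one free and none, which is the invariant the lock is meant to provide: the lookup and the reference grab are one atomic step with respect to unregister.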
#ExploitObserverAlert
GHSA-8hp3-rmr7-xh88
DESCRIPTION: Exploit Observer has 6 entries in 3 file formats related to GHSA-8hp3-rmr7-xh88. Open Redirect in github.com/greenpau/caddy-security
#ExploitObserverAlert
CVE-2024-22369
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to CVE-2024-22369. Deserialization of Untrusted Data vulnerability in the Apache Camel SQL Component. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS release stream, they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1.
#ExploitObserverAlert
CVE-2024-25631
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-25631. Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and WireGuard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround for this issue.
#ExploitObserverAlert
CVE-2023-52438
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2023-52438. In the Linux kernel, the following vulnerability has been resolved: binder: fix use-after-free in shrinker's callback. The mmap read lock is used during the shrinker's callback, which means that using the alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated. I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF:

==================================================================
BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8
Read of size 8 at addr ffff356ed50e50f0 by task bash/478
CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70
Hardware name: linux,dummy-virt (DT)
Call trace:
 zap_page_range_single+0x470/0x4b8
 binder_alloc_free_page+0x608/0xadc
 __list_lru_walk_one+0x130/0x3b0
 list_lru_walk_node+0xc4/0x22c
 binder_shrink_scan+0x108/0x1dc
 shrinker_debugfs_scan_write+0x2b4/0x500
 full_proxy_write+0xd4/0x140
 vfs_write+0x1ac/0x758
 ksys_write+0xf0/0x1dc
 __arm64_sys_write+0x6c/0x9c

Allocated by task 492:
 kmem_cache_alloc+0x130/0x368
 vm_area_alloc+0x2c/0x190
 mmap_region+0x258/0x18bc
 do_mmap+0x694/0xa60
 vm_mmap_pgoff+0x170/0x29c
 ksys_mmap_pgoff+0x290/0x3a0
 __arm64_sys_mmap+0xcc/0x144

Freed by task 491:
 kmem_cache_free+0x17c/0x3c8
 vm_area_free_rcu_cb+0x74/0x98
 rcu_core+0xa38/0x26d4
 rcu_core_si+0x10/0x1c
 __do_softirq+0x2fc/0xd24

Last potentially related work creation:
 __call_rcu_common.constprop.0+0x6c/0xba0
 call_rcu+0x10/0x1c
 vm_area_free+0x18/0x24
 remove_vma+0xe4/0x118
 do_vmi_align_munmap.isra.0+0x718/0xb5c
 do_vmi_munmap+0xdc/0x1fc
 __vm_munmap+0x10c/0x278
 __arm64_sys_munmap+0x58/0x7c

Fix this issue by performing instead a vma_lookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmap_write_trylock() has been recently removed anyway.
#ExploitObserverAlert
CVE-2023-7245
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2023-7245. The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable.
#ExploitObserverAlert
GHSA-w3q8-m492-4pwp
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to GHSA-w3q8-m492-4pwp. Possibility to circumvent the invitation token expiry period
#ExploitObserverAlert
CVE-2023-39540
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2023-39540. A denial of service vulnerability exists in the ICMP and ICMPv6 parsing functionality of Weston Embedded uC-TCP-IP v3.06.01. A specially crafted network packet can lead to an out-of-bounds read. An attacker can send a malicious packet to trigger this vulnerability. This vulnerability concerns a denial of service within the parsing of an IPv4 ICMP packet.
NVD-IS: 3.6
NVD-ES: 2.2
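The class of bug described above (an ICMP parser reading past the received buffer), as an added example in C that is not uC-TCP-IP code and makes no claim about where its parser fails: a bounded IPv4+ICMP parser beside the fragile pattern of sizing the message from the IP total-length field alone. The packets are constructed inline; the only real inputs are the RFC 791/792 header offsets and the RFC 1071 checksum.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct icmp_info {
    uint8_t  type, code;
    uint16_t id, seq;        /* echo request/reply only */
    size_t   payload_len;
    int      csum_ok;
};

enum {
    ICMP_OK = 0,
    ICMP_ERR_IP_HDR = -1,    /* short or odd IPv4 header, or not ICMP */
    ICMP_ERR_IP_LEN = -2,    /* total-length field exceeds the bytes received */
    ICMP_ERR_ICMP_HDR = -3   /* fewer than 8 ICMP bytes present */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement checksum over n bytes. */
static uint16_t inet_csum(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (; n > 1; n -= 2, p += 2) s += be16(p);
    if (n) s += (uint32_t)p[0] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Parse IPv4+ICMP. Every length taken from a header field is checked against
 * `len`, the bytes actually in the buffer, before anything is read from it. */
static int icmp_parse(const uint8_t *pkt, size_t len, struct icmp_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return ICMP_ERR_IP_HDR;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len || pkt[9] != 1) return ICMP_ERR_IP_HDR;
    size_t tot = be16(pkt + 2);
    if (tot < ihl || tot > len) return ICMP_ERR_IP_LEN;   /* claims more than we hold */
    const uint8_t *icmp = pkt + ihl;
    size_t ilen = tot - ihl;
    if (ilen < 8) return ICMP_ERR_ICMP_HDR;
    memset(out, 0, sizeof *out);
    out->type = icmp[0];
    out->code = icmp[1];
    out->csum_ok = inet_csum(icmp, ilen) == 0;           /* covers the whole message */
    if (out->type == 8 || out->type == 0) { out->id = be16(icmp + 4); out->seq = be16(icmp + 6); }
    out->payload_len = ilen - 8;
    return ICMP_OK;
}

/* The fragile pattern: size the ICMP message from the IP total-length field
 * without comparing it to the bytes received. Returns how far past the end of
 * the buffer a checksum over that size would read (0 = safe). Reads nothing. */
static size_t icmp_overread_if_trusted(const uint8_t *pkt, size_t len)
{
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t end = ihl + ((size_t)be16(pkt + 2) - ihl);  /* trusted, unchecked */
    return end > len ? end - len : 0;
}

/* Constructed IPv4 echo request (not a capture). `claimed_total` is written
 * into the IP total-length field so a test can make it lie. Returns bytes built. */
static size_t build_echo(uint8_t *buf, size_t cap, size_t payload, uint16_t claimed_total)
{
    size_t tot = 20 + 8 + payload;
    if (tot > cap) return 0;
    memset(buf, 0, tot);
    buf[0] = 0x45; buf[2] = (uint8_t)(claimed_total >> 8); buf[3] = (uint8_t)claimed_total;
    buf[8] = 64; buf[9] = 1;                                  /* TTL, protocol = ICMP */
    uint8_t *icmp = buf + 20;
    icmp[0] = 8; icmp[4] = 0x12; icmp[5] = 0x34; icmp[7] = 1; /* echo, id 0x1234, seq 1 */
    for (size_t i = 0; i < payload; i++) icmp[8 + i] = (uint8_t)i;
    uint16_t c = inet_csum(icmp, 8 + payload);
    icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)c;
    return tot;
}

/* Honest 44-byte packet: parses, checksum verifies, fields recovered. */
static int demo_honest(void)
{
    uint8_t buf[128]; struct icmp_info i;
    size_t n = build_echo(buf, sizeof buf, 16, 44);
    if (icmp_parse(buf, n, &i) != ICMP_OK) return -1;
    return i.csum_ok && i.id == 0x1234 && i.seq == 1 && i.payload_len == 16;
}

/* Same 44 bytes, but the IP total-length field claims 1500. */
static int demo_lying_code(void)
{
    uint8_t buf[128]; struct icmp_info i;
    size_t n = build_echo(buf, sizeof buf, 16, 1500);
    return icmp_parse(buf, n, &i);                     /* rejected before any ICMP read */
}

static size_t demo_lying_overread(void)
{
    uint8_t buf[128];
    size_t n = build_echo(buf, sizeof buf, 16, 1500);
    return icmp_overread_if_trusted(buf, n);           /* 1500 - 44 = 1456 bytes too far */
}
```

The single rule that prevents this class of bug is visible in icmp_parse: a length that came off the wire is compared to the receive length before it is used to index or checksum anything, and the packet is dropped, not partially parsed, when the two disagree.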
#ExploitObserverAlert
GHSA-vj36-3ccr-6563
DESCRIPTION: Exploit Observer has 6 entries in 3 file formats related to GHSA-vj36-3ccr-6563. Authentication Bypass by Spoofing in github.com/greenpau/caddy-security
#ExploitObserverAlert
CVE-2024-22097
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-22097. A double-free vulnerability exists in the BrainVision Header Parsing functionality of The Biosig Project libbiosig Master Branch (ab0ee111) and 2.5.0. A specially crafted .vdhr file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
NVD-IS: 5.9
NVD-ES: 3.9
#ExploitObserverAlert
TALOS-2024-1923
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to TALOS-2024-1923. Contact Cisco Talos Incident Response.
#ExploitObserverAlert
CVE-2024-24793
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-24793. A use-after-free vulnerability exists in the DICOM Element Parsing as implemented in Imaging Data Commons libdicom 1.0.5. A specially crafted DICOM file can cause premature freeing of memory that is used later. To trigger this vulnerability, an attacker would need to induce the vulnerable application to process a malicious DICOM image. The use-after-free happens in `parse_meta_element_create()` while parsing the elements in the File Meta Information header.
NVD-IS: 5.9
NVD-ES: 2.2
#ExploitObserverAlert
CVE-2024-23114
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to CVE-2024-23114. Deserialization of Untrusted Data vulnerability in the Apache Camel CassandraQL Component AggregationRepository, which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize a malicious payload. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS release stream, they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1.
#ExploitObserverAlert
CVE-2024-21795
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-21795. A heap-based buffer overflow vulnerability exists in the .egi parsing functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .egi file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
NVD-IS: 5.9
NVD-ES: 3.9
#ExploitObserverAlert
CVE-2024-25260
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-25260. elfutils v0.189 was discovered to contain a NULL pointer dereference in the handle_verdef() function in readelf.c.
#ExploitObserverAlert
CVE-2024-25196
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-25196. Open Robotics Robot Operating System 2 (ROS2) and Nav2 humble versions were discovered to contain a buffer overflow via the nav2_controller process. This vulnerability is triggered by sending a crafted .yaml file.