#ExploitObserverAlert
CVE-2024-25631
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-25631. Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and WireGuard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround for this issue.
#ExploitObserverAlert
CVE-2023-52438
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2023-52438. In the Linux kernel, the following vulnerability has been resolved:

binder: fix use-after-free in shrinker's callback

The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated.

I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF:

  ==================================================================
  BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8
  Read of size 8 at addr ffff356ed50e50f0 by task bash/478

  CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   zap_page_range_single+0x470/0x4b8
   binder_alloc_free_page+0x608/0xadc
   __list_lru_walk_one+0x130/0x3b0
   list_lru_walk_node+0xc4/0x22c
   binder_shrink_scan+0x108/0x1dc
   shrinker_debugfs_scan_write+0x2b4/0x500
   full_proxy_write+0xd4/0x140
   vfs_write+0x1ac/0x758
   ksys_write+0xf0/0x1dc
   __arm64_sys_write+0x6c/0x9c

  Allocated by task 492:
   kmem_cache_alloc+0x130/0x368
   vm_area_alloc+0x2c/0x190
   mmap_region+0x258/0x18bc
   do_mmap+0x694/0xa60
   vm_mmap_pgoff+0x170/0x29c
   ksys_mmap_pgoff+0x290/0x3a0
   __arm64_sys_mmap+0xcc/0x144

  Freed by task 491:
   kmem_cache_free+0x17c/0x3c8
   vm_area_free_rcu_cb+0x74/0x98
   rcu_core+0xa38/0x26d4
   rcu_core_si+0x10/0x1c
   __do_softirq+0x2fc/0xd24

  Last potentially related work creation:
   __call_rcu_common.constprop.0+0x6c/0xba0
   call_rcu+0x10/0x1c
   vm_area_free+0x18/0x24
   remove_vma+0xe4/0x118
   do_vmi_align_munmap.isra.0+0x718/0xb5c
   do_vmi_munmap+0xdc/0x1fc
   __vm_munmap+0x10c/0x278
   __arm64_sys_munmap+0x58/0x7c

Fix this issue by performing instead a vma_lookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmap_write_trylock() has been recently removed anyway.
#ExploitObserverAlert
CVE-2023-7245
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2023-7245. The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable.
#ExploitObserverAlert
GHSA-w3q8-m492-4pwp
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to GHSA-w3q8-m492-4pwp. Possibility to circumvent the invitation token expiry period
#ExploitObserverAlert
CVE-2023-39540
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2023-39540. A denial of service vulnerability exists in the ICMP and ICMPv6 parsing functionality of Weston Embedded uC-TCP-IP v3.06.01. A specially crafted network packet can lead to an out-of-bounds read. An attacker can send a malicious packet to trigger this vulnerability. This vulnerability concerns a denial of service within the parsing of an IPv4 ICMP packet.
NVD-IS: 3.6
NVD-ES: 2.2
#ExploitObserverAlert
GHSA-vj36-3ccr-6563
DESCRIPTION: Exploit Observer has 6 entries in 3 file formats related to GHSA-vj36-3ccr-6563. Authentication Bypass by Spoofing in github.com/greenpau/caddy-security
#ExploitObserverAlert
CVE-2024-22097
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-22097. A double-free vulnerability exists in the BrainVision Header Parsing functionality of The Biosig Project libbiosig Master Branch (ab0ee111) and 2.5.0. A specially crafted .vdhr file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
NVD-IS: 5.9
NVD-ES: 3.9
#ExploitObserverAlert
TALOS-2024-1923
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to TALOS-2024-1923. Contact Cisco Talos Incident Response.
#ExploitObserverAlert
CVE-2024-24793
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-24793. A use-after-free vulnerability exists in the DICOM Element Parsing as implemented in Imaging Data Commons libdicom 1.0.5. A specially crafted DICOM file can cause premature freeing of memory that is used later. To trigger this vulnerability, an attacker would need to induce the vulnerable application to process a malicious DICOM image. The use-after-free happens in `parse_meta_element_create()` when parsing the elements in the File Meta Information header.
NVD-IS: 5.9
NVD-ES: 2.2
#ExploitObserverAlert
CVE-2024-23114
DESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to CVE-2024-23114. Deserialization of Untrusted Data vulnerability in the Apache Camel CassandraQL Component AggregationRepository, which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize a malicious payload. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1.
#ExploitObserverAlert
CVE-2024-21795
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-21795. A heap-based buffer overflow vulnerability exists in the .egi parsing functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .egi file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
NVD-IS: 5.9
NVD-ES: 3.9
#ExploitObserverAlert
CVE-2024-25260
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-25260. elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.
#ExploitObserverAlert
CVE-2024-25196
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-25196. Open Robotics Robotic Operating System 2 (ROS2) and Nav2 humble versions were discovered to contain a buffer overflow via the nav2_controller process. This vulnerability is triggered via sending a crafted .yaml file.
#ExploitObserverAlert
CVE-2023-47635
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2023-47635. Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security threat as you need to have access also to the session cookie in order to see this resource. This URL does not allow modifying the resource but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in version 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates.
#ExploitObserverAlert
TALOS-2024-1925
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to TALOS-2024-1925. Contact Cisco Talos Incident Response.
#ExploitObserverAlert
CVE-2023-39541
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2023-39541. A denial of service vulnerability exists in the ICMP and ICMPv6 parsing functionality of Weston Embedded uC-TCP-IP v3.06.01. A specially crafted network packet can lead to an out-of-bounds read. An attacker can send a malicious packet to trigger this vulnerability. This vulnerability concerns a denial of service within the parsing of an IPv6 ICMPv6 packet.
NVD-IS: 3.6
NVD-ES: 2.2
#ExploitObserverAlert
CVE-2024-26267
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-26267. In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions, the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via the `Liferay-Portal` response header.
#ExploitObserverAlert
GHSA-8h95-jcp5-pjpr
DESCRIPTION: Exploit Observer has 6 entries in 3 file formats related to GHSA-8h95-jcp5-pjpr. Improper Validation of Array Index in github.com/greenpau/caddy-security
#ExploitObserverAlert
CVE-2023-45318
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2023-45318. A heap-based buffer overflow vulnerability exists in the HTTP Server functionality of Weston Embedded uC-HTTP git commit 80d4004. A specially crafted network packet can lead to arbitrary code execution. An attacker can send a malicious packet to trigger this vulnerability.
NVD-IS: 6.0
NVD-ES: 3.9
#ExploitObserverAlert
GHSA-4g9r-vxhx-9pgx
DESCRIPTION: Exploit Observer has 4 entries in 3 file formats related to GHSA-4g9r-vxhx-9pgx. Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file
#ExploitObserverAlert
CVE-2024-25197
DESCRIPTION: Exploit Observer has 1 entry in 1 file format related to CVE-2024-25197. Open Robotics Robotic Operating System 2 (ROS2) and Nav2 humble versions were discovered to contain a NULL pointer dereference via the isCurrent() function at /src/layered_costmap.cpp.