π¨ CVE-2024-9633
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.4.2, all versions starting from 17.5 before 17.5.4, all versions starting from 17.6 before 17.6.2. This issue allows an attacker to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks.
π@cveNotify
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.4.2, all versions starting from 17.5 before 17.5.4, all versions starting from 17.6 before 17.6.2. This issue allows an attacker to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks.
π@cveNotify
π¨ CVE-2024-47248
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Apache NimBLE.
Specially crafted MESH message could result in memory corruption when non-default build configuration is used.
This issue affects Apache NimBLE: through 1.7.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
π@cveNotify
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Apache NimBLE.
Specially crafted MESH message could result in memory corruption when non-default build configuration is used.
This issue affects Apache NimBLE: through 1.7.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
π@cveNotify
GitHub
nimble/mesh: Add check for rx buffer in PB ADV Β· apache/mynewt-nimble@4f75c0b
Validate if Transaction Continuation PDU can fit into buffer before
copying data.
copying data.
π¨ CVE-2024-47249
Improper Validation of Array Index vulnerability in Apache NimBLE.
Lack of input validation for HCI events from controller could result in out-of-bound memory corruption and crash.
This issue requires broken or bogus Bluetooth controller and thus severity is considered low.
This issue affects Apache NimBLE: through 1.7.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
π@cveNotify
Improper Validation of Array Index vulnerability in Apache NimBLE.
Lack of input validation for HCI events from controller could result in out-of-bound memory corruption and crash.
This issue requires broken or bogus Bluetooth controller and thus severity is considered low.
This issue affects Apache NimBLE: through 1.7.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
π@cveNotify
GitHub
nimble/host: Validate advertising instance before parsing event Β· apache/mynewt-nimble@f393308
Advertising instance is used for indexing slave state array. Since
instance is provided by host invalid handle in event means there is
bug in controller.
instance is provided by host invalid handle in event means there is
bug in controller.
π¨ CVE-2024-47250
Out-of-bounds Read vulnerability in Apache NimBLE.
Missing proper validation of HCI advertising report could lead to out-of-bound access when parsing HCI event and thus bogus GAP 'device found' events being sent.
This issue requires broken or bogus Bluetooth controller and thus severity is considered low.
This issue affects Apache NimBLE: through 1.7.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
π@cveNotify
Out-of-bounds Read vulnerability in Apache NimBLE.
Missing proper validation of HCI advertising report could lead to out-of-bound access when parsing HCI event and thus bogus GAP 'device found' events being sent.
This issue requires broken or bogus Bluetooth controller and thus severity is considered low.
This issue affects Apache NimBLE: through 1.7.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
π@cveNotify
GitHub
nimble/host: Add extended advertising report event validation Β· apache/mynewt-nimble@23d6115
Validate if HCI event received from controller has proper sizes before
passing it to GAP event.
passing it to GAP event.
π¨ CVE-2024-51569
Out-of-bounds Read vulnerability in Apache NimBLE.
Missing proper validation of HCI Number Of Completed Packets could lead to out-of-bound access when parsing HCI event and invalid read from HCI transport memory.
This issue requires broken or bogus Bluetooth controller and thus severity is considered low.
This issue affects Apache NimBLE: through 1.7.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
π@cveNotify
Out-of-bounds Read vulnerability in Apache NimBLE.
Missing proper validation of HCI Number Of Completed Packets could lead to out-of-bound access when parsing HCI event and invalid read from HCI transport memory.
This issue requires broken or bogus Bluetooth controller and thus severity is considered low.
This issue affects Apache NimBLE: through 1.7.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
π@cveNotify
GitHub
nimble/host: Add Number Complete Packets event validation Β· apache/mynewt-nimble@4e3ac5b
Validate if HCI event received from controller has proper sizes before
passing it to GAP event
passing it to GAP event
π¨ CVE-2024-53907
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
π@cveNotify
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
π@cveNotify
Django Project
Archive of security issues | Django documentation
The web framework for perfectionists with deadlines.
π¨ CVE-2024-53908
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
π@cveNotify
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
π@cveNotify
Django Project
Archive of security issues | Django documentation
The web framework for perfectionists with deadlines.
π¨ CVE-2023-42840
The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data.
π@cveNotify
The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data.
π@cveNotify
Apple Support
About the security content of macOS Monterey 12.7.1
This document describes the security content of macOS Monterey 12.7.1.
π¨ CVE-2024-10771
Due to missing input validation during one step of the firmware update process, the product
is vulnerable to remote code execution. With network access and the user level βServiceβ, an attacker
can execute arbitrary system commands in the root userβs contexts.
π@cveNotify
Due to missing input validation during one step of the firmware update process, the product
is vulnerable to remote code execution. With network access and the user level βServiceβ, an attacker
can execute arbitrary system commands in the root userβs contexts.
π@cveNotify
π¨ CVE-2024-10772
Since the firmware update is not validated, an attacker can install modified firmware on the
device. This has a high impact on the availabilty, integrity and confidentiality up to the complete compromise of the device.
π@cveNotify
Since the firmware update is not validated, an attacker can install modified firmware on the
device. This has a high impact on the availabilty, integrity and confidentiality up to the complete compromise of the device.
π@cveNotify
π¨ CVE-2024-10773
The product is vulnerable to pass-the-hash attacks in combination with hardcoded credentials of hidden user levels. This means that an attacker can log in with the hidden user levels and gain
full access to the device.
π@cveNotify
The product is vulnerable to pass-the-hash attacks in combination with hardcoded credentials of hidden user levels. This means that an attacker can log in with the hidden user levels and gain
full access to the device.
π@cveNotify
π¨ CVE-2024-10774
Unauthenticated CROWN APIs allow access to critical functions. This leads to the accessibility of large parts of the web application without authentication.
π@cveNotify
Unauthenticated CROWN APIs allow access to critical functions. This leads to the accessibility of large parts of the web application without authentication.
π@cveNotify
π¨ CVE-2024-10776
Lua apps can be deployed, removed, started, reloaded or stopped without authorization via
AppManager. This allows an attacker to remove legitimate apps creating a DoS attack, read and write
files or load apps that use all features of the product available to a customer.
π@cveNotify
Lua apps can be deployed, removed, started, reloaded or stopped without authorization via
AppManager. This allows an attacker to remove legitimate apps creating a DoS attack, read and write
files or load apps that use all features of the product available to a customer.
π@cveNotify
π¨ CVE-2019-12749
dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.
π@cveNotify
dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.
π@cveNotify
π¨ CVE-2023-27561
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
π@cveNotify
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
π@cveNotify
Gist
runc_poc.md
GitHub Gist: instantly share code, notes, and snippets.
π¨ CVE-2023-28642
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.
π@cveNotify
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.
π@cveNotify
GitHub
[1.1 backport] Prohibit /proc and /sys to be symlinks by thaJeztah Β· Pull Request #3785 Β· opencontainers/runc
backport of Prohibit /proc and /sys to be symlinks #3773
fixes CVE-2019-19921 re-introduction/regression #3751
fixes CVE-2023-27561
Commit 3291d66 introduced a check for /proc and /sys, making sur...
fixes CVE-2019-19921 re-introduction/regression #3751
fixes CVE-2023-27561
Commit 3291d66 introduced a check for /proc and /sys, making sur...
π¨ CVE-2023-29405
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
π@cveNotify
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
π@cveNotify
π¨ CVE-2023-42366
A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.
π@cveNotify
A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.
π@cveNotify
π¨ CVE-2024-1671
Inappropriate implementation in Site Isolation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium)
π@cveNotify
Inappropriate implementation in Site Isolation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium)
π@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 122 to the stable channel for Windows, Mac and Linux. This will roll out ov...
π¨ CVE-2023-42823
The issue was resolved by sanitizing logging This issue is fixed in watchOS 10.1, macOS Sonoma 14.1, tvOS 17.1, macOS Monterey 12.7.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data.
π@cveNotify
The issue was resolved by sanitizing logging This issue is fixed in watchOS 10.1, macOS Sonoma 14.1, tvOS 17.1, macOS Monterey 12.7.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data.
π@cveNotify
Apple Support
About the security content of iOS 16.7.2 and iPadOS 16.7.2
This document describes the security content of iOS 16.7.2 and iPadOS 16.7.2.
π¨ CVE-2024-26244
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
π@cveNotify
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
π@cveNotify