diff --git a/prospector/README.md b/prospector/README.md index 968e9be13..4ccf7f6ed 100644 --- a/prospector/README.md +++ b/prospector/README.md @@ -55,6 +55,7 @@ To quickly set up Prospector, follow these steps. This will run Prospector in it By default, Prospector saves the results in a HTML file named *prospector-report.html*. Open this file in a web browser to view what Prospector was able to find! + ### 🤖 LLM Support To use Prospector with LLM support, you simply set required parameters for the API access to the LLM in *config.yaml*. These parameters can vary depending on your choice of provider, please follow what fits your needs (drop-downs below). If you do not want to use LLM support, keep the `llm_service` block in your *config.yaml* file commented out. diff --git a/prospector/cli/main.py b/prospector/cli/main.py index 696a51e06..2cdeac7d4 100644 --- a/prospector/cli/main.py +++ b/prospector/cli/main.py @@ -68,7 +68,7 @@ def main(argv): # noqa: C901 ) return - # Create the LLMService singleton for later use + # Create the LLMService Singleton for later use try: LLMService(config.llm_service) except Exception as e: @@ -104,6 +104,7 @@ def main(argv): # noqa: C901 limit_candidates=config.max_candidates, # ignore_adv_refs=config.ignore_refs, use_llm_repository_url=config.llm_service.use_llm_repository_url, + enabled_rules=config.enabled_rules, ) if config.preprocess_only: diff --git a/prospector/config-sample.yaml b/prospector/config-sample.yaml index 4faa61c8a..f89f4b369 100644 --- a/prospector/config-sample.yaml +++ b/prospector/config-sample.yaml @@ -36,6 +36,27 @@ redis_url: redis://redis:6379/0 # use_llm_repository_url: False # whether to use LLM's to obtain the repository URL +enabled_rules: + # Phase 1 Rules + - VULN_ID_IN_MESSAGE + - XREF_BUG + - XREF_GH + - COMMIT_IN_REFERENCE + - VULN_ID_IN_LINKED_ISSUE + - CHANGES_RELEVANT_FILES + - CHANGES_RELEVANT_CODE + - RELEVANT_WORDS_IN_MESSAGE + - ADV_KEYWORDS_IN_FILES + - ADV_KEYWORDS_IN_MSG + - SEC_KEYWORDS_IN_MESSAGE + - SEC_KEYWORDS_IN_LINKED_GH + - SEC_KEYWORDS_IN_LINKED_BUG + - GITHUB_ISSUE_IN_MESSAGE + - BUG_IN_MESSAGE + - COMMIT_HAS_TWINS + # Phase 2 Rules (llm_service required!): + # - COMMIT_IS_SECURITY_RELEVANT + # Report file format: "html", "json", "console" or "all" # and the file name report: diff --git a/prospector/core/prospector.py b/prospector/core/prospector.py index 0fd22f199..d1dc9c865 100644 --- a/prospector/core/prospector.py +++ b/prospector/core/prospector.py @@ -13,14 +13,14 @@ from cli.console import ConsoleWriter, MessageStatus from datamodel.advisory import AdvisoryRecord, build_advisory_record -from datamodel.commit import Commit, apply_ranking, make_from_raw_commit +from datamodel.commit import Commit, make_from_raw_commit from filtering.filter import filter_commits from git.git import Git from git.raw_commit import RawCommit from git.version_to_tag import get_possible_tags from llm.llm_service import LLMService from log.logger import get_level, logger, pretty_log -from rules.rules import apply_rules +from rules.rules import RULES_PHASE_1, apply_rules from stats.execution import ( Counter, ExecutionTimer, @@ -66,7 +66,7 @@ def prospector( # noqa: C901 use_backend: str = USE_BACKEND_ALWAYS, git_cache: str = "/tmp/git_cache", limit_candidates: int = MAX_CANDIDATES, - rules: List[str] = ["ALL"], + enabled_rules: List[str] = [rule.id for rule in RULES_PHASE_1], tag_commits: bool = True, silent: bool = False, use_llm_repository_url: bool = False, @@ -231,7 +231,9 @@ def prospector( # noqa: C901 else: logger.warning("Preprocessed commits are not being sent to backend") - ranked_candidates = evaluate_commits(preprocessed_commits, advisory_record, rules) + ranked_candidates = evaluate_commits( + preprocessed_commits, advisory_record, enabled_rules + ) # ConsoleWriter.print("Commit ranking and aggregation...") ranked_candidates = remove_twins(ranked_candidates) @@ -267,11 +269,26 @@ def filter(commits: Dict[str, RawCommit]) -> Dict[str, RawCommit]: def evaluate_commits( - commits: List[Commit], advisory: AdvisoryRecord, rules: List[str] + commits: List[Commit], + advisory: AdvisoryRecord, + enabled_rules: List[str], ) -> List[Commit]: + """This function applies rule phases. Each phase is associated with a set of rules, for example: + - Phase 1: NLP Rules + - Phase 2: LLM Rules + + Args: + commits: the list of candidate commits that rules should be applied to + advisory: the object containing all information about the advisory + rules: a (sub)set of rules to run + Returns: + a list of commits ranked according to their relevance score + Raises: + MissingMandatoryValue: if there is an error in the LLM configuration object + """ with ExecutionTimer(core_statistics.sub_collection("candidates analysis")): with ConsoleWriter("Candidate analysis") as _: - ranked_commits = apply_ranking(apply_rules(commits, advisory, rules=rules)) + ranked_commits = apply_rules(commits, advisory, enabled_rules=enabled_rules) return ranked_commits diff --git a/prospector/datamodel/commit.py b/prospector/datamodel/commit.py index 070a31921..ff2b7e1a0 100644 --- a/prospector/datamodel/commit.py +++ b/prospector/datamodel/commit.py @@ -52,6 +52,7 @@ def __eq__(self, other: "Commit") -> bool: return self.relevance == other.relevance def add_match(self, rule: Dict[str, Any]): + """Adds rule to the commit's matched rules. Makes sure that the rule is added in order of relevance.""" for i, r in enumerate(self.matched_rules): if rule["relevance"] == r["relevance"]: self.matched_rules.insert(i, rule) diff --git a/prospector/evaluation/__init__.py b/prospector/evaluation/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/prospector/evaluation/analyse.py b/prospector/evaluation/analyse.py new file mode 100644 index 000000000..0c188848b --- /dev/null +++ b/prospector/evaluation/analyse.py @@ -0,0 +1,31 @@ +import os +import json + +directory = "data_sources/reports/" + +# Now analyse the reports +for filename in os.listdir(directory): + filepath = directory + filename + with open(filepath, "r") as f: + data = json.load(f) + + if not data: + print("Error occured, JSON file could not be found.") + + results = { + "relevance": [], + "no_llm_rule_match": [], + } + + print(data["commits"][0]) + + for commit in data["commits"]: + results["relevance"].append( + { + commit["commit_id"]: sum( + [rule["relevance"] for rule in commit["matched_rules"]] + ) + } + ) + if commit["matched_rules"]: + print(commit["matched_rules"][0]["relevance"]) diff --git a/prospector/evaluation/data_interaction.py b/prospector/evaluation/data_interaction.py new file mode 100644 index 000000000..9730667fe --- /dev/null +++ b/prospector/evaluation/data_interaction.py @@ -0,0 +1,39 @@ +import json +from datetime import datetime + +from data_sources.nvd.filter_entries import ( + find_matching_entries_test, + get_cve_by_id, + get_cves, +) + + +FILEPATH_SINGLE_CVE = "evaluation/single_cve.json" +FILEPATH_MULTIPLE_CVES = "evaluation/multiple_cves.json" + + +def save_single_cve(): + with open(FILEPATH_SINGLE_CVE, "w") as f: + data = get_cve_by_id("CVE-2020-1925") + filtered_cves = find_matching_entries_test(data) + json.dump(filtered_cves, f) + print("Saved a single CVEs.") + + +def save_multiple_cves(): + with open(FILEPATH_MULTIPLE_CVES, "w") as f: + data = get_cves(10) + filtered_cves = find_matching_entries_test(data) + json.dump(filtered_cves, f) + print("Saved multiple CVEs.") + + +def load_single_cve(): + with open(FILEPATH_SINGLE_CVE, "r") as f: + json_data = json.load(f) + return json_data + + +def load_multiple_cves(): + with open(FILEPATH_MULTIPLE_CVES, "r") as f: + return json.load(f) diff --git a/prospector/evaluation/dispatch_jobs.py b/prospector/evaluation/dispatch_jobs.py new file mode 100644 index 000000000..2e3380186 --- /dev/null +++ b/prospector/evaluation/dispatch_jobs.py @@ -0,0 +1,35 @@ +import json +from datetime import datetime + +from data_sources.nvd.job_creation import create_prospector_job +from evaluation.data_interaction import ( + load_multiple_cves, + load_single_cve, + save_multiple_cves, + save_single_cve, +) +from util.report_analyzer import analyze_commit_relevance_results + + +# # Save CVE Data +# save_single_cve() +# # Load CVE Data +# cves = load_single_cve() + +# save_multiple_cves() +cves = load_multiple_cves() + +for cve in cves: + print(cve["nvd_info"]["cve"]["id"]) + # print(cve) + +# Send them to Prospector to run & save results to data_source/reports/ +for cve in cves: + res = create_prospector_job( + repository_url=cve["repo_url"], + cve_id=cve["nvd_info"]["cve"]["id"], + report_type="json", + version_interval=cve["version_interval"], + ) # Creates .json files for each CVE in app/data_sources/reports + # if res["job_data"]["job_status"]: + # reported_cves.append(cves["vulnerabilities"][0]["cve"]["id"]) diff --git a/prospector/evaluation/get_cve_results.json b/prospector/evaluation/get_cve_results.json new file mode 100644 index 000000000..60b48e3c4 --- /dev/null +++ b/prospector/evaluation/get_cve_results.json @@ -0,0 +1 @@ +{"resultsPerPage": 1045, "startIndex": 0, "totalResults": 1045, "format": "NVD_CVE", "version": "2.0", "timestamp": "2024-06-27T07:27:43.327", "vulnerabilities": [{"cve": {"id": "CVE-2024-36277", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-17T08:15:48.847", "lastModified": "2024-06-17T12:42:04.623", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper verification of cryptographic signature issue exists in \"FreeFrom - the nostr client\" App versions prior to 1.3.5 for Android and iOS. The affected app cannot detect event data with invalid signatures."}, {"lang": "es", "value": "Existe un problema de verificaci\u00f3n incorrecta de la firma criptogr\u00e1fica en las versiones de la aplicaci\u00f3n \"FreeFrom - the nostr client\" anteriores a la 1.3.5 para Android e iOS. La aplicaci\u00f3n afectada no puede detectar datos de eventos con firmas no v\u00e1lidas."}], "metrics": {}, "references": [{"url": "https://apps.apple.com/us/app/freefrom-the-nostr-client/id6446819930", "source": "vultures@jpcert.or.jp"}, {"url": "https://freefrom.space/", "source": "vultures@jpcert.or.jp"}, {"url": "https://jvn.jp/en/jp/JVN55045256/", "source": "vultures@jpcert.or.jp"}, {"url": "https://play.google.com/store/apps/details?id=com.freefrom", "source": "vultures@jpcert.or.jp"}]}}, {"cve": {"id": "CVE-2024-36279", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-17T08:15:48.980", "lastModified": "2024-06-17T12:42:04.623", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Reliance on obfuscation or encryption of security-relevant inputs without integrity checking issue exists in \"FreeFrom - the nostr client\" App versions prior to 1.3.5 for Android and iOS. If this vulnerability is exploited, the content of direct messages (DMs) between users may be manipulated by a man-in-the-middle attack."}, {"lang": "es", "value": "La dependencia de la ofuscaci\u00f3n o el cifrado de entradas relevantes para la seguridad sin problemas de verificaci\u00f3n de integridad existe en las versiones de la aplicaci\u00f3n \"FreeFrom - the nostr client\" anteriores a la 1.3.5 para Android e iOS. Si se explota esta vulnerabilidad, el contenido de los mensajes directos (DM) entre usuarios puede ser manipulado mediante un ataque de intermediario."}], "metrics": {}, "references": [{"url": "https://apps.apple.com/us/app/freefrom-the-nostr-client/id6446819930", "source": "vultures@jpcert.or.jp"}, {"url": "https://freefrom.space/", "source": "vultures@jpcert.or.jp"}, {"url": "https://jvn.jp/en/jp/JVN55045256/", "source": "vultures@jpcert.or.jp"}, {"url": "https://play.google.com/store/apps/details?id=com.freefrom", "source": "vultures@jpcert.or.jp"}]}}, {"cve": {"id": "CVE-2024-36289", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-17T08:15:49.063", "lastModified": "2024-06-17T12:42:04.623", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Reusing a nonce, key pair in encryption issue exists in \"FreeFrom - the nostr client\" App versions prior to 1.3.5 for Android and iOS. If this vulnerability is exploited, the content of direct messages (DMs) between users may be manipulated by a man-in-the-middle attack."}, {"lang": "es", "value": "Existe un problema de reutilizaci\u00f3n de un par de claves nonce en el cifrado en las versiones de la aplicaci\u00f3n \"FreeFrom - the nostr client\" anteriores a la 1.3.5 para Android e iOS. Si se explota esta vulnerabilidad, el contenido de los mensajes directos (DM) entre usuarios puede ser manipulado mediante un ataque de intermediario."}], "metrics": {}, "references": [{"url": "https://apps.apple.com/us/app/freefrom-the-nostr-client/id6446819930", "source": "vultures@jpcert.or.jp"}, {"url": "https://freefrom.space/", "source": "vultures@jpcert.or.jp"}, {"url": "https://jvn.jp/en/jp/JVN55045256/", "source": "vultures@jpcert.or.jp"}, {"url": "https://play.google.com/store/apps/details?id=com.freefrom", "source": "vultures@jpcert.or.jp"}]}}, {"cve": {"id": "CVE-2024-6048", "sourceIdentifier": "twcert@cert.org.tw", "published": "2024-06-17T08:15:49.150", "lastModified": "2024-06-17T12:42:04.623", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Openfind's MailGates and MailAudit fail to properly filter user input when analyzing email attachments. An unauthenticated remote attacker can exploit this vulnerability to inject system commands and execute them on the remote server."}, {"lang": "es", "value": "MailGates y MailAudit de Openfind no filtran adecuadamente la entrada del usuario al analizar los archivos adjuntos de correo electr\u00f3nico. Un atacante remoto no autenticado puede aprovechar esta vulnerabilidad para inyectar comandos del sistema y ejecutarlos en el servidor remoto."}], "metrics": {"cvssMetricV31": [{"source": "twcert@cert.org.tw", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "twcert@cert.org.tw", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-7886-20b61-2.html", "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-7885-a8013-1.html", "source": "twcert@cert.org.tw"}]}}, {"cve": {"id": "CVE-2024-5741", "sourceIdentifier": "security@checkmk.com", "published": "2024-06-17T12:15:48.740", "lastModified": "2024-06-17T12:42:04.623", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Stored XSS in inventory tree rendering in Checkmk before 2.3.0p7, 2.2.0p28, 2.1.0p45 and 2.0.0 (EOL)"}, {"lang": "es", "value": "XSS almacenado en la representaci\u00f3n del \u00e1rbol de inventario en Checkmk antes de 2.3.0p7, 2.2.0p28, 2.1.0p45 y 2.0.0 (EOL)"}], "metrics": {"cvssMetricV31": [{"source": "security@checkmk.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "security@checkmk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}], "references": [{"url": "https://checkmk.com/werk/17009", "source": "security@checkmk.com"}]}}, {"cve": {"id": "CVE-2024-6055", "sourceIdentifier": "security@devolutions.net", "published": "2024-06-17T13:15:53.697", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper removal of sensitive information in data source export feature in Devolutions Remote Desktop Manager 2024.1.32.0 and earlier on Windows allows an attacker that obtains the exported settings to recover powershell credentials configured on the data source via stealing the configuration file."}, {"lang": "es", "value": "La eliminaci\u00f3n incorrecta de informaci\u00f3n confidencial en la funci\u00f3n de exportaci\u00f3n de fuentes de datos en Devolutions Remote Desktop Manager 2024.1.32.0 y versiones anteriores en Windows permite que un atacante que obtenga la configuraci\u00f3n exportada recupere las credenciales de PowerShell configuradas en la fuente de datos robando el archivo de configuraci\u00f3n."}], "metrics": {}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2024-0008", "source": "security@devolutions.net"}]}}, {"cve": {"id": "CVE-2024-6057", "sourceIdentifier": "security@devolutions.net", "published": "2024-06-17T13:15:53.800", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper authentication in the vault password feature in Devolutions Remote Desktop Manager 2024.1.31.0 and earlier allows an attacker that has compromised an access to an RDM instance to bypass the vault master password via the offline mode feature."}, {"lang": "es", "value": "La autenticaci\u00f3n incorrecta en la funci\u00f3n de contrase\u00f1a de la b\u00f3veda en Devolutions Remote Desktop Manager 2024.1.31.0 y versiones anteriores permite que un atacante que haya comprometido el acceso a una instancia de RDM omita la contrase\u00f1a maestra de la b\u00f3veda a trav\u00e9s de la funci\u00f3n del modo fuera de l\u00ednea."}], "metrics": {}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2024-0008", "source": "security@devolutions.net"}]}}, {"cve": {"id": "CVE-2024-36580", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T14:15:10.227", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code."}, {"lang": "es", "value": "Un problema de contaminaci\u00f3n de prototipos en cdr0 sg 1.0.10 permite a un atacante ejecutar c\u00f3digo arbitrario."}], "metrics": {}, "references": [{"url": "https://gist.github.com/mestrtee/a75d75eca4622ad08f7cfa903a6cc9c3", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36583", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T14:15:10.330", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A Prototype Pollution issue in byondreal accessor <= 1.0.0 allows an attacker to execute arbitrary code via @byondreal/accessor/index."}, {"lang": "es", "value": "Un problema de contaminaci\u00f3n de prototipo en byondreal accessor <= 1.0.0 permite a un atacante ejecutar c\u00f3digo arbitrario a trav\u00e9s de @byondreal/accessor/index."}], "metrics": {}, "references": [{"url": "https://gist.github.com/mestrtee/97bc2fbfbcbde3a54d5536c9adeee34c", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37158", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-17T14:15:10.430", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Preliminary checks on actions computed by the clawback vesting accounts are performed in the ante handler. Evmos core, implements two different ante handlers: one for Cosmos transactions and one for Ethereum transactions. Checks performed on the two implementation are different. The vulnerability discovered allowed a clawback account to bypass Cosmos ante handler checks by sending an Ethereum transaction targeting a precompile used to interact with a Cosmos SDK module. This vulnerability is fixed in 18.0.0.\n\n"}, {"lang": "es", "value": "Evmos es el centro de m\u00e1quinas virtuales Ethereum (EVM) en Cosmos Network. Las comprobaciones preliminares de las acciones calculadas por las cuentas de recuperaci\u00f3n de derechos se realizan en el gestor ante. El n\u00facleo de Evmos implementa dos controladores de ante diferentes: uno para transacciones Cosmos y otro para transacciones Ethereum. Las comprobaciones realizadas en las dos implementaciones son diferentes. La vulnerabilidad descubierta permiti\u00f3 que una cuenta de recuperaci\u00f3n eludiera las comprobaciones del ante handler de Cosmos enviando una transacci\u00f3n de Ethereum dirigida a una precompilaci\u00f3n utilizada para interactuar con un m\u00f3dulo SDK de Cosmos. Esta vulnerabilidad se solucion\u00f3 en 18.0.0."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-691"}]}], "references": [{"url": "https://github.com/evmos/evmos/commit/b2a09ca66613d8b04decd3f2dcba8e1e77709dcb", "source": "security-advisories@github.com"}, {"url": "https://github.com/evmos/evmos/security/advisories/GHSA-pxv8-qhrh-jc7v", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-37159", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-17T14:15:10.693", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. This vulnerability allowed a user to create a validator using vested tokens to deposit the self-bond. This vulnerability is fixed in 18.0.0."}, {"lang": "es", "value": "Evmos es el centro de m\u00e1quinas virtuales Ethereum (EVM) en Cosmos Network. Esta vulnerabilidad permiti\u00f3 a un usuario crear un validador utilizando tokens adquiridos para depositar el autobono. Esta vulnerabilidad se solucion\u00f3 en 18.0.0."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://github.com/evmos/evmos/commit/b2a09ca66613d8b04decd3f2dcba8e1e77709dcb", "source": "security-advisories@github.com"}, {"url": "https://github.com/evmos/evmos/security/advisories/GHSA-pxv8-qhrh-jc7v", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-37619", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T14:15:10.943", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "StrongShop v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the spec_group_id parameter at /spec/index.blade.php."}, {"lang": "es", "value": "Se descubri\u00f3 que StrongShop v1.0 conten\u00eda una vulnerabilidad de cross site scripting (XSS) reflejado a trav\u00e9s del par\u00e1metro spec_group_id en /spec/index.blade.php."}], "metrics": {}, "references": [{"url": "https://github.com/Hebing123/cve/issues/45", "source": "cve@mitre.org"}, {"url": "https://www.strongshop.cn/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37620", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T14:15:11.047", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "PHPVOD v4.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the id parameter at /view/admin/view.php."}, {"lang": "es", "value": "Se descubri\u00f3 que PHPVOD v4.0 conten\u00eda una vulnerabilidad de cross site scripting (XSS) reflejado a trav\u00e9s del par\u00e1metro id en /view/admin/view.php."}], "metrics": {}, "references": [{"url": "https://github.com/Hebing123/cve/issues/46", "source": "cve@mitre.org"}, {"url": "https://www.phpvod.com/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37621", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T14:15:11.153", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "StrongShop v1.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the component /shippingOptionConfig/index.blade.php."}, {"lang": "es", "value": "Se descubri\u00f3 que StrongShop v1.0 conten\u00eda una vulnerabilidad de inyecci\u00f3n de plantilla del lado del servidor (SSTI) a trav\u00e9s del componente /shippingOptionConfig/index.blade.php."}], "metrics": {}, "references": [{"url": "https://github.com/Hebing123/cve/issues/47", "source": "cve@mitre.org"}, {"url": "https://www.strongshop.cn", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37622", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T14:15:11.480", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Xinhu RockOA v2.6.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the num parameter at /flow/flow.php."}, {"lang": "es", "value": "Se descubri\u00f3 que Xinhu RockOA v2.6.3 contiene una vulnerabilidad de cross site scripting (XSS) reflejado a trav\u00e9s del par\u00e1metro num en /flow/flow.php."}], "metrics": {}, "references": [{"url": "https://github.com/rainrocka/xinhu/issues/4", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37623", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T14:15:11.580", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Xinhu RockOA v2.6.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the /kaoqin/tpl_kaoqin_locationchange.html component."}, {"lang": "es", "value": "Se descubri\u00f3 que Xinhu RockOA v2.6.3 contiene una vulnerabilidad de cross site scripting (XSS) reflejado a trav\u00e9s del componente /kaoqin/tpl_kaoqin_locationchange.html."}], "metrics": {}, "references": [{"url": "https://github.com/rainrocka/xinhu/issues/5", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37624", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T14:15:11.680", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Xinhu RockOA v2.6.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the /chajian/inputChajian.php. component."}, {"lang": "es", "value": "Se descubri\u00f3 que Xinhu RockOA v2.6.3 conten\u00eda una vulnerabilidad de cross site scripting (XSS) reflejado a trav\u00e9s de /chajian/inputChajian.php. componente."}], "metrics": {}, "references": [{"url": "https://github.com/rainrocka/xinhu/issues/6", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37625", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T14:15:11.790", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the $search parameter at /index.php."}, {"lang": "es", "value": "Se descubri\u00f3 que zhimengzhe iBarn v1.5 conten\u00eda una vulnerabilidad de cross site scripting (XSS) reflejado a trav\u00e9s del par\u00e1metro $search en /index.php."}], "metrics": {}, "references": [{"url": "https://github.com/zhimengzhe/iBarn", "source": "cve@mitre.org"}, {"url": "https://github.com/zhimengzhe/iBarn/issues/20", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37848", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T14:15:11.890", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in Online-Bookstore-Project-In-PHP v1.0 allows a local attacker to execute arbitrary code via the admin_delete.php component."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en Online-Bookstore-Project-In-PHP v1.0 permite a un atacante local ejecutar c\u00f3digo arbitrario a trav\u00e9s del componente admin_delete.php."}], "metrics": {}, "references": [{"url": "https://github.com/Lanxiy7th/lx_CVE_report-/issues/13", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38469", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T14:15:12.070", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the $search parameter at /pay.php."}, {"lang": "es", "value": "Se descubri\u00f3 que zhimengzhe iBarn v1.5 conten\u00eda una vulnerabilidad de cross site scripting (XSS) reflejado a trav\u00e9s del par\u00e1metro $search en /pay.php."}], "metrics": {}, "references": [{"url": "https://github.com/zhimengzhe/iBarn", "source": "cve@mitre.org"}, {"url": "https://github.com/zhimengzhe/iBarn/issues/20", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38470", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T14:15:12.183", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the $search parameter at /own.php."}, {"lang": "es", "value": "Se descubri\u00f3 que zhimengzhe iBarn v1.5 conten\u00eda una vulnerabilidad de cross site scripting (XSS) reflejado a trav\u00e9s del par\u00e1metro $search en /own.php."}], "metrics": {}, "references": [{"url": "https://github.com/zhimengzhe/iBarn", "source": "cve@mitre.org"}, {"url": "https://github.com/zhimengzhe/iBarn/issues/20", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-1469", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-17T15:15:50.463", "lastModified": "2024-06-17T15:15:50.463", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: ** REJECT ** Duplicate assignment. Please use CVE-2024-0845 instead."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2024-36581", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T15:15:51.130", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm."}, {"lang": "es", "value": "Un problema de contaminaci\u00f3n de prototipos en abw Badger-database 1.2.1 permite a un atacante ejecutar c\u00f3digo arbitrario a trav\u00e9s de dist/badger-database.esm."}], "metrics": {}, "references": [{"url": "https://gist.github.com/mestrtee/f6b2ed1b3b4bc0df994c7455fc6110bd", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36582", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T15:15:51.243", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js)"}, {"lang": "es", "value": "alexbinary object-deep-assign 1.0.11 es vulnerable a Prototype Pollution a trav\u00e9s del m\u00e9todo extend() de Module.deepAssign (/src/index.js)"}], "metrics": {}, "references": [{"url": "https://gist.github.com/mestrtee/9fe4d3a862c62ce6b2b0d20d4c5fd346", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-4032", "sourceIdentifier": "cna@python.org", "published": "2024-06-17T15:15:52.517", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The \u201cipaddress\u201d module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as \u201cglobally reachable\u201d or \u201cprivate\u201d. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn\u2019t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.\n\nCPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior."}, {"lang": "es", "value": "El m\u00f3dulo \"ipaddress\" conten\u00eda informaci\u00f3n incorrecta sobre si ciertas direcciones IPv4 e IPv6 estaban designadas como \"accesibles globalmente\" o \"privadas\". Esto afect\u00f3 las propiedades is_private e is_global de las clases ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address y ipaddress.IPv6Network, donde los valores no se devolver\u00edan de acuerdo con la informaci\u00f3n m\u00e1s reciente de los Registros de direcciones de prop\u00f3sito especial de la IANA. CPython 3.12.4 y 3.13.0a6 contienen informaci\u00f3n actualizada de estos registros y, por lo tanto, tienen el comportamiento previsto."}], "metrics": {}, "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/06/17/3", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/issues/113171", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/pull/113179", "source": "cna@python.org"}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", "source": "cna@python.org"}, {"url": "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "source": "cna@python.org"}, {"url": "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml", "source": "cna@python.org"}]}}, {"cve": {"id": "CVE-2024-0397", "sourceIdentifier": "cna@python.org", "published": "2024-06-17T16:15:10.217", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A defect was discovered in the Python \u201cssl\u201d module where there is a memory\nrace condition with the ssl.SSLContext methods \u201ccert_store_stats()\u201d and\n\u201cget_ca_certs()\u201d. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5."}, {"lang": "es", "value": "Se descubri\u00f3 un defecto en el m\u00f3dulo \u201cssl\u201d de Python donde existe una condici\u00f3n de ejecuci\u00f3n de memoria con los m\u00e9todos ssl.SSLContext \u201ccert_store_stats()\u201d y \u201cget_ca_certs()\u201d. La condici\u00f3n de ejecuci\u00f3n se puede desencadenar si los m\u00e9todos se llaman al mismo tiempo que se cargan los certificados en SSLContext, como durante el protocolo de enlace TLS con un directorio de certificados configurado. Este problema se solucion\u00f3 en CPython 3.10.14, 3.11.9, 3.12.3 y 3.13.0a5."}], "metrics": {}, "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/06/17/2", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/issues/114572", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/pull/114573", "source": "cna@python.org"}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/", "source": "cna@python.org"}]}}, {"cve": {"id": "CVE-2024-36573", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T16:15:14.947", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) component."}, {"lang": "es", "value": "almela obx anterior a v.0.0.4 tiene un problema de contaminaci\u00f3n de prototipos que permite la ejecuci\u00f3n de c\u00f3digo arbitrario a trav\u00e9s de obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) componente."}], "metrics": {}, "references": [{"url": "https://gist.github.com/mestrtee/fd8181bbc180d775f8367a2b9e0ffcd1", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36574", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T16:15:15.040", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker to execute arbitrary code via module.exports.unflattenJSON (flatten-json/index.js:42)"}, {"lang": "es", "value": "Un problema de contaminaci\u00f3n de prototipos en flatten-json 1.0.1 permite a un atacante ejecutar c\u00f3digo arbitrario a trav\u00e9s de module.exports.unflattenJSON (flatten-json/index.js:42)"}], "metrics": {}, "references": [{"url": "https://gist.github.com/mestrtee/d5a0c93459599f77557b5bbe78b57325", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36575", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T16:15:15.140", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor."}, {"lang": "es", "value": "Un problema de contaminaci\u00f3n de prototipos en getsetprop 1.1.0 permite a un atacante ejecutar c\u00f3digo arbitrario a trav\u00e9s de global.accessor."}], "metrics": {}, "references": [{"url": "https://gist.github.com/mestrtee/0d830798f20839d634278d7af0155f9e", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36577", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T16:15:15.233", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty."}, {"lang": "es", "value": "apphp js-object-resolver < 3.1.1 es vulnerable a la contaminaci\u00f3n de prototipos a trav\u00e9s de Module.setNestedProperty."}], "metrics": {}, "references": [{"url": "https://gist.github.com/mestrtee/c90189f3d8480a5f267395ec40701373", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36578", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T16:15:15.333", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js."}, {"lang": "es", "value": "La actualizaci\u00f3n 1.0.0 de akbr es vulnerable a Prototype Pollution a trav\u00e9s de update/index.js."}], "metrics": {}, "references": [{"url": "https://gist.github.com/mestrtee/8bc749ec2b5453d887b2f4a362a65897", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2018-25103", "sourceIdentifier": "cret@cert.org", "published": "2024-06-17T18:15:12.650", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "There exists use-after-free vulnerabilities in lighttpd <= 1.4.50 request parsing which might read from invalid pointers to memory used in the same request, not from other requests."}, {"lang": "es", "value": "Existe una vulnerabilidad de use-after-free en lighttpd <= 1.4.50 que puede permitir el acceso para realizar una comparaci\u00f3n que no distinga entre may\u00fasculas y min\u00fasculas con el puntero reutilizado."}], "metrics": {}, "references": [{"url": "https://blogvdoo.wordpress.com/2018/11/06/giving-back-securing-open-source-iot-projects/#more-736", "source": "cret@cert.org"}, {"url": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8", "source": "cret@cert.org"}, {"url": "https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9", "source": "cret@cert.org"}, {"url": "https://www.runzero.com/blog/lighttpd/", "source": "cret@cert.org"}]}}, {"cve": {"id": "CVE-2024-36527", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T18:15:16.767", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "puppeteer-renderer v.3.2.0 and before is vulnerable to Directory Traversal. Attackers can exploit the URL parameter using the file protocol to read sensitive information from the server."}, {"lang": "es", "value": "puppeteer-renderer v.3.2.0 y anteriores es vulnerable a Directory Traversal. Los atacantes pueden explotar el par\u00e1metro URL utilizando el protocolo de archivo para leer informaci\u00f3n confidencial del servidor."}], "metrics": {}, "references": [{"url": "https://gist.github.com/7a6163/25fef08f75eed219c8ca21e332d6e911", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36973", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-17T18:15:17.043", "lastModified": "2024-06-21T14:15:12.250", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: microchip: pci1xxxx: fix double free in the error handling of gp_aux_bus_probe()\n\nWhen auxiliary_device_add() returns error and then calls\nauxiliary_device_uninit(), callback function\ngp_auxiliary_device_release() calls ida_free() and\nkfree(aux_device_wrapper) to free memory. We should't\ncall them again in the error handling path.\n\nFix this by skipping the redundant cleanup functions."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: misc: microchip: pci1xxxx: corrige double free en el manejo de errores de gp_aux_bus_probe() Cuando auxiliar_device_add() devuelve error y luego llama a auxiliar_device_uninit(), la funci\u00f3n de devoluci\u00f3n de llamada gp_auxiliary_device_release() llama a ida_free( ) y kfree(aux_device_wrapper) para liberar memoria. No deber\u00edamos volver a llamarlos en la ruta de manejo de errores. Solucione este problema omitiendo las funciones de limpieza redundantes."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/086c6cbcc563c81d55257f9b27e14faf1d0963d3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1efe551982297924d05a367aa2b6ec3d275d5742", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/34ae447b138680b5ed3660f7d935ff3faf88ba1a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/86c9713602f786f441630c4ee02891987f8618b9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-37661", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T18:15:17.463", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "TP-LINK TL-7DR5130 v1.0.23 is vulnerable to forged ICMP redirect message attacks. An attacker in the same WLAN as the victim can hijack the traffic between the victim and any remote server by sending out forged ICMP redirect messages."}, {"lang": "es", "value": "TP-LINK TL-7DR5130 v1.0.23 es vulnerable a ataques de mensajes de redireccionamiento ICMP falsificados. Un atacante en la misma WLAN que la v\u00edctima puede secuestrar el tr\u00e1fico entre la v\u00edctima y cualquier servidor remoto enviando mensajes de redireccionamiento ICMP falsificados."}], "metrics": {}, "references": [{"url": "https://github.com/ouuan/router-vuln-report/blob/master/icmp-redirect/tl-7dr5130-redirect.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37662", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T18:15:17.560", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "TP-LINK TL-7DR5130 v1.0.23 is vulnerable to TCP DoS or hijacking attacks. An attacker in the same WLAN as the victim can disconnect or hijack the traffic between the victim and any remote server by sending out forged TCP RST messages to evict NAT mappings in the router."}, {"lang": "es", "value": "TP-LINK TL-7DR5130 v1.0.23 es vulnerable a TCP DoS o ataques de secuestro. Un atacante en la misma WLAN que la v\u00edctima puede desconectar o secuestrar el tr\u00e1fico entre la v\u00edctima y cualquier servidor remoto enviando mensajes TCP RST falsificados para desalojar las asignaciones NAT en el enrutador."}], "metrics": {}, "references": [{"url": "https://github.com/ouuan/router-vuln-report/blob/master/nat-rst/tl-7dr5130-nat-rst.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37663", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T18:15:17.653", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Redmi router RB03 v1.0.57 is vulnerable to forged ICMP redirect message attacks. An attacker in the same WLAN as the victim can hijack the traffic between the victim and any remote server by sending out forged ICMP redirect messages."}, {"lang": "es", "value": "El enrutador Redmi RB03 v1.0.57 es vulnerable a ataques de mensajes de redireccionamiento ICMP falsificados. Un atacante en la misma WLAN que la v\u00edctima puede secuestrar el tr\u00e1fico entre la v\u00edctima y cualquier servidor remoto enviando mensajes de redireccionamiento ICMP falsificados."}], "metrics": {}, "references": [{"url": "https://github.com/ouuan/router-vuln-report/blob/master/icmp-redirect/redmi-rb03-redirect.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37664", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T18:15:17.743", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Redmi router RB03 v1.0.57 is vulnerable to TCP DoS or hijacking attacks. An attacker in the same WLAN as the victim can disconnect or hijack the traffic between the victim and any remote server by sending out forged TCP RST messages to evict NAT mappings in the router."}, {"lang": "es", "value": "El enrutador Redmi RB03 v1.0.57 es vulnerable a TCP DoS o ataques de secuestro. Un atacante en la misma WLAN que la v\u00edctima puede desconectar o secuestrar el tr\u00e1fico entre la v\u00edctima y cualquier servidor remoto enviando mensajes TCP RST falsificados para desalojar las asignaciones NAT en el enrutador."}], "metrics": {}, "references": [{"url": "https://github.com/ouuan/router-vuln-report/blob/master/nat-rst/redmi-rb03-nat-rst.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37794", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T18:15:17.853", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper input validation in CVC5 Solver v1.1.3 allows attackers to cause a Denial of Service (DoS) via a crafted SMT2 input file."}, {"lang": "es", "value": "La validaci\u00f3n de entrada incorrecta en CVC5 Solver v1.1.3 permite a los atacantes provocar una denegaci\u00f3n de servicio (DoS) a trav\u00e9s de un archivo de entrada SMT2 manipulado."}], "metrics": {}, "references": [{"url": "https://github.com/cvc5/cvc5/issues/10813", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37795", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T18:15:17.953", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A segmentation fault in CVC5 Solver v1.1.3 allows attackers to cause a Denial of Service (DoS) via a crafted SMT-LIB input file containing the `set-logic` command with specific formatting errors."}, {"lang": "es", "value": "Una falla de segmentaci\u00f3n en CVC5 Solver v1.1.3 permite a los atacantes provocar una denegaci\u00f3n de servicio (DoS) a trav\u00e9s de un archivo de entrada SMT-LIB manipulado que contiene el comando `set-logic` con errores de formato espec\u00edficos."}], "metrics": {}, "references": [{"url": "https://github.com/cvc5/cvc5/issues/10813", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-6056", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-17T18:15:18.143", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in nasirkhan Laravel Starter up to 11.8.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /forgot-password of the component Password Reset Handler. The manipulation of the argument Email leads to observable response discrepancy. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268784. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en nasirkhan Laravel Starter hasta 11.8.0. Ha sido calificada como problem\u00e1tica. Una funci\u00f3n desconocida del archivo /forgot-password del componente Password Reset Handler es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento Correo electr\u00f3nico conduce a una discrepancia de respuesta observable. El ataque puede lanzarse de forma remota. La complejidad de un ataque es bastante alta. Se sabe que la explotaci\u00f3n es dif\u00edcil. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-268784. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6}, "baseSeverity": "LOW", "exploitabilityScore": 4.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-204"}]}], "references": [{"url": "https://powerful-bulb-c36.notion.site/idor-c6eb58e8fc40416ba53c7915ca0174c4?pvs=4", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268784", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268784", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.352978", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6058", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-17T18:15:18.520", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in LabVantage LIMS 2017. This affects an unknown part of the file /labvantage/rc?command=page&page=SampleHistoricalList&_iframename=list&__crc=crc_1701669816260. The manipulation of the argument height/width leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-268785 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en LabVantage LIMS 2017 y clasificada como problem\u00e1tica. Una parte desconocida del archivo /labvantage/rc?command=page&page=SampleHistoricalList&_iframename=list&__crc=crc_1701669816260. La manipulaci\u00f3n del argumento alto/ancho conduce a cross site scripting. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-268785. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.0}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://gentle-khaan-c53.notion.site/Reflected-XSS-in-Labvantage-LIMS-cc960e84650a4df58ecabe82338e0272", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268785", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268785", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.353198", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-36543", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T19:15:58.353", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially steal Kafka SASL credentials, by querying the MirrorMaker Kafka REST API."}, {"lang": "es", "value": "El control de acceso incorrecto en la API REST de Kafka Connect en el proyecto STRIMZI 0.41.0 y versiones anteriores permite a un atacante denegar el servicio de Kafka Mirroring y potencialmente reflejar el contenido de los temas en su cl\u00faster de Kafka a trav\u00e9s de un conector malicioso (evitando Kafka ACL si existe), y potencialmente robar credenciales SASL de Kafka consultando la API REST de MirrorMaker Kafka."}], "metrics": {}, "references": [{"url": "http://strimzi.com", "source": "cve@mitre.org"}, {"url": "https://github.com/almounah/vulnerability-research/tree/main/CVE-2024-36543", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37840", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T19:15:58.470", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in processscore.php in Itsourcecode Learning Management System Project In PHP With Source Code v1.0 allows remote attackers to execute arbitrary SQL commands via the LessonID parameter."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en Processscore.php en Itsourcecode Learning Management System Project In PHP With Source Code v1.0 permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro LessonID."}], "metrics": {}, "references": [{"url": "https://github.com/ganzhi-qcy/cve/issues/4", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38449", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T19:15:58.567", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A Directory Traversal vulnerability in KasmVNC 1.3.1.230e50f7b89663316c70de7b0e3db6f6b9340489 and possibly earlier versions allows remote authenticated attackers to browse parent directories and read the content of files outside the scope of the application."}, {"lang": "es", "value": "Una vulnerabilidad de Directory Traversal en KasmVNC 1.3.1.230e50f7b89663316c70de7b0e3db6f6b9340489 y posiblemente versiones anteriores permite a atacantes remotos autenticados explorar directorios principales y leer el contenido de archivos fuera del alcance de la aplicaci\u00f3n."}], "metrics": {}, "references": [{"url": "https://github.com/kasmtech/KasmVNC/issues/254", "source": "cve@mitre.org"}, {"url": "https://kasmweb.atlassian.net/servicedesk/customer/portal/3/topic/30ffee7f-4b85-4783-b118-6ae4fd8b0c52", "source": "cve@mitre.org"}, {"url": "https://kasmweb.com/kasmvnc", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-6059", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-17T19:15:59.467", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as problematic, has been found in Ingenico Estate Manager 2023. This issue affects some unknown processing of the file /emgui/rest/ums/messages of the component News Feed. The manipulation of the argument message leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268787. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad clasificada como problem\u00e1tica fue encontrada en Ingenico Estate Manager 2023. Un procesamiento desconocido del archivo /emgui/rest/ums/messages del componente News Feed afecta a este problema. La manipulaci\u00f3n del mensaje de argumento conduce a cross site scripting. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-268787. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.3}, "baseSeverity": "LOW", "exploitabilityScore": 6.4, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://gentle-khaan-c53.notion.site/Stored-XSS-in-Ingenico-The-Estate-Manager-90089eaef5574b929fe019c3d0686b63", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268787", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268787", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.353237", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-37305", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-17T20:15:12.880", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs. Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid (traditional + post-quantum) keys and signatures. Unchecked length values are later used for memory reads and writes; malformed input can lead to crashes or information leakage. Handling of plain/non-hybrid PQ key operation is not affected. This issue has been patched in in v0.6.1. All users are advised to upgrade. There are no workarounds for this issue."}, {"lang": "es", "value": "oqs-provider es un proveedor de la librer\u00eda de criptograf\u00eda OpenSSL 3 que agrega soporte para criptograf\u00eda poscu\u00e1ntica en TLS, X.509 y S/MIME utilizando algoritmos poscu\u00e1nticos de liboqs. Se han identificado fallas en la forma en que oqs-provider maneja las longitudes decodificadas con DECODE_UINT32 al inicio de firmas y claves h\u00edbridas serializadas (tradicionales + poscu\u00e1nticas). Los valores de longitud no verificados se utilizan posteriormente para lecturas y escrituras de memoria; La entrada mal formada puede provocar fallas o fugas de informaci\u00f3n. El manejo de la operaci\u00f3n de clave PQ simple/no h\u00edbrida no se ve afectado. Este problema se solucion\u00f3 en la versi\u00f3n 0.6.1. Se recomienda a todos los usuarios que actualicen. No existen workarounds para este problema."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}, {"lang": "en", "value": "CWE-130"}, {"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-680"}, {"lang": "en", "value": "CWE-805"}]}], "references": [{"url": "https://github.com/open-quantum-safe/oqs-provider/pull/416", "source": "security-advisories@github.com"}, {"url": "https://github.com/open-quantum-safe/oqs-provider/security/advisories/GHSA-pqvr-5cr8-v6fx", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-37890", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-17T20:15:13.203", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied."}, {"lang": "es", "value": "ws es un cliente y servidor WebSocket de c\u00f3digo abierto para Node.js. Una solicitud con una cantidad de encabezados que exceda el umbral server.maxHeadersCount podr\u00eda usarse para bloquear un servidor ws. La vulnerabilidad se solucion\u00f3 en ws@8.17.1 (e55e510) y se actualiz\u00f3 a ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3) y ws@5.2.4 (4abd8f6). En versiones vulnerables de ws, el problema se puede mitigar de las siguientes maneras: 1. Reduzca la longitud m\u00e1xima permitida de los encabezados de solicitud usando las opciones --max-http-header-size=size y/o maxHeaderSize para que no haya m\u00e1s Se pueden enviar encabezados superiores al l\u00edmite server.maxHeadersCount. 2. Establezca server.maxHeadersCount en 0 para que no se aplique ning\u00fan l\u00edmite."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", "source": "security-advisories@github.com"}, {"url": "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", "source": "security-advisories@github.com"}, {"url": "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", "source": "security-advisories@github.com"}, {"url": "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", "source": "security-advisories@github.com"}, {"url": "https://github.com/websockets/ws/issues/2230", "source": "security-advisories@github.com"}, {"url": "https://github.com/websockets/ws/pull/2231", "source": "security-advisories@github.com"}, {"url": "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", "source": "security-advisories@github.com"}, {"url": "https://nodejs.org/api/http.html#servermaxheaderscount", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-37891", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-17T20:15:13.450", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": " urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations."}, {"lang": "es", "value": "urllib3 es una librer\u00eda cliente HTTP f\u00e1cil de usar para Python. Cuando se utiliza el soporte de proxy de urllib3 con `ProxyManager`, el encabezado `Proxy-Authorization` solo se env\u00eda al proxy configurado, como se esperaba. Sin embargo, al enviar solicitudes HTTP *sin* utilizar el soporte de proxy de urllib3, es posible configurar accidentalmente el encabezado `Proxy-Authorization` aunque no tendr\u00e1 ning\u00fan efecto ya que la solicitud no utiliza un proxy de reenv\u00edo o un proxy de t\u00fanel. En esos casos, urllib3 no trata el encabezado HTTP \"Proxy-Authorization\" como si llevara material de autenticaci\u00f3n y, por lo tanto, no elimina el encabezado en redirecciones de origen cruzado. Dado que se trata de un escenario muy improbable, creemos que la gravedad de esta vulnerabilidad es baja para casi todos los usuarios. Por precauci\u00f3n, urllib3 eliminar\u00e1 autom\u00e1ticamente el encabezado \"Proxy-Authorization\" durante las redirecciones entre or\u00edgenes para evitar la peque\u00f1a posibilidad de que los usuarios hagan esto por accidente. Los usuarios deben usar el soporte de proxy de urllib3 o desactivar las redirecciones autom\u00e1ticas para lograr un procesamiento seguro del encabezado `Proxy-Authorization`, pero aun as\u00ed decidimos eliminar el encabezado de forma predeterminada para proteger a\u00fan m\u00e1s a los usuarios que no utilizan el enfoque correcto. Creemos que la cantidad de usos afectados por este aviso es baja. Requiere que todo lo siguiente sea cierto para ser explotado: 1. Configurar el encabezado `Proxy-Authorization` sin utilizar el soporte de proxy integrado de urllib3. 2. No deshabilitar las redirecciones HTTP. 3. Ya sea no utilizar un servidor de origen HTTPS o que el proxy o el origen de destino redirija a un origen malicioso. Se recomienda a los usuarios que actualicen a la versi\u00f3n 1.26.19 o a la versi\u00f3n 2.2.2. Los usuarios que no puedan actualizar pueden usar el encabezado `Proxy-Authorization` con `ProxyManager` de urllib3, deshabilitar las redirecciones HTTP usando `redirects=False` al enviar solicitudes o no usar el encabezado `Proxy-Authorization` como mitigaci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 0.7, "impactScore": 3.6}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-669"}]}], "references": [{"url": "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e", "source": "security-advisories@github.com"}, {"url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-37893", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-17T20:15:13.700", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password. This problem has been patched in Firefly III v6.1.17 and up. Users are advised to upgrade. Users unable to upgrade should Use a unique password for their Firefly III instance and store their password securely, i.e. in a password manager."}, {"lang": "es", "value": "Firefly III es un administrador de finanzas personales gratuito y de c\u00f3digo abierto. En las versiones afectadas, una omisi\u00f3n de MFA en el flujo OAuth del Firefly III puede permitir a usuarios malintencionados omitir la verificaci\u00f3n de MFA. Esto permite a usuarios malintencionados utilizar la pulverizaci\u00f3n de contrase\u00f1as para obtener acceso a los datos de Firefly III utilizando contrase\u00f1as robadas de otras fuentes. Como las aplicaciones OAuth se pueden enumerar f\u00e1cilmente utilizando una identificaci\u00f3n incremental, un atacante podr\u00eda intentar registrar una aplicaci\u00f3n OAuth en el perfil de un usuario con bastante facilidad si ha creado uno. El atacante tambi\u00e9n necesitar\u00eda saber el nombre de usuario y la contrase\u00f1a de la v\u00edctima. Este problema se solucion\u00f3 en Firefly III v6.1.17 y versiones posteriores. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben utilizar una contrase\u00f1a \u00fanica para su instancia de Firefly III y almacenarla de forma segura, es decir, en un administrador de contrase\u00f1as."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-288"}]}], "references": [{"url": "https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-4gm4-c4mh-4p7w", "source": "security-advisories@github.com"}, {"url": "https://owasp.org/www-community/attacks/Password_Spraying_Attack", "source": "security-advisories@github.com"}, {"url": "https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/mfa-bypass", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-37895", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-17T20:15:13.970", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. This issue has been addressed in version 0.162.25. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Lobe Chat es un framework de chat de IA/LLM de c\u00f3digo abierto. En las versiones afectadas, si un atacante puede autenticarse exitosamente a trav\u00e9s de SSO/C\u00f3digo de acceso, puede obtener la clave API de backend real modificando la URL base a su propia URL de ataque en la interfaz y configurando una solicitud del lado del servidor. Este problema se solucion\u00f3 en la versi\u00f3n 0.162.25. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-p36r-qxgx-jq2v", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-37896", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-17T20:15:14.213", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.6.5 has SQL injection vulnerability. The SQL injection vulnerabilities occur when a web application allows users to input data into SQL queries without sufficiently validating or sanitizing the input. Failing to properly enforce restrictions on user input could mean that even a basic form input field can be used to inject arbitrary and potentially dangerous SQL commands. This could lead to unauthorized access to the database, data leakage, data manipulation, or even complete compromise of the database server. This vulnerability has been addressed in commit `53d033821` which has been included in release version 2.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Gin-vue-admin es un sistema de gesti\u00f3n detr\u00e1s de escena basado en vue y gin. Gin-vue-admin <= v2.6.5 tiene una vulnerabilidad de inyecci\u00f3n SQL. Las vulnerabilidades de inyecci\u00f3n SQL ocurren cuando una aplicaci\u00f3n web permite a los usuarios ingresar datos en consultas SQL sin validar o sanitizar suficientemente la entrada. No aplicar adecuadamente las restricciones a la entrada del usuario podr\u00eda significar que incluso un campo de entrada de formulario b\u00e1sico pueda usarse para inyectar comandos SQL arbitrarios y potencialmente peligrosos. Esto podr\u00eda provocar un acceso no autorizado a la base de datos, una fuga de datos, una manipulaci\u00f3n de datos o incluso un compromiso total del servidor de la base de datos. Esta vulnerabilidad se solucion\u00f3 en el commit `53d033821` que se incluy\u00f3 en la versi\u00f3n 2.6.6. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/flipped-aurora/gin-vue-admin/commit/53d03382188868464ade489ab0713b54392d227f", "source": "security-advisories@github.com"}, {"url": "https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-gf3r-h744-mqgp", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-37902", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-17T20:15:14.463", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "DeepJavaLibrary(DJL) is an Engine-Agnostic Deep Learning Framework in Java. DJL versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers version 0.27.0. Users are advised to upgrade."}, {"lang": "es", "value": "DeepJavaLibrary (DJL) es un framework de aprendizaje profundo independiente del motor en Java. Las versiones de DJL 0.1.0 a 0.27.0 no impiden que los artefactos archivados de ruta absoluta inserten archivos archivados directamente en el sistema, sobrescribiendo los archivos del sistema. Esto se solucion\u00f3 en DJL 0.28.0 y se parche\u00f3 en los contenedores DJL Large Model Inference versi\u00f3n 0.27.0. Se recomienda a los usuarios que actualicen."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/deepjavalibrary/djl/releases/tag/v0.28.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-6061", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-17T20:15:14.850", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability has been found in GPAC 2.5-DEV-rev228-g11067ea92-master and classified as problematic. Affected by this vulnerability is the function isoffin_process of the file src/filters/isoffin_read.c of the component MP4Box. The manipulation leads to infinite loop. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The identifier of the patch is 20c0f29139a82779b86453ce7f68d0681ec7624c. It is recommended to apply a patch to fix this issue. The identifier VDB-268789 was assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en GPAC 2.5-DEV-rev228-g11067ea92-master y clasificada como problem\u00e1tica. La funci\u00f3n isoffin_process del archivo src/filters/isoffin_read.c del componente MP4Box es afectada por esta vulnerabilidad. La manipulaci\u00f3n conduce a un bucle infinito. Es posible lanzar el ataque al servidor local. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador del parche es 20c0f29139a82779b86453ce7f68d0681ec7624c. Se recomienda aplicar un parche para solucionar este problema. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-268789."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 1.7}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-835"}]}], "references": [{"url": "https://github.com/gpac/gpac/commit/20c0f29139a82779b86453ce7f68d0681ec7624c", "source": "cna@vuldb.com"}, {"url": "https://github.com/gpac/gpac/issues/2871", "source": "cna@vuldb.com"}, {"url": "https://github.com/user-attachments/files/15801058/poc1.zip", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268789", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268789", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.356308", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6062", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-17T20:15:15.170", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master and classified as problematic. Affected by this issue is the function swf_svg_add_iso_sample of the file src/filters/load_text.c of the component MP4Box. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as 31e499d310a48bd17c8b055a0bfe0fe35887a7cd. It is recommended to apply a patch to fix this issue. VDB-268790 is the identifier assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en GPAC 2.5-DEV-rev228-g11067ea92-master y clasificada como problem\u00e1tica. La funci\u00f3n swf_svg_add_iso_sample del archivo src/filters/load_text.c del componente MP4Box es afectada por esta vulnerabilidad. La manipulaci\u00f3n conduce a la desreferencia del puntero nulo. El ataque debe abordarse localmente. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El parche se identifica como 31e499d310a48bd17c8b055a0bfe0fe35887a7cd. Se recomienda aplicar un parche para solucionar este problema. VDB-268790 es el identificador asignado a esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 1.7}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://github.com/gpac/gpac/commit/31e499d310a48bd17c8b055a0bfe0fe35887a7cd", "source": "cna@vuldb.com"}, {"url": "https://github.com/gpac/gpac/issues/2872", "source": "cna@vuldb.com"}, {"url": "https://github.com/user-attachments/files/15801126/poc2.zip", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268790", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268790", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.356314", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2023-37057", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T21:15:50.380", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An issue in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to execute arbitrary code via the router's authentication mechanism."}, {"lang": "es", "value": "Un problema en JLINK Unionman Technology Co. Ltd. Jlink AX1800 v.1.0 permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s del mecanismo de autenticaci\u00f3n del enrutador."}], "metrics": {}, "references": [{"url": "http://jlink.com", "source": "cve@mitre.org"}, {"url": "http://www.unionman.com.cn/en/contact.html", "source": "cve@mitre.org"}, {"url": "https://github.com/ri5c/Jlink-Router-RCE", "source": "cve@mitre.org"}, {"url": "https://jlink-global.com/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2023-37058", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T21:15:50.503", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Insecure Permissions vulnerability in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to escalate privileges via a crafted command."}, {"lang": "es", "value": "Vulnerabilidad de permisos inseguros en JLINK Unionman Technology Co. Ltd. Jlink AX1800 v.1.0 permite a un atacante remoto escalar privilegios mediante un comando manipulado."}], "metrics": {}, "references": [{"url": "http://jlink.com", "source": "cve@mitre.org"}, {"url": "https://github.com/ri5c/Jlink-Router-RCE", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-34833", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T21:15:50.783", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Sourcecodester Payroll Management System v1.0 is vulnerable to File Upload. Users can upload images via the \"save_settings\" page. An unauthenticated attacker can leverage this functionality to upload a malicious PHP file instead. Successful exploitation of this vulnerability results in the ability to execute arbitrary code as the user running the web server."}, {"lang": "es", "value": "Sourcecodester Payroll Management System v1.0 es vulnerable a la carga de archivos. Los usuarios pueden cargar im\u00e1genes a trav\u00e9s de la p\u00e1gina \"save_settings\". Un atacante no autenticado puede aprovechar esta funcionalidad para cargar un archivo PHP malicioso. La explotaci\u00f3n exitosa de esta vulnerabilidad da como resultado la capacidad de ejecutar c\u00f3digo arbitrario como usuario que ejecuta el servidor web."}], "metrics": {}, "references": [{"url": "https://github.com/ShellUnease/payroll-management-system-rce", "source": "cve@mitre.org"}, {"url": "https://packetstormsecurity.com/files/179106/Payroll-Management-System-1.0-Remote-Code-Execution.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37798", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T21:15:51.180", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in search-appointment.php in the Admin Panel in Phpgurukul Beauty Parlour Management System 1.0 allows remote attackers to inject arbitrary web script or HTML via the search input field."}, {"lang": "es", "value": "Vulnerabilidad de Cross-site scripting (XSS) en search-appointment.php en el Panel de administraci\u00f3n de Phpgurukul Beauty Parlor Management System 1.0 permite a atacantes remotos inyectar scripts web o HTML arbitrarios a trav\u00e9s del campo de entrada de b\u00fasqueda."}], "metrics": {}, "references": [{"url": "https://cyberxtron.com/blog/cve-2024-37798---cross-site-scripting-xss-in-beauty-parlour-management-system--5187", "source": "cve@mitre.org"}, {"url": "https://owasp.org/www-community/attacks/xss/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37828", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-17T21:15:51.280", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) in Vermeg Agile Reporter v23.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Message field under the Set Broadcast Message module."}, {"lang": "es", "value": "Cross-site scripting (XSS) almacenado en Vermeg Agile Reporter v23.2.1 permite a los atacantes ejecutar scripts web o HTML arbitrarios a trav\u00e9s de un payload manipulado inyectado en el campo Mensaje bajo el m\u00f3dulo Establecer mensaje de difusi\u00f3n."}], "metrics": {}, "references": [{"url": "https://crashpark.weebly.com/blog/2-stored-xss-in-agilereporter-213-by-vermeg", "source": "cve@mitre.org"}, {"url": "https://www.vermeg.com/agile-reporter/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-6063", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-17T21:15:51.443", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master. It has been classified as problematic. This affects the function m2tsdmx_on_event of the file src/filters/dmx_m2ts.c of the component MP4Box. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named 8767ed0a77c4b02287db3723e92c2169f67c85d5. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-268791."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en GPAC 2.5-DEV-rev228-g11067ea92-master. Ha sido clasificada como problem\u00e1tica. Esto afecta a la funci\u00f3n m2tsdmx_on_event del archivo src/filters/dmx_m2ts.c del componente MP4Box. La manipulaci\u00f3n conduce a la desreferencia del puntero nulo. Un ataque debe abordarse localmente. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El parche se llama 8767ed0a77c4b02287db3723e92c2169f67c85d5. Se recomienda aplicar un parche para solucionar este problema. El identificador asociado de esta vulnerabilidad es VDB-268791."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 1.7}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://github.com/gpac/gpac/commit/8767ed0a77c4b02287db3723e92c2169f67c85d5", "source": "cna@vuldb.com"}, {"url": "https://github.com/gpac/gpac/issues/2873", "source": "cna@vuldb.com"}, {"url": "https://github.com/user-attachments/files/15801157/poc.zip", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268791", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268791", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.356315", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6064", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-17T21:15:51.727", "lastModified": "2024-06-20T12:44:22.977", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master. It has been declared as problematic. This vulnerability affects the function xmt_node_end of the file src/scene_manager/loader_xmt.c of the component MP4Box. The manipulation leads to use after free. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The name of the patch is f4b3e4d2f91bc1749e7a924a8ab171af03a355a8/c1b9c794bad8f262c56f3cf690567980d96662f5. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-268792."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en GPAC 2.5-DEV-rev228-g11067ea92-master. Ha sido declarada problem\u00e1tica. Esta vulnerabilidad afecta a la funci\u00f3n xmt_node_end del archivo src/scene_manager/loader_xmt.c del componente MP4Box. La manipulaci\u00f3n conduce al use after free. Se requiere acceso local para abordar este ataque. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El nombre del parche es f4b3e4d2f91bc1749e7a924a8ab171af03a355a8/c1b9c794bad8f262c56f3cf690567980d96662f5. Se recomienda aplicar un parche para solucionar este problema. El identificador de esta vulnerabilidad es VDB-268792."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 4.3}, "baseSeverity": "MEDIUM", "exploitabilityScore": 3.1, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://github.com/gpac/gpac/commit/c1b9c794bad8f262c56f3cf690567980d96662f5", "source": "cna@vuldb.com"}, {"url": "https://github.com/gpac/gpac/issues/2874", "source": "cna@vuldb.com"}, {"url": "https://github.com/user-attachments/files/15801189/poc.zip", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268792", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268792", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.356316", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6065", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-17T21:15:52.007", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been rated as critical. This issue affects some unknown processing of the file index.php. The manipulation of the argument user_email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-268793 was assigned to this vulnerability."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en itsourcecode Bakery Online Ordering System 1.0. Ha sido calificada como cr\u00edtica. Este problema afecta un procesamiento desconocido del archivo index.php. La manipulaci\u00f3n del argumento user_email conduce a la inyecci\u00f3n de SQL. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-268793."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/ppp-src/CVE/issues/4", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268793", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268793", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358386", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6066", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-17T21:15:52.283", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in SourceCodester Best House Rental Management System 1.0. Affected is an unknown function of the file payment_report.php. The manipulation of the argument month_of leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-268794 is the identifier assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en SourceCodester Best House Rental Management System 1.0 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo Payment_report.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento mes_de conduce a la inyecci\u00f3n de SQL. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-268794 es el identificador asignado a esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/jadu101/CVE/blob/main/SourceCodester_House_Rental_Management_System_Sqli.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268794", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268794", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358439", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6067", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-17T22:15:10.657", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical was found in SourceCodester Music Class Enrollment System 1.0. Affected by this vulnerability is an unknown functionality of the file /mces/?p=class/view_class. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268795."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en SourceCodester Music Class Enrollment System 1.0 y clasificada como cr\u00edtica. Una funcionalidad desconocida del archivo /mces/?p=class/view_class es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento id conduce a la inyecci\u00f3n de SQL. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-268795."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/jadu101/CVE/blob/main/SourceCodester-Musical-Class-Enrollment-System-SQLi.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268795", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268795", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358566", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6080", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-17T23:15:51.583", "lastModified": "2024-06-20T20:15:20.583", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical was found in Intelbras InControl 2.21.56. This vulnerability affects unknown code. The manipulation leads to unquoted search path. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. VDB-268822 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure and plans to provide a solution within the next few weeks."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en Intelbras InControl 2.21.56 y clasificada como cr\u00edtica. Esta vulnerabilidad afecta a c\u00f3digo desconocido. La manipulaci\u00f3n conduce a una ruta de b\u00fasqueda sin comillas. Se requiere acceso local para abordar este ataque. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-268822 es el identificador asignado a esta vulnerabilidad. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 6.8}, "baseSeverity": "MEDIUM", "exploitabilityScore": 3.1, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://vuldb.com/?ctiid.268822", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268822", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.353502", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6082", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-17T23:15:51.920", "lastModified": "2024-06-20T19:15:50.437", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as problematic, has been found in PHPVibe 11.0.46. This issue affects some unknown processing of the file functionalities.global.php of the component Global Options Page. The manipulation of the argument site-logo-text leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268823. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en PHPVibe 11.0.46 y clasificada como problem\u00e1tica. Este problema afecta un procesamiento desconocido del archivo functionalities.global.php del componente P\u00e1gina de opciones globales. La manipulaci\u00f3n del argumento sitio-logotipo-texto conduce a cross site scripting. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-268823. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.3}, "baseSeverity": "LOW", "exploitabilityScore": 6.4, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/WeikFu/PHPVibe-vulnerability-description/issues/1", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268823", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268823", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.353548", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6083", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-18T00:15:09.853", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as critical, was found in PHPVibe 11.0.46. Affected is an unknown function of the file /app/uploading/upload-mp3.php of the component Media Upload Page. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268824. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en PHPVibe 11.0.46 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo /app/uploading/upload-mp3.php del componente Media Upload Page es afectada por esta vulnerabilidad. La manipulaci\u00f3n del archivo de argumentos conduce a una carga sin restricciones. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-268824. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://github.com/WeikFu/PHPVibe-vulnerability-description/issues/2", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268824", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268824", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.353552", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6084", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-18T01:15:20.333", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability has been found in itsourcecode Pool of Bethesda Online Reservation System up to 1.0 and classified as critical. Affected by this vulnerability is the function uploadImage of the file /admin/mod_room/controller.php?action=add. The manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-268825 was assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en itsourcecode Pool of Bethesda Online Reservation System hasta 1.0 y clasificada como cr\u00edtica. La funci\u00f3n uploadImage del archivo /admin/mod_room/controller.php?action=add es afectada por esta vulnerabilidad. La manipulaci\u00f3n de la imagen del argumento conduce a una carga sin restricciones. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-268825."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://github.com/Laster-dev/CVE/issues/2", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268825", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268825", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358628", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-0845", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-18T03:15:09.330", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The PDF Viewer for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the render function in all versions up to, and including, 2.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento PDF Viewer para Elementor para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de la funci\u00f3n de renderizado en todas las versiones hasta la 2.9.3 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/pdf-viewer-for-elementor/trunk/widgets/pdf-viewer.php#L256", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/pdf-viewer-for-elementor/trunk/widgets/pdf-viewer.php#L260", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/pdf-viewer-for-elementor/trunk/widgets/pdfjs-viewer.php#L215", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/pdf-viewer-for-elementor/trunk/widgets/pdfjs-viewer.php#L219", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4d6f9c80-ef86-4910-a88e-98f2b444ee30?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-1634", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-18T03:15:09.580", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Scheduling Plugin \u2013 Online Booking for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cbsb_disconnect_settings' function in all versions up to, and including, 3.5.10. This makes it possible for unauthenticated attackers to disconnect the plugin from the startbooking service and remove connection data."}, {"lang": "es", "value": "El complemento Scheduling Plugin \u2013 Online Booking for WordPress para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'cbsb_disconnect_settings' en todas las versiones hasta la 3.5.10 incluida. Esto hace posible que atacantes no autenticados desconecten el complemento del servicio de inicio de reservas y eliminen los datos de conexi\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "references": [{"url": "https://wordpress.org/plugins/calendar-booking/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60e642f9-74ff-47f1-a49d-99c8fdb26f4a?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4375", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-18T03:15:09.797", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Master Slider \u2013 Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ms_layer' shortcode in all versions up to, and including, 3.9.10 due to insufficient input sanitization and output escaping on the 'css_id' user supplied attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Master Slider \u2013 Responsive Touch Slider para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del c\u00f3digo corto 'ms_layer' del complemento en todas las versiones hasta la 3.9.10 incluida debido a una sanitizaci\u00f3n de entrada insuficiente y a un escape de salida en el 'css_id' atributo proporcionado por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/master-slider/trunk/includes/msp-shortcodes.php#L817", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/35ead2b5-8b50-40e1-9b4a-547d97f34c4e?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5541", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-18T03:15:10.020", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Ibtana \u2013 WordPress Website Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ibtana_visual_editor_register_ajax_json_endpont' function in all versions up to, and including, 1.2.3.3. This makes it possible for unauthenticated attackers to update option values for reCAPTCHA keys on the WordPress site. This can be leveraged to bypass reCAPTCHA on the site."}, {"lang": "es", "value": "El complemento Ibtana \u2013 WordPress Website Builder para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'ibtana_visual_editor_register_ajax_json_endpont' en todas las versiones hasta la 1.2.3.3 incluida. Esto hace posible que atacantes no autenticados actualicen los valores de las opciones para las claves reCAPTCHA en el sitio de WordPress. Esto se puede aprovechar para evitar reCAPTCHA en el sitio."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/ibtana-visual-editor/trunk/admin/settings.php#L9", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/ibtana-visual-editor/trunk/dist/blocks.build.js", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e022febe-7295-493d-afa7-185f55b4d3b9?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5860", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-18T04:15:11.607", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Tickera \u2013 WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all tickets associated with events."}, {"lang": "es", "value": "El complemento Tickera \u2013 WordPress Event Ticketing para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la acci\u00f3n tc_dl_delete_tickets AJAX en todas las versiones hasta la 3.5.2.8 incluida. Esto hace posible que los atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen todos los tickets asociados con los eventos."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3103413%40tickera-event-ticketing-system&new=3103413%40tickera-event-ticketing-system&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d86aa41c-24df-49ec-b273-7bb57addddde?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2023-5527", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-18T06:15:10.243", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported by administrators, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration."}, {"lang": "es", "value": "El complemento Business Directory Plugin para WordPress es vulnerable a la inyecci\u00f3n CSV en versiones hasta la 6.4.3 incluida a trav\u00e9s del archivo class-csv-exporter.php. Esto permite a atacantes autenticados, con permisos de nivel de autor y superiores, incrustar entradas no confiables en archivos CSV exportados por administradores, lo que puede resultar en la ejecuci\u00f3n de c\u00f3digo cuando estos archivos se descargan y abren en un sistema local con una configuraci\u00f3n vulnerable."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 3.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/admin/class-csv-exporter.php", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/admin/helpers/csv/class-csv-exporter.php", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3102475/business-directory-plugin/trunk/includes/admin/helpers/csv/class-csv-exporter.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed037e94-68b4-4efc-9d1a-fffc4aff1c45?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-0066", "sourceIdentifier": "product-security@axis.com", "published": "2024-06-18T06:15:10.723", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Johan Fagerstr\u00f6m, member of the AXIS OS Bug Bounty Program, has found that a O3C feature may expose sensitive traffic between the client (Axis device) and (O3C) server. If O3C is not being used this flaw does not apply. \nAxis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution."}, {"lang": "es", "value": "Johan Fagerstr\u00f6m, miembro del programa AXIS OS Bug Bounty, descubri\u00f3 que una caracter\u00edstica de O3C puede exponer el tr\u00e1fico confidencial entre el cliente (dispositivo Axis) y el servidor (O3C). Si no se utiliza O3C, este defecto no se aplica. Axis ha lanzado versiones parcheadas del sistema operativo AXIS para la falla resaltada. Consulte el aviso de seguridad de Axis para obtener m\u00e1s informaci\u00f3n y soluciones."}], "metrics": {"cvssMetricV31": [{"source": "product-security@axis.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "references": [{"url": "https://www.axis.com/dam/public/03/49/2c/cve-2024-0066-en-US-442553.pdf", "source": "product-security@axis.com"}]}}, {"cve": {"id": "CVE-2024-33620", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-18T06:15:11.053", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Absolute path traversal vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, the file contents including sensitive information on the server may be retrieved by an unauthenticated remote attacker."}, {"lang": "es", "value": "Existe una vulnerabilidad de path traversal absoluta en ID Link Manager y FUJITSU Software TIME CREATOR. Si se explota esta vulnerabilidad, un atacante remoto no autenticado puede recuperar el contenido del archivo, incluida la informaci\u00f3n confidencial del servidor."}], "metrics": {}, "references": [{"url": "https://jvn.jp/en/jp/JVN65171386/", "source": "vultures@jpcert.or.jp"}, {"url": "https://www.fujitsu.com/jp/group/fsas/about/resources/security/2024/0617.html", "source": "vultures@jpcert.or.jp"}]}}, {"cve": {"id": "CVE-2024-33622", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-18T06:15:11.163", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing authentication for critical function vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, sensitive information may be obtained and/or the information stored in the database may be altered by a remote authenticated attacker."}, {"lang": "es", "value": "Falta autenticaci\u00f3n para una vulnerabilidad de funci\u00f3n cr\u00edtica en ID Link Manager y FUJITSU Software TIME CREATOR. Si se explota esta vulnerabilidad, un atacante remoto autenticado puede obtener informaci\u00f3n confidencial y/o la informaci\u00f3n almacenada en la base de datos puede ser alterada."}], "metrics": {}, "references": [{"url": "https://jvn.jp/en/jp/JVN65171386/", "source": "vultures@jpcert.or.jp"}, {"url": "https://www.fujitsu.com/jp/group/fsas/about/resources/security/2024/0617.html", "source": "vultures@jpcert.or.jp"}]}}, {"cve": {"id": "CVE-2024-34024", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-18T06:15:11.257", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Observable response discrepancy issue exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, an unauthenticated remote attacker may determine if a username is valid or not."}, {"lang": "es", "value": "Existe un problema de discrepancia de respuesta observable en ID Link Manager y FUJITSU Software TIME CREATOR. Si se explota esta vulnerabilidad, un atacante remoto no autenticado puede determinar si un nombre de usuario es v\u00e1lido o no."}], "metrics": {}, "references": [{"url": "https://jvn.jp/en/jp/JVN65171386/", "source": "vultures@jpcert.or.jp"}, {"url": "https://www.fujitsu.com/jp/group/fsas/about/resources/security/2024/0617.html", "source": "vultures@jpcert.or.jp"}]}}, {"cve": {"id": "CVE-2024-37079", "sourceIdentifier": "security@vmware.com", "published": "2024-06-18T06:15:11.350", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution."}, {"lang": "es", "value": "vCenter Server contiene una vulnerabilidad de desbordamiento de mont\u00f3n en la implementaci\u00f3n del protocolo DCERPC. Un actor malintencionado con acceso a la red de vCenter Server puede desencadenar esta vulnerabilidad al enviar un paquete de red especialmente manipulado que podr\u00eda conducir a la ejecuci\u00f3n remota de c\u00f3digo."}], "metrics": {"cvssMetricV31": [{"source": "security@vmware.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453", "source": "security@vmware.com"}]}}, {"cve": {"id": "CVE-2024-37080", "sourceIdentifier": "security@vmware.com", "published": "2024-06-18T06:15:11.640", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution."}, {"lang": "es", "value": "vCenter Server contiene una vulnerabilidad de desbordamiento de mont\u00f3n en la implementaci\u00f3n del protocolo DCERPC. Un actor malintencionado con acceso a la red de vCenter Server puede desencadenar esta vulnerabilidad al enviar un paquete de red especialmente manipulado que podr\u00eda conducir a la ejecuci\u00f3n remota de c\u00f3digo."}], "metrics": {"cvssMetricV31": [{"source": "security@vmware.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453", "source": "security@vmware.com"}]}}, {"cve": {"id": "CVE-2024-37081", "sourceIdentifier": "security@vmware.com", "published": "2024-06-18T06:15:11.900", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo.\u00a0An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance."}, {"lang": "es", "value": "vCenter Server contiene m\u00faltiples vulnerabilidades de escalada de privilegios locales debido a una mala configuraci\u00f3n de sudo. Un usuario local autenticado con privilegios no administrativos puede aprovechar estos problemas para elevar los privilegios a root en vCenter Server Appliance."}], "metrics": {"cvssMetricV31": [{"source": "security@vmware.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453", "source": "security@vmware.com"}]}}, {"cve": {"id": "CVE-2024-3276", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-18T06:15:12.270", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Lightbox & Modal Popup WordPress Plugin WordPress plugin before 2.7.28, foobox-image-lightbox-premium WordPress plugin before 2.7.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."}, {"lang": "es", "value": "El complemento Lightbox & Modal Popup WordPress Plugin de WordPress anterior a 2.7.28, el complemento foobox-image-lightbox-premium de WordPress anterior a 2.7.28 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en configuraci\u00f3n multisitio)."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/996d3247-ebdd-49d1-a1a3-ceedcf9f2f95/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4094", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-18T06:15:12.360", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Simple Share Buttons Adder WordPress plugin before 8.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed"}, {"lang": "es", "value": "El complemento Simple Share Buttons Adder de WordPress anterior a 8.5.1 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con altos privilegios, como editores, realizar ataques de cross site scripting incluso cuando unfiltered_html no est\u00e1 permitido."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/04b2feba-e009-4fce-8539-5dfdb4300433/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-5172", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-18T06:15:12.440", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Expert Invoice WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"}, {"lang": "es", "value": "El complemento Expert Invoice de WordPress hasta la versi\u00f3n 1.0.2 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/65d84e69-0548-4c7d-bcde-5777d72da555/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-5533", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-18T08:15:50.723", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Divi theme for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.25.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El tema Divi para WordPress es vulnerable a Cross-Site Scripting Almacenado en todas las versiones hasta la 4.25.1 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de autor y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://www.elegantthemes.com/api/changelog/divi.txt", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6571a899-f217-434f-bbed-b1faf77a8d8b?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5899", "sourceIdentifier": "cve-coordination@google.com", "published": "2024-06-18T09:15:09.767", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "When Bazel Plugin in intellij imports a project (either using \"import project\" or \"Auto import\") the dialog for trusting the project is not displayed.\u00a0This comes from the fact that both call the method ProjectBuilder.createProject\u00a0which then calls ProjectManager.getInstance().createProject. This method, as its name suggests is intended to create a new project, not to import an existing one.\u00a0\nWe recommend upgrading to version 2024.06.04.0.2 or beyond for the IntelliJ, CLion and Android Studio Bazel plugins."}, {"lang": "es", "value": "Cuando Bazel Plugin en intellij importa un proyecto (ya sea usando \"importar proyecto\" o \"Importar autom\u00e1ticamente\"), no se muestra el cuadro de di\u00e1logo para confiar en el proyecto. Esto se debe al hecho de que ambos llaman al m\u00e9todo ProjectBuilder.createProject, que luego llama a ProjectManager.getInstance().createProject. Este m\u00e9todo, como su nombre indica, est\u00e1 destinado a crear un nuevo proyecto, no a importar uno existente. Recomendamos actualizar a la versi\u00f3n 2024.06.04.0.2 o posterior para los complementos IntelliJ, CLion y Android Studio Bazel."}], "metrics": {}, "weaknesses": [{"source": "cve-coordination@google.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "https://github.com/bazelbuild/intellij/releases/tag/v2024.06.04-aswb-stable", "source": "cve-coordination@google.com"}, {"url": "https://github.com/bazelbuild/intellij/security/advisories/GHSA-hh9f-wmhw-46vg", "source": "cve-coordination@google.com"}]}}, {"cve": {"id": "CVE-2024-5953", "sourceIdentifier": "secalert@redhat.com", "published": "2024-06-18T10:15:11.170", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de denegaci\u00f3n de servicio en el servidor LDAP 389-ds-base. Este problema puede permitir que un usuario autenticado provoque una denegaci\u00f3n de servicio del servidor al intentar iniciar sesi\u00f3n con un usuario con un hash mal formado en su contrase\u00f1a."}], "metrics": {"cvssMetricV31": [{"source": "secalert@redhat.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "secalert@redhat.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1288"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-5953", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292104", "source": "secalert@redhat.com"}]}}, {"cve": {"id": "CVE-2024-6108", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-18T10:15:11.653", "lastModified": "2024-06-25T18:15:11.730", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in Genexis Tilgin Home Gateway 322_AS0500-03_05_13_05. It has been classified as problematic. Affected is an unknown function of the file /vood/cgi-bin/vood_view.cgi?act=index&lang=EN# of the component Login. The manipulation of the argument errmsg leads to basic cross site scripting. It is possible to launch the attack remotely. VDB-268854 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Genexis Tilgin Home Gateway 322_AS0500-03_05_13_05. Ha sido clasificada como problem\u00e1tica. Una funci\u00f3n desconocida del archivo /vood/cgi-bin/vood_view.cgi?act=index&lang=ES# del componente Login es afectada por esta funci\u00f3n. La manipulaci\u00f3n del argumento errmsg conduce a cross site scripting b\u00e1sico. Es posible lanzar el ataque de forma remota. VDB-268854 es el identificador asignado a esta vulnerabilidad. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.0}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}], "references": [{"url": "https://vuldb.com/?ctiid.268854", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268854", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.353708", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-38504", "sourceIdentifier": "cve@jetbrains.com", "published": "2024-06-18T11:15:51.467", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles"}, {"lang": "es", "value": "En JetBrains YouTrack antes de 2024.2.34646, la cuenta de usuario invitado estaba habilitada para adjuntar archivos a art\u00edculos"}], "metrics": {"cvssMetricV31": [{"source": "cve@jetbrains.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "cve@jetbrains.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/", "source": "cve@jetbrains.com"}]}}, {"cve": {"id": "CVE-2024-38505", "sourceIdentifier": "cve@jetbrains.com", "published": "2024-06-18T11:15:51.733", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site"}, {"lang": "es", "value": "En JetBrains YouTrack antes de 2024.2.34646 se enviaba el token de acceso del usuario al sitio de terceros"}], "metrics": {"cvssMetricV31": [{"source": "cve@jetbrains.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "cve@jetbrains.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-522"}]}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/", "source": "cve@jetbrains.com"}]}}, {"cve": {"id": "CVE-2024-38506", "sourceIdentifier": "cve@jetbrains.com", "published": "2024-06-18T11:15:52.030", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows"}, {"lang": "es", "value": "En JetBrains YouTrack anterior a 2024.2.34646, el usuario sin los permisos adecuados pod\u00eda habilitar la opci\u00f3n de conexi\u00f3n autom\u00e1tica para flujos de trabajo"}], "metrics": {"cvssMetricV31": [{"source": "cve@jetbrains.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "cve@jetbrains.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/", "source": "cve@jetbrains.com"}]}}, {"cve": {"id": "CVE-2024-38507", "sourceIdentifier": "cve@jetbrains.com", "published": "2024-06-18T11:15:52.267", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible"}, {"lang": "es", "value": "En JetBrains Hub antes de 2024.2.34646 era posible XSS Almacenado a trav\u00e9s de la descripci\u00f3n del proyecto"}], "metrics": {"cvssMetricV31": [{"source": "cve@jetbrains.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "cve@jetbrains.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/", "source": "cve@jetbrains.com"}]}}, {"cve": {"id": "CVE-2024-5967", "sourceIdentifier": "secalert@redhat.com", "published": "2024-06-18T12:15:12.707", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL\u00a0 independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin\u00a0access (permission manage-realm) to change the LDAP host URL (\"Connection URL\") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Keycloak. El endpoint de prueba LDAP permite cambiar la URL de conexi\u00f3n de forma independiente sin volver a ingresar las credenciales de enlace LDAP configuradas actualmente. Esta falla permite que un atacante con acceso de administrador (permiso de administraci\u00f3n de dominio) cambie la URL del host LDAP (\"URL de conexi\u00f3n\") a una m\u00e1quina que controla. El servidor Keycloak se conectar\u00e1 al host del atacante e intentar\u00e1 autenticarse con las credenciales configuradas, filtr\u00e1ndoselas as\u00ed al atacante. Como consecuencia, un atacante que haya comprometido la consola de administraci\u00f3n o haya comprometido a un usuario con privilegios suficientes puede filtrar las credenciales del dominio y atacar el dominio."}], "metrics": {"cvssMetricV31": [{"source": "secalert@redhat.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "secalert@redhat.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-276"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-5967", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292200", "source": "secalert@redhat.com"}]}}, {"cve": {"id": "CVE-2024-6109", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-18T12:15:12.987", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in itsourcecode Tailoring Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file addmeasurement.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268855."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en itsourcecode Tailoring Management System 1.0. Ha sido declarada cr\u00edtica. Una funci\u00f3n desconocida del archivo addmeasurement.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento id conduce a la inyecci\u00f3n de SQL. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-268855."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/PHJ-doit/cve/issues/1", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268855", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268855", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358590", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6110", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-18T12:15:13.290", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in itsourcecode Magbanua Beach Resort Online Reservation System up to 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file controller.php. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268856."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en itsourcecode Magbanua Beach Resort Online Reservation System hasta 1.0. Ha sido calificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo controller.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n de la imagen del argumento conduce a una carga sin restricciones. El ataque puede lanzarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-268856. "}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://github.com/Laster-dev/CVE/issues/1", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268856", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268856", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358592", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6111", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-18T13:15:52.193", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in itsourcecode Pool of Bethesda Online Reservation System 1.0. This affects an unknown part of the file login.php. The manipulation of the argument email leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-268857 was assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en itsourcecode Pool of Bethesda Online Reservation System 1.0 y clasificada como cr\u00edtica. Una parte desconocida del archivo login.php afecta a esta vulnerabilidad. La manipulaci\u00f3n del argumento email conduce a la inyecci\u00f3n de SQL. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-268857."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/wangyuan-ui/CVE/issues/1", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268857", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268857", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358988", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6112", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-18T13:15:52.550", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical was found in itsourcecode Pool of Bethesda Online Reservation System 1.0. This vulnerability affects unknown code of the file index.php. The manipulation of the argument log_email leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-268858 is the identifier assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en itsourcecode Pool of Bethesda Online Reservation System 1.0 y clasificada como cr\u00edtica. Esta vulnerabilidad afecta a un c\u00f3digo desconocido del archivo index.php. La manipulaci\u00f3n del argumento log_email conduce a la inyecci\u00f3n de SQL. El ataque se puede iniciar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-268858 es el identificador asignado a esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/wangyuan-ui/CVE/issues/2", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268858", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268858", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358990", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6114", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-18T13:15:52.897", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in itsourcecode Monbela Tourist Inn Online Reservation System up to 1.0. Affected is an unknown function of the file controller.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-268866 is the identifier assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en itsourcecode Monbela Tourist Inn Online Reservation System y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo controller.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n de la imagen del argumento conduce a una carga sin restricciones. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-268866 es el identificador asignado a esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://github.com/wangyuan-ui/CVE/issues/4", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268866", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268866", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358995", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6115", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-18T13:15:53.267", "lastModified": "2024-06-25T18:15:11.857", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical was found in itsourcecode Simple Online Hotel Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file add_room.php. The manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268867."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en itsourcecode Simple Online Hotel Reservation System 1.0 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo add_room.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n de la foto del argumento da lugar a una subida sin restricciones. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-268867."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://github.com/wangyuan-ui/CVE/issues/5", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268867", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268867", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358996", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2023-47726", "sourceIdentifier": "psirt@us.ibm.com", "published": "2024-06-18T14:15:10.317", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "IBM QRadar Suite Software 1.10.12.0 through 1.10.21.0 and IBM Cloud Pak for Security 1.10.12.0 through 1.10.21.0 could allow an authenticated user to execute certain arbitrary commands due to improper input validation. IBM X-Force ID: 272087."}, {"lang": "es", "value": "IBM QRadar Suite Software 1.10.12.0 a 1.10.21.0 e IBM Cloud Pak for Security 1.10.12.0 a 1.10.21.0 podr\u00edan permitir que un usuario autenticado ejecute ciertos comandos arbitrarios debido a una validaci\u00f3n de entrada incorrecta. ID de IBM X-Force: 272087."}], "metrics": {"cvssMetricV31": [{"source": "psirt@us.ibm.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "psirt@us.ibm.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1287"}]}], "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/272087", "source": "psirt@us.ibm.com"}, {"url": "https://https://www.ibm.com/support/pages/node/7157750", "source": "psirt@us.ibm.com"}]}}, {"cve": {"id": "CVE-2024-5750", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-18T14:15:11.383", "lastModified": "2024-06-18T14:15:11.383", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: ** REJECT ** Not a valid security issue."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2024-6116", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-18T14:15:12.440", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as critical, has been found in itsourcecode Simple Online Hotel Reservation System 1.0. Affected by this issue is some unknown functionality of the file edit_room.php. The manipulation of the argument photo leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268868."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en itsourcecode Simple Online Hotel Reservation System 1.0 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo edit_room.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n de la foto del argumento da lugar a una subida sin restricciones. El ataque puede lanzarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-268868."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://github.com/wangyuan-ui/CVE/issues/6", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268868", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268868", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.359002", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-5275", "sourceIdentifier": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "published": "2024-06-18T15:15:52.493", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A hard-coded password in the FileCatalyst TransferAgent can be found which can be used to unlock the keystore from which contents may be read out, for example, the private key for certificates. Exploit of this vulnerability could lead to a machine-in-the-middle (MiTM) attack against users of the agent. This issue affects all versions of FileCatalyst Direct from 3.8.10 Build 138 and earlier and all versions of\u00a0FileCatalyst Workflow from 5.1.6 Build 130 and earlier."}, {"lang": "es", "value": "Se puede encontrar una contrase\u00f1a codificada en FileCatalyst TransferAgent que se puede usar para desbloquear el almac\u00e9n de claves desde el cual se pueden leer los contenidos, por ejemplo, la clave privada para los certificados. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda dar lugar a un ataque de m\u00e1quina intermedia (MiTM) contra los usuarios del agente. Este problema afecta a todas las versiones de FileCatalyst Direct desde 3.8.10 Build 138 y anteriores y a todas las versiones de FileCatalyst Workflow desde 5.1.6 Build 130 y anteriores."}], "metrics": {"cvssMetricV31": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-259"}]}], "references": [{"url": "https://support.fortra.com/filecatalyst/kb-articles/action-required-by-june-18th-2024-filecatalyst-transferagent-ssl-and-localhost-changes-MWQwYjI3ZGItZmQyMS1lZjExLTg0MGItMDAyMjQ4MGE0MDNm", "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff"}, {"url": "https://www.fortra.com/security/advisory/fi-2024-007", "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff"}]}}, {"cve": {"id": "CVE-2024-21685", "sourceIdentifier": "security@atlassian.com", "published": "2024-06-18T17:15:51.243", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "This High severity Information Disclosure vulnerability was introduced in versions 9.4.0, 9.12.0, and 9.15.0 of Jira Core Data Center. \r\n\t\r\n\tThis Information Disclosure vulnerability, with a CVSS Score of 7.4, allows an unauthenticated attacker to view sensitive information via an Information Disclosure vulnerability which has high impact to confidentiality, no impact to integrity, no impact to availability, and requires user interaction. \r\n\t\r\n\tAtlassian recommends that Jira Core Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n\t\t\r\n\t\tJira Core Data Center 9.4: Upgrade to a release greater than or equal to 9.4.21\r\n\t\t\r\n\t\tJira Core Data Center 9.12: Upgrade to a release greater than or equal to 9.12.8\r\n\t\t\r\n\t\tJira Core Data Center 9.16: Upgrade to a release greater than or equal to 9.16.0\r\n\t\t\r\n\t\t\r\n\t\r\n\tSee the release notes. You can download the latest version of Jira Core Data Center from the download center. \r\n\t\r\n\tThis vulnerability was found internally."}, {"lang": "es", "value": "Esta vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n de alta gravedad se introdujo en las versiones 9.4.0, 9.12.0 y 9.15.0 de Jira Core Data Center. Esta vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n, con una puntuaci\u00f3n CVSS de 7,4, permite a un atacante no autenticado ver informaci\u00f3n confidencial a trav\u00e9s de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n que tiene un alto impacto en la confidencialidad, ning\u00fan impacto en la integridad, ning\u00fan impacto en la disponibilidad y requiere la interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Jira Core Data Center actualicen a la \u00faltima versi\u00f3n; si no pueden hacerlo, actualicen su instancia a una de las versiones fijas admitidas especificadas: Jira Core Data Center 9.4: actualice a una versi\u00f3n superior o igual a 9.4. 21 Jira Core Data Center 9.12: actualice a una versi\u00f3n superior o igual a 9.12.8 Jira Core Data Center 9.16: actualice a una versi\u00f3n superior o igual a 9.16.0 Consulte las notas de la versi\u00f3n. Puede descargar la \u00faltima versi\u00f3n de Jira Core Data Center desde el centro de descargas. Esta vulnerabilidad se encontr\u00f3 internamente."}], "metrics": {"cvssMetricV30": [{"source": "security@atlassian.com", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.0}]}, "references": [{"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1409286211", "source": "security@atlassian.com"}, {"url": "https://jira.atlassian.com/browse/JRASERVER-77713", "source": "security@atlassian.com"}]}}, {"cve": {"id": "CVE-2024-37799", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-18T17:15:51.910", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "CodeProjects Restaurant Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the reserv_id parameter at view_reservations.php."}, {"lang": "es", "value": "Se descubri\u00f3 que CodeProjects Restaurant Reservation System v1.0 contiene una vulnerabilidad de inyecci\u00f3n SQL a trav\u00e9s del par\u00e1metro reserv_id en view_reservations.php."}], "metrics": {}, "references": [{"url": "https://code-projects.org/restaurant-reservation-system-in-php-with-source-code/", "source": "cve@mitre.org"}, {"url": "https://github.com/himanshubindra/CVEs/blob/main/CVE-2024-37799", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37800", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-18T17:15:52.027", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "CodeProjects Restaurant Reservation System v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Date parameter at index.php."}, {"lang": "es", "value": "Se descubri\u00f3 que CodeProjects Restaurant Reservation System v1.0 contiene una vulnerabilidad de cross-site scripting (XSS) reflejado a trav\u00e9s del par\u00e1metro Fecha en index.php."}], "metrics": {}, "references": [{"url": "https://code-projects.org/restaurant-reservation-system-in-php-with-source-code/", "source": "cve@mitre.org"}, {"url": "https://github.com/SandeepRajauriya/CVEs/blob/main/CVE-2024-37800", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37802", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-18T17:15:52.133", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "CodeProjects Health Care hospital Management System v1.0 was discovered to contain a SQL injection vulnerability in the Patient Info module via the searvalu parameter."}, {"lang": "es", "value": "Se descubri\u00f3 que CodeProjects Health Care hospital Management System v1.0 conten\u00eda una vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo de informaci\u00f3n del paciente a trav\u00e9s del par\u00e1metro servalu."}], "metrics": {}, "references": [{"url": "https://code-projects.org/health-care-hospital-in-php-css-js-and-mysql-free-download/", "source": "cve@mitre.org"}, {"url": "https://github.com/SandeepRajauriya/CVEs/blob/main/CVE-2024-37802", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37803", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-18T17:15:52.237", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in CodeProjects Health Care hospital Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname and lname parameters under the Staff Info page."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de cross-site scripting (XSS) almacenado en CodeProjects Health Care hospital Management System v1.0 permiten a los atacantes ejecutar scripts web o HTML arbitrarios a trav\u00e9s de un payload manipulado inyectado en los par\u00e1metros fname y lname en la p\u00e1gina de informaci\u00f3n del personal."}], "metrics": {}, "references": [{"url": "https://code-projects.org/health-care-hospital-in-php-css-js-and-mysql-free-download/", "source": "cve@mitre.org"}, {"url": "https://github.com/himanshubindra/CVEs/blob/main/CVE-2024-37803", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37904", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-18T17:15:52.337", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Minder is an open source Software Supply Chain Security Platform. Minder's Git provider is vulnerable to a denial of service from a maliciously configured GitHub repository. The Git provider clones users repositories using the `github.com/go-git/go-git/v5` library on lines `L55-L89`. The Git provider does the following on the lines `L56-L62`. First, it sets the `CloneOptions`, specifying the url, the depth etc. It then validates the options. It then sets up an in-memory filesystem, to which it clones and Finally, it clones the repository. The `(g *Git) Clone()` method is vulnerable to a DoS attack: A Minder user can instruct Minder to clone a large repository which will exhaust memory and crash the Minder server. The root cause of this vulnerability is a combination of the following conditions: 1. Users can control the Git URL which Minder clones, 2. Minder does not enforce a size limit to the repository, 3. Minder clones the entire repository into memory. This issue has been addressed in commit `7979b43` which has been included in release version v0.0.52. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Minder es una plataforma de seguridad de la cadena de suministro de software de c\u00f3digo abierto. El proveedor Git de Minder es vulnerable a una denegaci\u00f3n de servicio desde un repositorio GitHub configurado maliciosamente. El proveedor de Git clona los repositorios de los usuarios utilizando la librer\u00eda `github.com/go-git/go-git/v5` en las l\u00edneas `L55-L89`. El proveedor de Git hace lo siguiente en las l\u00edneas \"L56-L62\". Primero, establece `CloneOptions`, especificando la URL, la profundidad, etc. Luego valida las opciones. Luego configura un sistema de archivos en memoria, al cual clona y, finalmente, clona el repositorio. El m\u00e9todo `(g *Git) Clone()` es vulnerable a un ataque DoS: un usuario de Minder puede indicarle a Minder que clone un repositorio grande que agotar\u00e1 la memoria y bloquear\u00e1 el servidor de Minder. La causa principal de esta vulnerabilidad es una combinaci\u00f3n de las siguientes condiciones: 1. Los usuarios pueden controlar la URL de Git que Minder clona, 2. Minder no impone un l\u00edmite de tama\u00f1o al repositorio, 3. Minder clona todo el repositorio en la memoria. Este problema se solucion\u00f3 en el commit `7979b43` que se incluy\u00f3 en la versi\u00f3n v0.0.52. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go#L55-L89", "source": "security-advisories@github.com"}, {"url": "https://github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go#L56-L62", "source": "security-advisories@github.com"}, {"url": "https://github.com/stacklok/minder/commit/7979b43", "source": "security-advisories@github.com"}, {"url": "https://github.com/stacklok/minder/security/advisories/GHSA-hpcg-xjq5-g666", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-38347", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-18T17:15:52.583", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "CodeProjects Health Care hospital Management System v1.0 was discovered to contain a SQL injection vulnerability in the Room Information module via the id parameter."}, {"lang": "es", "value": "Se descubri\u00f3 que CodeProjects Health Care hospital Management System v1.0 conten\u00eda una vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo de informaci\u00f3n de la habitaci\u00f3n a trav\u00e9s del par\u00e1metro id."}], "metrics": {}, "references": [{"url": "https://code-projects.org/health-care-hospital-in-php-css-js-and-mysql-free-download/", "source": "cve@mitre.org"}, {"url": "https://github.com/SandeepRajauriya/CVEs/blob/main/CVE-2024-38347", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38348", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-18T17:15:52.677", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "CodeProjects Health Care hospital Management System v1.0 was discovered to contain a SQL injection vulnerability in the Staff Info module via the searvalu parameter."}, {"lang": "es", "value": "Se descubri\u00f3 que CodeProjects Health Care hospital Management System v1.0 conten\u00eda una vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo de informaci\u00f3n del personal a trav\u00e9s del par\u00e1metro servalu."}], "metrics": {}, "references": [{"url": "https://code-projects.org/health-care-hospital-in-php-css-js-and-mysql-free-download/", "source": "cve@mitre.org"}, {"url": "https://github.com/SandeepRajauriya/CVEs/blob/main/CVE-2024-38348", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38351", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-18T17:15:52.777", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Pocketbase is an open source web backend written in go. In affected versions a malicious user may be able to compromise other user accounts. In order to be exploited users must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: 1. a malicious actor register with the targeted user's email (it is unverified), 2. at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (_this step could be also initiated by the attacker by sending an invite email to the targeted user_), 3. on successful OAuth2 auth we search for an existing PocketBase user matching with the OAuth2 user's email and associate them, 4. because we haven't changed the password of the existing PocketBase user during the linking, the malicious actor has access to the targeted user account and will be able to login with the initially created email/password. To prevent this for happening we now reset the password for this specific case if the previously created user wasn't verified (an exception to this is if the linking is explicit/manual, aka. when you send `Authorization:TOKEN` with the OAuth2 auth call). Additionally to warn existing users we now send an email alert in case the user has logged in with password but has at least one OAuth2 account linked. The flow will be further improved with ongoing refactoring and we will start sending emails for \"unrecognized device\" logins (OTP and MFA is already implemented and will be available with the next v0.23.0 release in the near future). For the time being users are advised to update to version 0.22.14. There are no known workarounds for this vulnerability.\n\n"}, {"lang": "es", "value": "Pocketbase es un backend web de c\u00f3digo abierto escrito en go. En las versiones afectadas, un usuario malintencionado puede comprometer las cuentas de otros usuarios. Para ser explotados, los usuarios deben tener habilitados los m\u00e9todos de autenticaci\u00f3n OAuth2 y Contrase\u00f1a. Un posible escenario de ataque podr\u00eda ser: 1. un actor malintencionado se registra con el correo electr\u00f3nico del usuario objetivo (no est\u00e1 verificado), 2. en alg\u00fan momento posterior, el usuario objetivo tropieza con su aplicaci\u00f3n y decide registrarse con OAuth2 (_este paso El atacante tambi\u00e9n podr\u00eda iniciarlo enviando un correo electr\u00f3nico de invitaci\u00f3n al usuario objetivo_), 3. en una autenticaci\u00f3n OAuth2 exitosa, buscamos un usuario de PocketBase existente que coincida con el correo electr\u00f3nico del usuario OAuth2 y lo asociamos, 4. porque no hemos cambiado el contrase\u00f1a del usuario de PocketBase existente durante la vinculaci\u00f3n, el actor malicioso tiene acceso a la cuenta de usuario objetivo y podr\u00e1 iniciar sesi\u00f3n con el correo electr\u00f3nico/contrase\u00f1a creado inicialmente. Para evitar que esto suceda, ahora restablecemos la contrase\u00f1a para este caso espec\u00edfico si el usuario creado anteriormente no fue verificado (una excepci\u00f3n a esto es si el enlace es expl\u00edcito/manual, tambi\u00e9n conocido como cuando env\u00eda `Autorizaci\u00f3n:TOKEN` con OAuth2 llamada de autenticaci\u00f3n). Adem\u00e1s, para advertir a los usuarios existentes, ahora enviamos una alerta por correo electr\u00f3nico en caso de que el usuario haya iniciado sesi\u00f3n con contrase\u00f1a pero tenga al menos una cuenta OAuth2 vinculada. El flujo se mejorar\u00e1 a\u00fan m\u00e1s con la refactorizaci\u00f3n continua y comenzaremos a enviar correos electr\u00f3nicos para inicios de sesi\u00f3n de \"dispositivos no reconocidos\" (OTP y MFA ya est\u00e1n implementados y estar\u00e1n disponibles con la pr\u00f3xima versi\u00f3n v0.23.0 en un futuro pr\u00f3ximo). Por el momento, se recomienda a los usuarios que actualicen a la versi\u00f3n 0.22.14. No se conocen workarounds para esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://github.com/pocketbase/pocketbase/discussions/4355", "source": "security-advisories@github.com"}, {"url": "https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2022-23829", "sourceIdentifier": "psirt@amd.com", "published": "2024-06-18T19:15:56.957", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A potential weakness in AMD SPI protection features may allow a malicious attacker with Ring0 (kernel mode) access to bypass the native System Management Mode (SMM) ROM protections."}, {"lang": "es", "value": "Una posible debilidad en las funciones de protecci\u00f3n AMD SPI puede permitir que un atacante malicioso con acceso Ring0 (modo kernel) evite las protecciones ROM nativas del modo de administraci\u00f3n del sistema (SMM)."}], "metrics": {"cvssMetricV31": [{"source": "psirt@amd.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.5, "impactScore": 6.0}]}, "references": [{"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-1041.html", "source": "psirt@amd.com"}]}}, {"cve": {"id": "CVE-2024-22002", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-18T19:15:59.397", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "CORSAIR iCUE 5.9.105 with iCUE Murals on Windows allows unprivileged users to insert DLL files in the cuepkg-1.2.6 subdirectory of the installation directory."}, {"lang": "es", "value": "CORSAIR iCUE 5.9.105 con iCUE Murals en Windows permite a usuarios sin privilegios insertar archivos DLL en el subdirectorio cuepkg-1.2.6 del directorio de instalaci\u00f3n."}], "metrics": {}, "references": [{"url": "https://github.com/0xkickit/iCUE_DllHijack_LPE-CVE-2024-22002", "source": "cve@mitre.org"}, {"url": "https://twitter.com/0xkickit", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37791", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-18T19:16:00.120", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "DuxCMS3 v3.1.3 was discovered to contain a SQL injection vulnerability via the keyword parameter at /article/Content/index?class_id."}, {"lang": "es", "value": "Se descubri\u00f3 que DuxCMS3 v3.1.3 conten\u00eda una vulnerabilidad de inyecci\u00f3n SQL a trav\u00e9s del par\u00e1metro de palabra clave en /article/Content/index?class_id."}], "metrics": {}, "references": [{"url": "https://github.com/duxphp/DuxCMS3/", "source": "cve@mitre.org"}, {"url": "https://github.com/duxphp/DuxCMS3/issues/5", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36974", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-18T20:15:13.257", "lastModified": "2024-06-21T14:15:12.330", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP\n\nIf one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,\ntaprio_parse_mqprio_opt() must validate it, or userspace\ncan inject arbitrary data to the kernel, the second time\ntaprio_change() is called.\n\nFirst call (with valid attributes) sets dev->num_tc\nto a non zero value.\n\nSecond call (with arbitrary mqprio attributes)\nreturns early from taprio_parse_mqprio_opt()\nand bad things can happen."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: taprio: validar siempre TCA_TAPRIO_ATTR_PRIOMAP Si se ha proporcionado un atributo TCA_TAPRIO_ATTR_PRIOMAP, taprio_parse_mqprio_opt() debe validarlo, o el espacio de usuario puede inyectar datos arbitrarios al kernel, la segunda vez taprio_change () se llama. La primera llamada (con atributos v\u00e1lidos) establece dev->num_tc en un valor distinto de cero. La segunda llamada (con atributos mqprio arbitrarios) regresa temprano desde taprio_parse_mqprio_opt() y pueden suceder cosas malas."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0bf6cc96612bd396048f57d63f1ad454a846e39c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/724050ae4b76e4fae05a923cb54101d792cf4404", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c37a27a35eadb59286c9092c49c241270c802ae2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f921a58ae20852d188f70842431ce6519c4fdc36", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-36975", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-18T20:15:13.340", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Do not use WARN when encode fails\n\nWhen asn1_encode_sequence() fails, WARN is not the correct solution.\n\n1. asn1_encode_sequence() is not an internal function (located\n in lib/asn1_encode.c).\n2. Location is known, which makes the stack trace useless.\n3. Results a crash if panic_on_warn is set.\n\nIt is also noteworthy that the use of WARN is undocumented, and it\nshould be avoided unless there is a carefully considered rationale to\nuse it.\n\nReplace WARN with pr_err, and print the return value instead, which is\nonly useful piece of information."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: LLAVES: confiable: no usar WARN cuando falla la codificaci\u00f3n Cuando falla asn1_encode_sequence(), WARN no es la soluci\u00f3n correcta. 1. asn1_encode_sequence() no es una funci\u00f3n interna (ubicada en lib/asn1_encode.c). 2. Se conoce la ubicaci\u00f3n, lo que hace que el seguimiento de la pila sea in\u00fatil. 3. Se produce un bloqueo si se configura p\u00e1nico_on_warn. Tambi\u00e9n es digno de menci\u00f3n que el uso de WARN no est\u00e1 documentado y debe evitarse a menos que exista una justificaci\u00f3n cuidadosamente considerada para su uso. Reemplace WARN con pr_err e imprima el valor de retorno, que es solo informaci\u00f3n \u00fatil."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/050bf3c793a07f96bd1e2fd62e1447f731ed733b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1c652e1e10676f942149052d9329b8bf2703529a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/681935009fec3fc22af97ee312d4a24ccf3cf087", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/96f650995c70237b061b497c66755e32908f8972", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d32c6e09f7c4bec3ebc4941323f0aa6366bc1487", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ff91cc12faf798f573dab2abc976c1d5b1862fea", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-36976", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-18T20:15:13.437", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"media: v4l2-ctrls: show all owned controls in log_status\"\n\nThis reverts commit 9801b5b28c6929139d6fceeee8d739cc67bb2739.\n\nThis patch introduced a potential deadlock scenario:\n\n[Wed May 8 10:02:06 2024] Possible unsafe locking scenario:\n\n[Wed May 8 10:02:06 2024] CPU0 CPU1\n[Wed May 8 10:02:06 2024] ---- ----\n[Wed May 8 10:02:06 2024] lock(vivid_ctrls:1620:(hdl_vid_cap)->_lock);\n[Wed May 8 10:02:06 2024] lock(vivid_ctrls:1608:(hdl_user_vid)->_lock);\n[Wed May 8 10:02:06 2024] lock(vivid_ctrls:1620:(hdl_vid_cap)->_lock);\n[Wed May 8 10:02:06 2024] lock(vivid_ctrls:1608:(hdl_user_vid)->_lock);\n\nFor now just revert."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: Revertir \"media: v4l2-ctrls: mostrar todos los controles de propiedad en log_status\" Esto revierte el commit 9801b5b28c6929139d6fceeee8d739cc67bb2739. Este parche introdujo un posible escenario de bloqueo: [mi\u00e9rcoles 8 de mayo 10:02:06 2024] Posible escenario de bloqueo inseguro: [mi\u00e9rcoles 8 de mayo 10:02:06 2024] CPU0 CPU1 [mi\u00e9rcoles 8 de mayo 10:02:06 2024] -- -- ---- [mi\u00e9rcoles 8 de mayo 10:02:06 2024] lock(vivid_ctrls:1620:(hdl_vid_cap)->_lock); [Mi\u00e9rcoles 8 de mayo 10:02:06 2024] lock(vivid_ctrls:1608:(hdl_user_vid)->_lock); [Mi\u00e9rcoles 8 de mayo 10:02:06 2024] lock(vivid_ctrls:1620:(hdl_vid_cap)->_lock); [Mi\u00e9rcoles 8 de mayo 10:02:06 2024] lock(vivid_ctrls:1608:(hdl_user_vid)->_lock); Por ahora simplemente revertir."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2e0ce54a9c5c7013b1257be044d99cbe7305e9f1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eba63df7eb1f95df6bfb67722a35372b6994928d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-36977", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-18T20:15:13.517", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Wait unconditionally after issuing EndXfer command\n\nCurrently all controller IP/revisions except DWC3_usb3 >= 310a\nwait 1ms unconditionally for ENDXFER completion when IOC is not\nset. This is because DWC_usb3 controller revisions >= 3.10a\nsupports GUCTL2[14: Rst_actbitlater] bit which allows polling\nCMDACT bit to know whether ENDXFER command is completed.\n\nConsider a case where an IN request was queued, and parallelly\nsoft_disconnect was called (due to ffs_epfile_release). This\neventually calls stop_active_transfer with IOC cleared, hence\nsend_gadget_ep_cmd() skips waiting for CMDACT cleared during\nEndXfer. For DWC3 controllers with revisions >= 310a, we don't\nforcefully wait for 1ms either, and we proceed by unmapping the\nrequests. If ENDXFER didn't complete by this time, it leads to\nSMMU faults since the controller would still be accessing those\nrequests.\n\nFix this by ensuring ENDXFER completion by adding 1ms delay in\n__dwc3_stop_active_transfer() unconditionally."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: usb: dwc3: Espere incondicionalmente despu\u00e9s de emitir el comando EndXfer Actualmente, todas las IP/revisiones del controlador excepto DWC3_usb3 >= 310a esperan 1 ms incondicionalmente para que ENDXFER se complete cuando el IOC no est\u00e1 configurado. Esto se debe a que las revisiones del controlador DWC_usb3 >= 3.10a admiten el bit GUCTL2[14: Rst_actbitlater] que permite sondear el bit CMDACT para saber si se complet\u00f3 el comando ENDXFER. Considere un caso en el que se puso en cola una solicitud IN y, en paralelo, se llam\u00f3 a soft_disconnect (debido a ffs_epfile_release). Esto eventualmente llama a stop_active_transfer con el IOC borrado, por lo tanto, send_gadget_ep_cmd() omite la espera de que CMDACT se borre durante EndXfer. Para los controladores DWC3 con revisiones >= 310a, tampoco esperamos forzosamente 1 ms y procedemos a desasignar las solicitudes. Si ENDXFER no se complet\u00f3 en este momento, se producir\u00e1n fallas de SMMU ya que el controlador a\u00fan estar\u00eda accediendo a esas solicitudes. Solucione este problema asegurando la finalizaci\u00f3n de ENDXFER agregando un retraso de 1 ms en __dwc3_stop_active_transfer() incondicionalmente."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1ba145f05b5c8f0b1a947a0633b5edff5dd1f1c5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1d26ba0944d398f88aaf997bda3544646cf21945", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/341eb08dbca9eae05308c442fbfab1813a44c97a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4a387e032909c6dc2b479452c5bbe9a252057925", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ec96bcf5f96a7a5c556b0e881ac3e5c3924d542c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-37821", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-18T20:15:13.640", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file."}, {"lang": "es", "value": "Una vulnerabilidad de carga de archivos arbitrarios en la funci\u00f3n Cargar plantilla de Dolibarr ERP CRM hasta v19.0.1 permite a los atacantes ejecutar c\u00f3digo arbitrario cargando un archivo .SQL manipulado."}], "metrics": {}, "references": [{"url": "http://dolibarr.com", "source": "cve@mitre.org"}, {"url": "https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-37821.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38273", "sourceIdentifier": "patrick@puiterwijk.org", "published": "2024-06-18T20:15:13.740", "lastModified": "2024-06-27T03:15:50.130", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access."}, {"lang": "es", "value": "Las comprobaciones de capacidad insuficientes significaron que era posible que los usuarios obtuvieran acceso a las URL de uni\u00f3n de BigBlueButton a las que no ten\u00edan permiso para acceder."}], "metrics": {}, "weaknesses": [{"source": "patrick@puiterwijk.org", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6/", "source": "patrick@puiterwijk.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E/", "source": "patrick@puiterwijk.org"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=459498", "source": "patrick@puiterwijk.org"}]}}, {"cve": {"id": "CVE-2024-38274", "sourceIdentifier": "patrick@puiterwijk.org", "published": "2024-06-18T20:15:13.860", "lastModified": "2024-06-27T03:15:50.233", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt."}, {"lang": "es", "value": "El escape insuficiente de los t\u00edtulos de los eventos del calendario result\u00f3 en un riesgo XSS almacenado en el mensaje de eliminaci\u00f3n del evento."}], "metrics": {}, "weaknesses": [{"source": "patrick@puiterwijk.org", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6/", "source": "patrick@puiterwijk.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E/", "source": "patrick@puiterwijk.org"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=459499", "source": "patrick@puiterwijk.org"}]}}, {"cve": {"id": "CVE-2024-38275", "sourceIdentifier": "patrick@puiterwijk.org", "published": "2024-06-18T20:15:13.970", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs."}, {"lang": "es", "value": "El contenedor cURL en Moodle retuvo los encabezados de solicitud originales al seguir redirecciones, por lo que la informaci\u00f3n del encabezado de autorizaci\u00f3n HTTP podr\u00eda enviarse involuntariamente en solicitudes para redireccionar URL."}], "metrics": {}, "weaknesses": [{"source": "patrick@puiterwijk.org", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-226"}]}], "references": [{"url": "https://moodle.org/mod/forum/discuss.php?d=459500", "source": "patrick@puiterwijk.org"}]}}, {"cve": {"id": "CVE-2024-38276", "sourceIdentifier": "patrick@puiterwijk.org", "published": "2024-06-18T20:15:14.093", "lastModified": "2024-06-27T03:15:50.300", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Incorrect CSRF token checks resulted in multiple CSRF risks."}, {"lang": "es", "value": "Las comprobaciones incorrectas de tokens CSRF dieron lugar a m\u00faltiples riesgos de CSRF."}], "metrics": {}, "weaknesses": [{"source": "patrick@puiterwijk.org", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6/", "source": "patrick@puiterwijk.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E/", "source": "patrick@puiterwijk.org"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=459501", "source": "patrick@puiterwijk.org"}]}}, {"cve": {"id": "CVE-2024-38277", "sourceIdentifier": "patrick@puiterwijk.org", "published": "2024-06-18T20:15:14.210", "lastModified": "2024-06-27T03:15:50.370", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two."}, {"lang": "es", "value": "Se debe generar una clave \u00fanica para la clave de inicio de sesi\u00f3n QR de un usuario y su clave de inicio de sesi\u00f3n autom\u00e1tico, de modo que la misma clave no se pueda usar indistintamente entre las dos."}], "metrics": {}, "weaknesses": [{"source": "patrick@puiterwijk.org", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-324"}]}], "references": [{"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6/", "source": "patrick@puiterwijk.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E/", "source": "patrick@puiterwijk.org"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=459502", "source": "patrick@puiterwijk.org"}]}}, {"cve": {"id": "CVE-2024-6128", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-18T21:15:56.877", "lastModified": "2024-06-21T16:15:12.570", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as problematic, has been found in spa-cartcms 1.9.0.6. This issue affects some unknown processing of the file /checkout of the component Checkout Page. The manipulation of the argument quantity with the input -10 leads to enforcement of behavioral workflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268895."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en spa-cartcms 1.9.0.6 y clasificada como problem\u00e1tica. Este problema afecta un procesamiento desconocido del archivo /checkout de la p\u00e1gina de pago del componente. La manipulaci\u00f3n del argumento cantidad con la entrada -10 conduce a la aplicaci\u00f3n del flujo de trabajo conductual. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-268895."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.0}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-841"}]}], "references": [{"url": "https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html", "source": "cna@vuldb.com"}, {"url": "https://seclists.org/fulldisclosure/2024/Jun/6", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268895", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268895", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6129", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-18T21:15:57.217", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as problematic, was found in spa-cartcms 1.9.0.6. Affected is an unknown function of the file /login of the component Username Handler. The manipulation of the argument email leads to observable behavioral discrepancy. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268896."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en spa-cartcms 1.9.0.6 y clasificada como problem\u00e1tica. Una funci\u00f3n desconocida del archivo /login del componente Username Handler es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento del correo electr\u00f3nico conduce a una discrepancia de comportamiento observable. Es posible lanzar el ataque de forma remota. La complejidad de un ataque es bastante alta. Se dice que la explotabilidad es dif\u00edcil. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-268896."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6}, "baseSeverity": "LOW", "exploitabilityScore": 4.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-205"}]}], "references": [{"url": "https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html", "source": "cna@vuldb.com"}, {"url": "https://seclists.org/fulldisclosure/2024/Jun/6", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268896", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268896", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-5970", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-18T22:15:09.487", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The MaxGalleria plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's maxgallery_thumb shortcode in all versions up to, and including, 6.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento MaxGalleria para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del c\u00f3digo corto maxgallery_thumb del complemento en todas las versiones hasta la 6.4.4 incluida debido a una sanitizaci\u00f3n de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/maxgalleria/tags/6.4.4/maxgalleria-shortcode-thumb.php#L45", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a0bb1036-3e45-4ac9-b920-3b9629a3a724?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-6142", "sourceIdentifier": "zdi-disclosures@trendmicro.com", "published": "2024-06-19T00:15:49.580", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Actiontec WCB6200Q uh_tcp_recv_content Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Actiontec WCB6200Q routers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the HTTP server. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length buffer. An attacker can leverage this vulnerability to execute code in the context of the HTTP server. Was ZDI-CAN-21410."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo por desbordamiento del b\u00fafer en Actiontec WCB6200Q uh_tcp_recv_content. Esta vulnerabilidad permite a atacantes adyacentes a la red ejecutar c\u00f3digo arbitrario en instalaciones afectadas de enrutadores Actiontec WCB6200Q. No se requiere autenticaci\u00f3n para aprovechar esta vulnerabilidad. La falla espec\u00edfica existe dentro del servidor HTTP. El problema se debe a la falta de una validaci\u00f3n adecuada de la longitud de los datos proporcionados por el usuario antes de copiarlos en un b\u00fafer de longitud fija. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del servidor HTTP. Era ZDI-CAN-21410."}], "metrics": {"cvssMetricV30": [{"source": "zdi-disclosures@trendmicro.com", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "zdi-disclosures@trendmicro.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-805/", "source": "zdi-disclosures@trendmicro.com"}]}}, {"cve": {"id": "CVE-2024-6143", "sourceIdentifier": "zdi-disclosures@trendmicro.com", "published": "2024-06-19T00:15:49.847", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Actiontec WCB6200Q uh_tcp_recv_header Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Actiontec WCB6200Q routers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the HTTP server. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length buffer. An attacker can leverage this vulnerability to execute code in the context of the HTTP server. Was ZDI-CAN-21414."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo por desbordamiento del b\u00fafer en Actiontec WCB6200Q uh_tcp_recv_header. Esta vulnerabilidad permite a atacantes adyacentes a la red ejecutar c\u00f3digo arbitrario en instalaciones afectadas de enrutadores Actiontec WCB6200Q. No se requiere autenticaci\u00f3n para aprovechar esta vulnerabilidad. La falla espec\u00edfica existe dentro del servidor HTTP. El problema se debe a la falta de una validaci\u00f3n adecuada de la longitud de los datos proporcionados por el usuario antes de copiarlos en un b\u00fafer de longitud fija. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del servidor HTTP. Era ZDI-CAN-21414."}], "metrics": {"cvssMetricV30": [{"source": "zdi-disclosures@trendmicro.com", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "zdi-disclosures@trendmicro.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-806/", "source": "zdi-disclosures@trendmicro.com"}]}}, {"cve": {"id": "CVE-2024-6144", "sourceIdentifier": "zdi-disclosures@trendmicro.com", "published": "2024-06-19T00:15:50.133", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Actiontec WCB6200Q Multipart Boundary Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Actiontec WCB6200Q routers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the HTTP server. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the HTTP server. Was ZDI-CAN-21416."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo de desbordamiento de b\u00fafer basado en pila de los l\u00edmites multiparte Actiontec WCB6200Q. Esta vulnerabilidad permite a atacantes adyacentes a la red ejecutar c\u00f3digo arbitrario en instalaciones afectadas de enrutadores Actiontec WCB6200Q. No se requiere autenticaci\u00f3n para aprovechar esta vulnerabilidad. La falla espec\u00edfica existe dentro del servidor HTTP. El problema se debe a la falta de una validaci\u00f3n adecuada de la longitud de los datos proporcionados por el usuario antes de copiarlos en un b\u00fafer basado en pila de longitud fija. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del servidor HTTP. Era ZDI-CAN-21416."}], "metrics": {"cvssMetricV30": [{"source": "zdi-disclosures@trendmicro.com", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "zdi-disclosures@trendmicro.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-807/", "source": "zdi-disclosures@trendmicro.com"}]}}, {"cve": {"id": "CVE-2024-6145", "sourceIdentifier": "zdi-disclosures@trendmicro.com", "published": "2024-06-19T00:15:50.413", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Actiontec WCB6200Q Cookie Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Actiontec WCB6200Q routers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the HTTP server. A crafted Cookie header in an HTTP request can trigger the use of a format specifier from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the HTTP server. Was ZDI-CAN-21417."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo de cadena de formato de cookie Actiontec WCB6200Q. Esta vulnerabilidad permite a atacantes adyacentes a la red ejecutar c\u00f3digo arbitrario en instalaciones afectadas de enrutadores Actiontec WCB6200Q. No se requiere autenticaci\u00f3n para aprovechar esta vulnerabilidad. La falla espec\u00edfica existe dentro del servidor HTTP. Un encabezado de cookie manipulado en una solicitud HTTP puede desencadenar el uso de un especificador de formato a partir de una cadena proporcionada por el usuario. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del servidor HTTP. Era ZDI-CAN-21417."}], "metrics": {"cvssMetricV30": [{"source": "zdi-disclosures@trendmicro.com", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "zdi-disclosures@trendmicro.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-134"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-808/", "source": "zdi-disclosures@trendmicro.com"}]}}, {"cve": {"id": "CVE-2024-6146", "sourceIdentifier": "zdi-disclosures@trendmicro.com", "published": "2024-06-19T00:15:50.703", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Actiontec WCB6200Q uh_get_postdata_withupload Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Actiontec WCB6200Q routers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the HTTP server. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the HTTP server. Was ZDI-CAN-21418."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo de desbordamiento de b\u00fafer basado en pila en Actiontec WCB6200Q uh_get_postdata_withupload. Esta vulnerabilidad permite a atacantes adyacentes a la red ejecutar c\u00f3digo arbitrario en instalaciones afectadas de enrutadores Actiontec WCB6200Q. No se requiere autenticaci\u00f3n para aprovechar esta vulnerabilidad. La falla espec\u00edfica existe dentro del servidor HTTP. El problema se debe a la falta de una validaci\u00f3n adecuada de la longitud de los datos proporcionados por el usuario antes de copiarlos en un b\u00fafer basado en pila de longitud fija. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del servidor HTTP. Era ZDI-CAN-21418."}], "metrics": {"cvssMetricV30": [{"source": "zdi-disclosures@trendmicro.com", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "zdi-disclosures@trendmicro.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-809/", "source": "zdi-disclosures@trendmicro.com"}]}}, {"cve": {"id": "CVE-2024-6125", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T02:15:09.873", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Login with phone number plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.7.34. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing a 6-digit numeric reset code."}, {"lang": "es", "value": "El complemento Login with phone number para WordPress es vulnerable a restablecimientos de contrase\u00f1a no autorizados en versiones hasta la 1.7.34 incluida. Esto se debe a que el complemento genera un c\u00f3digo de restablecimiento demasiado d\u00e9bil y el c\u00f3digo utilizado para restablecer la contrase\u00f1a no tiene l\u00edmite de intento ni de tiempo. Esto hace posible que atacantes no autenticados restablezcan la contrase\u00f1a de usuarios arbitrarios adivinando un c\u00f3digo de restablecimiento num\u00e9rico de 6 d\u00edgitos."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3104085/login-with-phone-number#file5", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/301a67a5-226c-413a-9198-66747d1b1fd3?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-2381", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T04:15:10.753", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El complemento AliExpress Dropshipping con AliNext Lite para WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de validaci\u00f3n del tipo de archivo en la funci\u00f3n ajax_save_image en todas las versiones hasta la 3.3.5 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecuci\u00f3n remota de c\u00f3digo."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk//includes/classes/controller/WooCommerceProductEditController.php#L108", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c3248327-6e10-420e-83cf-a23296eb2e6f?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-3984", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T04:15:11.213", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The EmbedSocial \u2013 Social Media Feeds, Reviews and Galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embedsocial_reviews' shortcode in all versions up to, and including, 1.1.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento EmbedSocial \u2013 Social Media Feeds, Reviews and Galleries para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del c\u00f3digo corto 'embedsocial_reviews' del complemento en todas las versiones hasta la 1.1.29 incluida debido a una sanitizaci\u00f3n de entrada insuficiente y a un escape de salida del usuario. atributos proporcionados. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/embedalbum-pro/trunk/embedalbum_pro.php#L194", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6593b0de-db7a-4b7e-bd74-cc2b1e36ac60?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4450", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T04:15:11.497", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions like importing and modifying products."}, {"lang": "es", "value": "El complemento AliExpress Dropshipping con AliNext Lite para WordPress es vulnerable al acceso no autorizado debido a una falta de verificaci\u00f3n de capacidad en varias funciones en el archivo ImportAjaxController.php en todas las versiones hasta la 3.3.5 incluida. Esto hace posible que los atacantes autenticados, con acceso a nivel de suscriptor y superior, realicen varias acciones como importar y modificar productos."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk/includes/classes/controller/ImportAjaxController.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01836c2c-0976-493e-8b13-1c7c702d1d2c?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4541", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T04:15:11.793", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Custom Product List Table plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation when modifying products. This makes it possible for unauthenticated attackers to add, delete, bulk edit, approve or cancel products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Custom Product List Table para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 3.0.0 incluida. Esto se debe a una validaci\u00f3n nonce faltante o incorrecta al modificar productos. Esto hace posible que atacantes no autenticados agreguen, eliminen, editen en masa, aprueben o cancelen productos a trav\u00e9s de una solicitud falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "references": [{"url": "https://wordpress.org/plugins/custom-product-list-table/#description", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c046e0c-32d2-47d1-9890-d05d69217161?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4623", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T04:15:12.107", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Blogmentor \u2013 Blog Layouts for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018pagination_style\u2019 parameter in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Blogmentor \u2013 Blog Layouts for Elementor para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'pagination_style' en todas las versiones hasta la 1.5 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/blogmentor/trunk/includes/elements/blogmentor-blog-posts.php#L977", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0925ceb-581c-4748-abfb-9962e53b7db9?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4663", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T04:15:12.403", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The OSM Map Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018id\u2019 parameter in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento OSM Map Widget para Elementor para WordPress es vulnerable a Cross-Site Scripting Reflejado a trav\u00e9s del par\u00e1metro 'id' en todas las versiones hasta la 1.2.2 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/osm-map-elementor/trunk/osm-map.php#L1478", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/402d0399-bc48-4740-86a4-8bf3424fb035?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4787", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T04:15:12.730", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Cost Calculator Builder PRO for WordPress is vulnerable to arbitrary email sending vulnerability in versions up to, and including, 3.1.75. This is due to insufficient limitations on the email recipient and the content in the 'send_pdf' and the 'send_pdf_front' functions which are reachable via AJAX. This makes it possible for unauthenticated attackers to send emails with any content to any recipient."}, {"lang": "es", "value": "Cost Calculator Builder PRO para WordPress es vulnerable a una vulnerabilidad de env\u00edo de correo electr\u00f3nico arbitrario en versiones hasta la 3.1.75 incluida. Esto se debe a limitaciones insuficientes en el destinatario del correo electr\u00f3nico y el contenido de las funciones 'send_pdf' y 'send_pdf_front' a las que se puede acceder a trav\u00e9s de AJAX. Esto hace posible que atacantes no autenticados env\u00eden correos electr\u00f3nicos con cualquier contenido a cualquier destinatario."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "references": [{"url": "https://docs.stylemixthemes.com/cost-calculator-builder/changelog-1/changelog-pro-version", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/035ada56-541d-47b3-8348-3401d94bb509?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4873", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T04:15:12.990", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Replace Image plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.10 via the image replacement functionality due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace images uploaded by higher level users such as admins."}, {"lang": "es", "value": "El complemento Replace Image para WordPress es vulnerable a Insecure Direct Object Reference en todas las versiones hasta la 1.1.10 incluida a trav\u00e9s de la funcionalidad de reemplazo de imagen debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de autor y superior, reemplacen im\u00e1genes cargadas por usuarios de nivel superior, como administradores."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "references": [{"url": "https://wordpress.org/plugins/replace-image/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a5d3a62-f7e5-4776-bed9-7ff3f81da452?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5021", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T04:15:13.310", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The WordPress Picture / Portfolio / Media Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.1 via the 'file_get_contents' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}, {"lang": "es", "value": "El complemento WordPress Picture / Portfolio / Media Gallery para WordPress es vulnerable a Server-Side Request Forgery en todas las versiones hasta la 3.0.1 incluida a trav\u00e9s de la funci\u00f3n 'file_get_contents'. Esto hace posible que atacantes no autenticados realicen solicitudes web a ubicaciones arbitrarias que se originan en la aplicaci\u00f3n web y pueden usarse para consultar y modificar informaci\u00f3n de servicios internos."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/nimble-portfolio/trunk/includes/prettyphoto/download-image.php#L17", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/224a2d6d-7fdc-43a8-a8c9-26213b604433?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5649", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T04:15:13.583", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Universal Slider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.5 via deserialization of untrusted input 'fsl_get_gallery_value' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."}, {"lang": "es", "value": "El complemento Universal Slider para WordPress es vulnerable a la inyecci\u00f3n de objetos PHP en todas las versiones hasta la 1.6.5 incluida a trav\u00e9s de la deserializaci\u00f3n de la funci\u00f3n 'fsl_get_gallery_value' de entrada no confiable. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten un objeto PHP. No hay ninguna cadena POP conocida presente en el software vulnerable. Si hay una cadena POP presente a trav\u00e9s de un complemento o tema adicional instalado en el sistema de destino, podr\u00eda permitir al atacante eliminar archivos arbitrarios, recuperar datos confidenciales o ejecutar c\u00f3digo."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/fusion-slider/trunk/fusion-slider.php#L692", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f8bd107-5459-4093-8593-deedec6ffcd6?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5724", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T04:15:13.860", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Photo Video Gallery Master plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.3 via deserialization of untrusted input 'PVGM_all_photos_details' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."}, {"lang": "es", "value": "El complemento Photo Video Gallery Master para WordPress es vulnerable a la inyecci\u00f3n de objetos PHP en todas las versiones hasta la 1.5.3 incluida a trav\u00e9s de la deserializaci\u00f3n del par\u00e1metro de entrada no confiable 'PVGM_all_photos_details'. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten un objeto PHP. No hay ninguna cadena POP conocida presente en el software vulnerable. Si hay una cadena POP presente a trav\u00e9s de un complemento o tema adicional instalado en el sistema de destino, podr\u00eda permitir al atacante eliminar archivos arbitrarios, recuperar datos confidenciales o ejecutar c\u00f3digo."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/photo-video-gallery-master/trunk/photo-video-gallery-master.php#L301", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8376556e-ed78-4a0e-a23f-9b2a39db94d9?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5768", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T04:15:14.160", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The MIMO Woocommerce Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mimo_update_provider' function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update shipping provider information, including adding stored cross-site scripting."}, {"lang": "es", "value": "El complemento MIMO Woocommerce Order Tracking para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'mimo_update_provider' en todas las versiones hasta la 1.0.2 incluida. Esto hace posible que los atacantes autenticados, con acceso a nivel de suscriptor y superior, actualicen la informaci\u00f3n del proveedor de env\u00edo, incluida la adici\u00f3n de cross-site scripting almacenado."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/mimo-woocommerce-order-tracking/tags/1.0.2/mimo-woocommerce-order-tracking.php#L304", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e595-947c-4327-bbe1-c347688f1209?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-35298", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-19T05:15:51.907", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper authorization in handler for custom URL scheme issue in 'ZOZOTOWN' App for Android versions prior to 7.39.6 allows an attacker to lead a user to access an arbitrary website via another application installed on the user's device. As a result, the user may become a victim of a phishing attack."}, {"lang": "es", "value": "La autorizaci\u00f3n inadecuada en el controlador para un problema de esquema de URL personalizado en la aplicaci\u00f3n 'ZOZOTOWN' para versiones de Android anteriores a 7.39.6 permite a un atacante llevar a un usuario a acceder a un sitio web arbitrario a trav\u00e9s de otra aplicaci\u00f3n instalada en el dispositivo del usuario. Como resultado, el usuario puede convertirse en v\u00edctima de un ataque de phishing."}], "metrics": {}, "references": [{"url": "https://jvn.jp/en/jp/JVN37818611/", "source": "vultures@jpcert.or.jp"}]}}, {"cve": {"id": "CVE-2024-3229", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T05:15:52.067", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Salon booking system plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the SLN_Action_Ajax_ImportAssistants function along with missing authorization checks in all versions up to, and including, 10.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El complemento Salon booking system para WordPress es vulnerable a cargas arbitrarias de archivos debido a la falta de validaci\u00f3n del tipo de archivo en la funci\u00f3n SLN_Action_Ajax_ImportAssistants junto con la falta de comprobaciones de autorizaci\u00f3n en todas las versiones hasta la 10.2 incluida. Esto hace posible que atacantes no autenticados carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecuci\u00f3n remota de c\u00f3digo."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3103584/salon-booking-system/trunk/src/SLN/Action/Ajax/ImportAssistants.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bbbf5be-5c0a-4514-88ac-003083c0bba3?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2023-6692", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T06:15:10.873", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Ultimate Blocks \u2013 WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tab anchor metabox in all versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Ultimate Blocks \u2013 WordPress Blocks Plugin para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del metabox de anclaje de pesta\u00f1a del complemento en todas las versiones hasta la 3.0.8 incluida debido a una sanitizaci\u00f3n de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3022998%40ultimate-blocks%2Ftrunk&old=3016254%40ultimate-blocks%2Ftrunk&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33e7006f-3fb9-4493-9ce5-67698c877159?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5208", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-19T06:15:11.420", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption vulnerability exists in the `upload-link` endpoint of mintplex-labs/anything-llm. This vulnerability allows attackers to cause a denial of service (DOS) by shutting down the server through sending invalid upload requests. Specifically, the server can be made to shut down by sending an empty body with a 'Content-Length: 0' header or by sending a body with arbitrary content, such as 'asdasdasd', with a 'Content-Length: 9' header. The vulnerability is reproducible by users with at least a 'Manager' role, sending a crafted request to any workspace. This issue indicates that a previous fix was not effective in mitigating the vulnerability."}, {"lang": "es", "value": "Existe una vulnerabilidad de consumo de recursos incontrolado en el endpoint `upload-link` de mintplex-labs/anything-llm. Esta vulnerabilidad permite a los atacantes provocar una denegaci\u00f3n de servicio (DOS) apagando el servidor mediante el env\u00edo de solicitudes de carga no v\u00e1lidas. Espec\u00edficamente, se puede hacer que el servidor se apague enviando un cuerpo vac\u00edo con un encabezado 'Content-Length: 0' o enviando un cuerpo con contenido arbitrario, como 'asdasdasd', con un encabezado 'Content-Length: 9'. . La vulnerabilidad es reproducible por usuarios con al menos un rol de \"Administrador\", enviando una solicitud manipulada a cualquier espacio de trabajo. Este problema indica que una soluci\u00f3n anterior no fue eficaz para mitigar la vulnerabilidad."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://github.com/mintplex-labs/anything-llm/commit/e2439c6d4c3cfdacd96cd1b7b92d1f89c3cc8459", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/6c8bdfa1-ec56-4b02-bde9-cfc27470e6ca", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-5343", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T06:15:11.723", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Photo Gallery, Images, Slider in Rbs Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.19. This is due to missing or incorrect nonce validation on the 'rbs_ajax_create_article' and 'rbs_ajax_reset_views' functions. This makes it possible for unauthenticated attackers to create new posts and reset gallery view counts via a forged request granted they can trick a Contributor+ level user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Photo Gallery, Images, Slider in Rbs Image Gallery para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 3.2.19 incluida. Esto se debe a una validaci\u00f3n nonce faltante o incorrecta en las funciones 'rbs_ajax_create_article' y 'rbs_ajax_reset_views'. Esto hace posible que atacantes no autenticados creen nuevas publicaciones y restablezcan el recuento de vistas de la galer\u00eda a trav\u00e9s de una solicitud falsificada, siempre que puedan enga\u00f1ar a un usuario de nivel Contributor+ para que realice una acci\u00f3n como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/3.2.19/includes/extensions/rbs_create_post_ajax.php#L247", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/3.2.19/includes/extensions/rbs_create_post_ajax.php#L94", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/robo-gallery/tags/3.2.19/includes/rbs_gallery_ajax.php#L19", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3100759/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/045fbe5b-0e63-4820-97a7-017dd72eb73a?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5574", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T06:15:11.993", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The WP Magazine Modules Lite plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.2 via the 'blockLayout' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."}, {"lang": "es", "value": "El complemento WP Magazine Modules Lite para WordPress es vulnerable a la inclusi\u00f3n de archivos locales en todas las versiones hasta la 1.1.2 incluida a trav\u00e9s del par\u00e1metro 'blockLayout'. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, incluyan y ejecuten archivos arbitrarios en el servidor, permitiendo la ejecuci\u00f3n de cualquier c\u00f3digo PHP en esos archivos. Esto se puede utilizar para eludir los controles de acceso, obtener datos confidenciales o lograr la ejecuci\u00f3n de c\u00f3digo en los casos en que se puedan cargar e incluir im\u00e1genes y otros tipos de archivos \"seguros\"."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-magazine-modules-lite/trunk/includes/src/banner/element.php#L1363", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3104046/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0aeaf421-513b-4c9d-bd36-58af28c86bc1?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5853", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T06:15:12.287", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Image Optimizer, Resizer and CDN \u2013 Sirv plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the sirv_upload_file_by_chanks AJAX action in all versions up to, and including, 7.2.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El complemento Image Optimizer, Resizer y CDN \u2013 Sirv para WordPress es vulnerable a cargas de archivos arbitrarias debido a la falta de validaci\u00f3n del tipo de archivo en la acci\u00f3n AJAX sirv_upload_file_by_chanks en todas las versiones hasta la 7.2.6 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecuci\u00f3n remota de c\u00f3digo."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3103410/sirv/trunk/sirv.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e89b40ec-1952-46e3-a91b-bd38e62f8929?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-6132", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T06:15:12.520", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Pexels: Free Stock Photos plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'pexels_fsp_images_options_validate' function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El complemento Pexels: Free Stock Photos para WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de validaci\u00f3n del tipo de archivo en la funci\u00f3n 'pexels_fsp_images_options_validate' en todas las versiones hasta la 1.2.2 incluida. Esto hace posible que atacantes autenticados, con permisos de nivel de colaborador y superiores, carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecuci\u00f3n remota de c\u00f3digo."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-pexels-free-stock-photos/trunk/settings.php#L239", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79dd492e-d4da-4209-83a8-d8059263ae92?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-1407", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T07:15:45.730", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Paid Memberships Pro \u2013 Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.10. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to subscribe to, modify, or cancel membership for a user via a forged request granted they can trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Paid Memberships Pro \u2013 Content Restriction, User Registration, & Paid Subscriptions para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 2.12.10 incluida. Esto se debe a una validaci\u00f3n nonce faltante o incorrecta en m\u00faltiples funciones. Esto hace posible que atacantes no autenticados se suscriban, modifiquen o cancelen la membres\u00eda de un usuario a trav\u00e9s de una solicitud falsificada, siempre que puedan enga\u00f1ar a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "references": [{"url": "https://github.com/strangerstudios/paid-memberships-pro/pull/2839", "source": "security@wordfence.com"}, {"url": "https://github.com/strangerstudios/paid-memberships-pro/pull/2893", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/paid-memberships-pro/tags/2.12.10/includes/functions.php", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3058329%40paid-memberships-pro%2Ftrunk&old=3033153%40paid-memberships-pro%2Ftrunk&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c46bcbd1-566d-4b21-84a1-f25e3df7ddc7?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-36252", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-19T07:15:46.200", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper restriction of communication channel to intended endpoints issue exists in Ricoh Streamline NX PC Client ver.3.6.x and earlier. If this vulnerability is exploited, arbitrary code may be executed on the PC where the product is installed."}, {"lang": "es", "value": "Existe un problema de restricci\u00f3n inadecuada del canal de comunicaci\u00f3n a los endpoints previstos en Ricoh Streamline NX PC Client versi\u00f3n 3.6.x y versiones anteriores. Si se explota esta vulnerabilidad, se puede ejecutar c\u00f3digo arbitrario en la PC donde est\u00e1 instalado el producto."}], "metrics": {}, "references": [{"url": "https://jvn.jp/en/jp/JVN00442488/", "source": "vultures@jpcert.or.jp"}, {"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2024-000004", "source": "vultures@jpcert.or.jp"}]}}, {"cve": {"id": "CVE-2024-36480", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-19T07:15:46.340", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Use of hard-coded credentials issue exists in Ricoh Streamline NX PC Client ver.3.7.2 and earlier. If this vulnerability is exploited, an attacker may obtain LocalSystem Account of the PC where the product is installed. As a result, unintended operations may be performed on the PC."}, {"lang": "es", "value": "Existe un problema de uso de credenciales codificadas en Ricoh Streamline NX PC Client versi\u00f3n 3.7.2 y versiones anteriores. Si se explota esta vulnerabilidad, un atacante puede obtener la cuenta LocalSystem de la PC donde est\u00e1 instalado el producto. Como resultado, es posible que se realicen operaciones no deseadas en la PC."}], "metrics": {}, "references": [{"url": "https://jvn.jp/en/jp/JVN00442488/", "source": "vultures@jpcert.or.jp"}, {"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2024-000005", "source": "vultures@jpcert.or.jp"}]}}, {"cve": {"id": "CVE-2024-36978", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T07:15:46.437", "lastModified": "2024-06-21T14:15:12.407", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: sch_multiq: fix possible OOB write in multiq_tune()\n\nq->bands will be assigned to qopt->bands to execute subsequent code logic\nafter kmalloc. So the old q->bands should not be used in kmalloc.\nOtherwise, an out-of-bounds write will occur."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: sched: sch_multiq: corrige posible escritura OOB en multiq_tune() q->bands se asignar\u00e1n a qopt->bands para ejecutar la l\u00f3gica de c\u00f3digo posterior despu\u00e9s de kmalloc. Por lo tanto, las antiguas q->bands no deber\u00edan usarse en kmalloc. De lo contrario, se producir\u00e1 una escritura fuera de los l\u00edmites."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0f208fad86631e005754606c3ec80c0d44a11882", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/54c2c171c11a798fe887b3ff72922aa9d1411c1e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/affc18fdc694190ca7575b9a86632a73b9fe043d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d6fb5110e8722bc00748f22caeb650fe4672f129", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-37124", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-19T07:15:46.547", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Use of potentially dangerous function issue exists in Ricoh Streamline NX PC Client. If this vulnerability is exploited, an attacker may create an arbitrary file in the PC where the product is installed."}, {"lang": "es", "value": "Existe un problema de uso de funciones potencialmente peligrosas en Ricoh Streamline NX PC Client. Si se aprovecha esta vulnerabilidad, un atacante puede crear un archivo arbitrario en la PC donde est\u00e1 instalado el producto."}], "metrics": {}, "references": [{"url": "https://jvn.jp/en/jp/JVN00442488/", "source": "vultures@jpcert.or.jp"}, {"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2024-000006", "source": "vultures@jpcert.or.jp"}]}}, {"cve": {"id": "CVE-2024-37387", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-19T07:15:46.647", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Use of potentially dangerous function issue exists in Ricoh Streamline NX PC Client. If this vulnerability is exploited, files in the PC where the product is installed may be altered."}, {"lang": "es", "value": "Existe un problema de uso de funciones potencialmente peligrosas en Ricoh Streamline NX PC Client. Si se aprovecha esta vulnerabilidad, es posible que se modifiquen los archivos del PC donde est\u00e1 instalado el producto."}], "metrics": {}, "references": [{"url": "https://jvn.jp/en/jp/JVN00442488/", "source": "vultures@jpcert.or.jp"}, {"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2024-000007", "source": "vultures@jpcert.or.jp"}]}}, {"cve": {"id": "CVE-2024-37881", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-19T07:15:46.743", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "SiteGuard WP Plugin provides a functionality to customize the path to the login page wp-login.php and implements a measure to avoid redirection from other URLs. However, SiteGuard WP Plugin versions prior to 1.7.7 missed to implement a measure to avoid redirection from wp-register.php. As a result, the customized path to the login page may be exposed."}, {"lang": "es", "value": "SiteGuard WP Plugin proporciona una funcionalidad para personalizar la ruta a la p\u00e1gina de inicio de sesi\u00f3n wp-login.php e implementa una medida para evitar la redirecci\u00f3n desde otras URL. Sin embargo, las versiones del complemento SiteGuard WP anteriores a la 1.7.7 no implementaron una medida para evitar la redirecci\u00f3n desde wp-register.php. Como resultado, la ruta personalizada a la p\u00e1gina de inicio de sesi\u00f3n puede quedar expuesta."}], "metrics": {}, "references": [{"url": "https://jvn.jp/en/jp/JVN60331535/", "source": "vultures@jpcert.or.jp"}, {"url": "https://plugins.trac.wordpress.org/changeset/3094238/siteguard/trunk/classes/siteguard-rename-login.php?old=2888160&old_path=siteguard%2Ftrunk%2Fclasses%2Fsiteguard-rename-login.php", "source": "vultures@jpcert.or.jp"}, {"url": "https://www.jp-secure.com/siteguard_wp_plugin_en/vuls/WPV2024001_en.html", "source": "vultures@jpcert.or.jp"}]}}, {"cve": {"id": "CVE-2024-3894", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T07:15:46.847", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Photo Gallery, Images, Slider in Rbs Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an Image Title in all versions up to, and including, 3.2.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Photo Gallery, Images, Slider in Rbs Image Gallery para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de un t\u00edtulo de imagen en todas las versiones hasta la 3.2.19 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso a nivel de autor y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3100759%40robo-gallery%2Ftrunk&old=3066013%40robo-gallery%2Ftrunk&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e75d72d-d999-4755-8c90-7fb7d630ab00?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-0789", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T08:15:48.873", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The WP Maintenance plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 6.1.9.2 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass maintenance mode."}, {"lang": "es", "value": "El complemento WP Maintenance para WordPress es vulnerable a la suplantaci\u00f3n de direcciones IP en todas las versiones hasta la 6.1.9.2 incluida debido a una validaci\u00f3n insuficiente de la direcci\u00f3n IP y al uso de encabezados HTTP proporcionados por el usuario como m\u00e9todo principal para la recuperaci\u00f3n de IP. Esto hace posible que atacantes no autenticados eviten el modo de mantenimiento."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3078682%40wp-maintenance%2Ftrunk&old=3069916%40wp-maintenance%2Ftrunk&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f6bbaa1-c50f-4dad-9e5b-04bdffd4a0ae?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2023-6495", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T09:15:10.433", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The YARPP \u2013 Yet Another Related Posts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 5.30.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}, {"lang": "es", "value": "El complemento YARPP \u2013 Yet Another Related Posts Plugin para WordPress, es vulnerable a cross-site scripting almacenado a trav\u00e9s de la configuraci\u00f3n de administrador en todas las versiones hasta la 5.30.9 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con permisos de nivel de administrador y superiores, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. Esto solo afecta a las instalaciones multisitio y a las instalaciones en las que se ha deshabilitado unfiltered_html."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.3, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3037032%40yet-another-related-posts-plugin%2Ftrunk&old=2999784%40yet-another-related-posts-plugin%2Ftrunk&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d586e455-c73f-4916-a926-4d53699bb434?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-0383", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T09:15:10.807", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [wprm-recipe-instructions] and [wprm-recipe-ingredients] shortcodes in all versions up to, and including, 9.1.0 due to insufficient restrictions on the 'group_tag' attribute . This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento WP Recipe Maker para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de los c\u00f3digos cortos [wprm-recipe-instructions] y [wprm-recipe-ingredients] del complemento en todas las versiones hasta la 9.1.0 incluida debido a restricciones insuficientes. en el atributo 'group_tag'. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-ingredients.php", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-instructions.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/104b3c01-4623-43cb-aed4-16e3be62e1f9?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4632", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-19T09:15:11.740", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The WooCommerce Checkout & Funnel Builder by CartFlows \u2013 Create High Converting Stores For WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018custom_upload_mimes\u2019 function in versions up to, and including, 2.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento WooCommerce Checkout & Funnel Builder by CartFlows \u2013 Create High Converting Stores For WooCommerce para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de la funci\u00f3n 'custom_upload_mimes' en versiones hasta la 2.0.7 incluida debido a una sanitizaci\u00f3n de entrada y salida insuficiente escapando. Esto hace posible que atacantes autenticados, con permisos de nivel de colaborador y superiores, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/cartflows/tags/2.0.7/classes/importer/batch-process/class-cartflows-batch-process.php#L247", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3087760/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9a89613-cfd9-4a96-b8eb-4b17376be433?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2023-50900", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T10:15:09.683", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Averta Master Slider.This issue affects Master Slider: from n/a through 3.9.10."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Averta Master Slider. Este problema afecta a Master Slider: desde n/a hasta 3.9.10."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/master-slider/wordpress-master-slider-plugin-3-9-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-5676", "sourceIdentifier": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a", "published": "2024-06-19T10:15:10.740", "lastModified": "2024-06-24T05:15:09.600", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures and the use of the HTTP method `GET` to introduce changes in the system."}, {"lang": "es", "value": "El m\u00f3dulo de Internet Paradox IP150 en la versi\u00f3n 1.40.00 es vulnerable a ataques de Cross-Site Request Forgery (CSRF) debido a la falta de contramedidas y al uso del m\u00e9todo HTTP `GET` para introducir cambios en el sistema."}], "metrics": {"cvssMetricV31": [{"source": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.6, "impactScore": 5.2}]}, "weaknesses": [{"source": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "http://seclists.org/fulldisclosure/2024/Jun/8", "source": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a"}, {"url": "https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240321-01_Paradox_Cross_Site_Request_Forgery", "source": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a"}, {"url": "https://www.paradox.com/Products/default.asp?CATID=3&SUBCATID=38&PRD=563", "source": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a"}]}}, {"cve": {"id": "CVE-2023-47771", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T11:15:49.640", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ThemePunch OHG Essential Grid.This issue affects Essential Grid: from n/a through 3.0.18."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en ThemePunch OHG Essential Grid. Este problema afecta a Essential Grid: desde n/a hasta 3.0.18."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/essential-grid/wordpress-essential-grid-plugin-3-0-18-multiple-authenticated-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-47783", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T11:15:49.933", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Thrive Themes Thrive Theme Builder.This issue affects Thrive Theme Builder: from n/a before 3.24.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Thrive Themes Thrive Theme Builder. Este problema afecta a Thrive Theme Builder: desde n/a antes de 3.24.0."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/thrive-theme/wordpress-thrive-theme-builder-theme-3-20-1-multiple-authenticated-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-47788", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T11:15:50.177", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Automattic Jetpack.This issue affects Jetpack: from n/a before 12.7."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Automattic Jetpack. Este problema afecta a Jetpack: desde n/a antes de 12.7."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/jetpack/wordpress-jetpack-plugin-12-7-contributor-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-48759", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T11:15:50.407", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Crocoblock JetElements For Elementor.This issue affects JetElements For Elementor: from n/a through 2.6.13."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Crocoblock JetElements para Elementor. Este problema afecta a JetElements para Elementor: desde n/a hasta 2.6.13."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/jet-elements/wordpress-jetelements-for-elementor-plugin-2-6-13-unauthenticated-arbitrary-attachment-download-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-48760", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T11:15:50.647", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Crocoblock JetElements For Elementor.This issue affects JetElements For Elementor: from n/a through 2.6.13."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Crocoblock JetElements para Elementor. Este problema afecta a JetElements para Elementor: desde n/a hasta 2.6.13."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/jet-elements/wordpress-jetelements-for-elementor-plugin-2-6-13-unauthenticated-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-48761", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T11:15:50.877", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Crocoblock JetElements For Elementor.This issue affects JetElements For Elementor: from n/a through 2.6.13."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Crocoblock JetElements para Elementor. Este problema afecta a JetElements para Elementor: desde n/a hasta 2.6.13."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/jet-elements/wordpress-jetelements-for-elementor-plugin-2-6-13-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-35765", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T11:15:51.117", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wpsoul Greenshift \u2013 animation and page builder blocks allows Stored XSS.This issue affects Greenshift \u2013 animation and page builder blocks: from n/a through 8.8.9.1."}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en Wpsoul Greenshift \u2013 animation and page builder blocks permiten XSS Almacenado. Este problema afecta a Greenshift \u2013 animation and page builder blocks: desde n/a hasta 8.8. 9.1."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/greenshift-animation-and-page-builder-blocks/wordpress-greenshift-animation-and-page-builder-blocks-plugin-8-8-9-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-35780", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T11:15:51.370", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Live Composer Team Page Builder: Live Composer.This issue affects Page Builder: Live Composer: from n/a through 1.5.42."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Live Composer Team Page Builder: Live Composer. Este problema afecta a Page Builder: Live Composer: desde n/a hasta 1.5.42."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/live-composer-page-builder/wordpress-page-builder-live-composer-plugin-1-5-42-contributor-php-object-injection-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-40004", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T12:15:09.687", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ServMask All-in-One WP Migration Box Extension, ServMask All-in-One WP Migration OneDrive Extension, ServMask All-in-One WP Migration Dropbox Extension, ServMask All-in-One WP Migration Google Drive Extension.This issue affects All-in-One WP Migration Box Extension: from n/a through 1.53; All-in-One WP Migration OneDrive Extension: from n/a through 1.66; All-in-One WP Migration Dropbox Extension: from n/a through 3.75; All-in-One WP Migration Google Drive Extension: from n/a through 2.79."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en ServMask All-in-One WP Migration Box Extension, ServMask All-in-One WP Migration OneDrive Extension, ServMask All-in-One WP Migration Dropbox Extension, ServMask All-in-One WP Migration Google Drive Extension. El problema afecta a la extensi\u00f3n All-in-One WP Migration Box: desde n/a hasta 1.53; Extension OneDrive de migraci\u00f3n de WP todo en uno: desde n/a hasta 1.66; Extension de Dropbox de migraci\u00f3n de WP todo en uno: desde n/a hasta 3.75; Extension de Google Drive de migraci\u00f3n de WP todo en uno: desde n/a hasta 2.79."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/articles/pre-auth-access-token-manipulation-in-all-in-one-wp-migration-extensions?_s_id=cve", "source": "audit@patchstack.com"}, {"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-migration-box-extension/wordpress-all-in-one-wp-migration-box-extension-plugin-1-53-unauthenticated-access-token-manipulation-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}, {"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-migration-dropbox-extension/wordpress-all-in-one-wp-migration-dropbox-extension-plugin-3-75-unauthenticated-access-token-manipulation-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}, {"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-migration-gdrive-extension/wordpress-all-in-one-wp-migration-google-drive-extension-plugin-2-79-unauthenticated-access-token-manipulation-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}, {"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-migration-onedrive-extension/wordpress-all-in-one-wp-migration-onedrive-extension-plugin-1-66-unauthenticated-access-token-manipulation-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-40608", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T12:15:09.960", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Paid Memberships Pro Paid Memberships Pro CCBill Gateway.This issue affects Paid Memberships Pro CCBill Gateway: from n/a through 0.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Paid Memberships Pro Paid Memberships Pro CCBill Gateway. Este problema afecta a Paid Memberships Pro CCBill Gateway: desde n/a hasta 0.3."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/pmpro-ccbill/wordpress-paid-memberships-pro-ccbill-gateway-plugin-0-3-unauthenticated-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-44148", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T12:15:10.200", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Brainstorm Force Astra Bulk Edit.This issue affects Astra Bulk Edit: from n/a through 1.2.7."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Brainstorm Force Astra Bulk Edit. Este problema afecta a Astra Bulk Edit: desde n/a hasta 1.2.7."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/astra-bulk-edit/wordpress-astra-bulk-edit-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-44151", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T12:15:10.437", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Brainstorm Force Pre-Publish Checklist.This issue affects Pre-Publish Checklist: from n/a through 1.1.1."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n en Brainstorm Force Pre-Publish Checklist. Este problema afecta a Pre-Publish Checklist: desde n/a hasta 1.1.1."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/pre-publish-checklist/wordpress-pre-publish-checklist-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-45658", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T12:15:10.677", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in POSIMYTH Nexter.This issue affects Nexter: from n/a through 2.0.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en POSIMYTH Nexter. Este problema afecta a Nexter: desde n/a hasta 2.0.3."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/nexter/wordpress-nexter-theme-2-0-3-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-46146", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T12:15:10.930", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through 7.3.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Themify Themify Ultra. Este problema afecta a Themify Ultra: desde n/a hasta 7.3.5."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/themify-ultra/wordpress-themify-ultra-theme-7-3-3-multiple-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-46148", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T12:15:11.160", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through 7.3.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Themify Themify Ultra. Este problema afecta a Themify Ultra: desde n/a hasta 7.3.5."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/themify-ultra/wordpress-themify-ultra-theme-7-3-3-authenticated-arbitrary-settings-change-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-47681", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T12:15:11.393", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in QuadLayers WooCommerce Checkout Manager.This issue affects WooCommerce Checkout Manager: from n/a through 7.3.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en QuadLayers WooCommerce Checkout Manager. Este problema afecta a WooCommerce Checkout Manager: desde n/a hasta 7.3.0."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/woocommerce-checkout-manager/wordpress-woocommerce-checkout-manager-plugin-7-3-0-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-47770", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T12:15:11.630", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Muffin Group Betheme.This issue affects Betheme: from n/a through 27.1.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Muffin Group Betheme. Este problema afecta a Betheme: desde n/a hasta 27.1.1."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/betheme/wordpress-betheme-theme-27-1-1-contributor-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-35049", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T13:15:52.287", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.4.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en WooCommerce WooCommerce Stripe Payment Gateway. Este problema afecta a WooCommerce Stripe Payment Gateway: desde n/a hasta 7.4.0."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/woocommerce-gateway-stripe/wordpress-woocommerce-stripe-payment-gateway-plugin-7-4-0-unauthenticated-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-35050", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T13:15:52.600", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Elementor Elementor Pro.This issue affects Elementor Pro: from n/a through 3.13.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Elementor Elementor Pro. Este problema afecta a Elementor Pro: desde n/a hasta 3.13.0."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/elementor-pro/wordpress-elementor-pro-plugin-3-13-0-subscriber-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-36512", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T13:15:52.893", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Woo AutomateWoo.This issue affects AutomateWoo: from n/a through 5.7.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Woo AutomateWoo. Este problema afecta a AutomateWoo: desde n/a hasta 5.7.5."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/automatewoo/wordpress-automatewoo-plugin-5-7-5-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-37870", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T13:15:53.163", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Woo WooCommerce Warranty Requests.This issue affects WooCommerce Warranty Requests: from n/a through 2.1.9."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Woo WooCommerce Warranty Requests. Este problema afecta a WooCommerce Warranty Requests: desde n/a hasta 2.1.9."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/woocommerce-warranty/wordpress-woocommerce-warranty-requests-plugin-2-1-9-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-38386", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T13:15:53.440", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Saturday Drive Ninja Forms.This issue affects Ninja Forms: from n/a through 3.6.25."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Saturday Drive Ninja Forms. Este problema afecta a Ninja Forms: desde n/a hasta 3.6.25."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-contributor-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-39922", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T13:15:53.700", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ThemeFusion Avada.This issue affects Avada: from n/a through 7.11.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en ThemeFusion Avada. Este problema afecta a Avada: desde n/a hasta 7.11.1."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/avada/wordpress-avada-theme-7-11-1-authenticated-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-39990", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T13:15:54.157", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Paid Memberships Pro.This issue affects Paid Memberships Pro: from n/a through 1.2.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Paid Memberships Pro. Este problema afecta a Paid Memberships Pro: desde n/a hasta 1.2.3."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/pmpro-courses/wordpress-paid-memberships-pro-courses-for-membership-add-on-plugin-1-2-3-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-39993", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T13:15:54.400", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Wpmet Elements kit Elementor addons.This issue affects Elements kit Elementor addons: from n/a through 2.9.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Wpmet Elements kit Elementor addons. Este problema afecta a Elements kit Elementor addons: desde n/a hasta 2.9.0."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/elementskit-lite/wordpress-elementskit-lite-plugin-2-9-0-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-39998", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T13:15:54.633", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 27.1.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Muffingroup Betheme. Este problema afecta a Betheme: desde n/a hasta 27.1.1."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 5.3}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/betheme/wordpress-betheme-theme-27-1-1-author-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-41805", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T13:15:55.360", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Brainstorm Force Premium Starter Templates, Brainstorm Force Starter Templates astra-sites.This issue affects Premium Starter Templates: from n/a through 3.2.5; Starter Templates: from n/a through 3.2.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Brainstorm Force Premium Starter Templates, Brainstorm Force Starter Templates astra-sites. Este problema afecta a Premium Starter Templates: desde n/a hasta 3.2.5; Starter Templates: desde n/a hasta 3.2.5."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/astra-pro-sites/wordpress-premium-starter-templates-plugin-3-2-5-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}, {"url": "https://patchstack.com/database/vulnerability/astra-sites/wordpress-starter-templates-plugin-3-2-5-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-36676", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T14:15:11.867", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Brainstorm Force Spectra.This issue affects Spectra: from n/a through 2.6.6."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Brainstorm Force Spectra. Este problema afecta a Spectra: desde n/a hasta 2.6.6."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-plugin-2-6-6-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-36683", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T14:15:12.137", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP SCHEMA PRO Schema Pro.This issue affects Schema Pro: from n/a through 2.7.8."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en WP SCHEMA PRO Schema Pro. Este problema afecta a Schema Pro: desde n/a hasta 2.7.8."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wp-schema-pro/wordpress-schema-pro-plugin-2-7-8-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-36684", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T14:15:12.380", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Brainstorm Force Convert Pro.This issue affects Convert Pro: from n/a through 1.7.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Brainstorm Force Convert Pro. Este problema afecta a Convert Pro: desde n/a hasta 1.7.5."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/convertpro/wordpress-convert-pro-plugin-1-7-5-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-37869", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T14:15:12.617", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Premium Addons Premium Addons PRO.This issue affects Premium Addons PRO: from n/a through 2.9.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Premium Addons Premium Addons PRO. Este problema afecta a Premium Addons PRO: desde n/a hasta 2.9.0."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/premium-addons-pro/wordpress-premium-addons-pro-plugin-2-9-0-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-37872", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T14:15:12.853", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Woo WooCommerce Ship to Multiple Addresses.This issue affects WooCommerce Ship to Multiple Addresses: from n/a through 3.8.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Woo WooCommerce Ship to Multiple Addresses. Este problema afecta a WooCommerce Ship to Multiple Addresses: desde n/a hasta 3.8.5."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/woocommerce-shipping-multiple-addresses/wordpress-woocommerce-ship-to-multiple-addresses-plugin-3-8-5-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-39310", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T14:15:13.100", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ThemeFusion Fusion Builder.This issue affects Fusion Builder: from n/a through 3.11.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en ThemeFusion Fusion Builder. Este problema afecta a Fusion Builder: desde n/a hasta 3.11.1."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/fusion-builder/wordpress-avada-builder-plugin-3-11-1-authenticated-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-23443", "sourceIdentifier": "bressers@elastic.co", "published": "2024-06-19T14:15:13.360", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously crafted osquery pack."}, {"lang": "es", "value": "Un usuario con altos privilegios, al que se le permite crear paquetes de osquery personalizados 17, podr\u00eda afectar la disponibilidad de Kibana al cargar un paquete de osquery creado con fines malintencionados."}], "metrics": {"cvssMetricV31": [{"source": "bressers@elastic.co", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "bressers@elastic.co", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://discuss.elastic.co/t/kibana-8-14-0-7-17-22-security-update-esa-2024-11/361460", "source": "bressers@elastic.co"}]}}, {"cve": {"id": "CVE-2024-36979", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:13.620", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mst: fix vlan use-after-free\n\nsyzbot reported a suspicious rcu usage[1] in bridge's mst code. While\nfixing it I noticed that nothing prevents a vlan to be freed while\nwalking the list from the same path (br forward delay timer). Fix the rcu\nusage and also make sure we are not accessing freed memory by making\nbr_mst_vlan_set_state use rcu read lock.\n\n[1]\n WARNING: suspicious RCU usage\n 6.9.0-rc6-syzkaller #0 Not tainted\n -----------------------------\n net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!\n ...\n stack backtrace:\n CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n Call Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n nbp_vlan_group net/bridge/br_private.h:1599 [inline]\n br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105\n br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47\n br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88\n call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793\n expire_timers kernel/time/timer.c:1844 [inline]\n __run_timers kernel/time/timer.c:2418 [inline]\n __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429\n run_timer_base kernel/time/timer.c:2438 [inline]\n run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448\n __do_softirq+0x2c6/0x980 kernel/softirq.c:554\n invoke_softirq kernel/softirq.c:428 [inline]\n __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:645\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n \n \n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\n RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758\n Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25\n RSP: 0018:ffffc90013657100 EFLAGS: 00000206\n RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001\n RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60\n RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0\n R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28\n R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: bridge: mst: fix vlan use-after-free syzbot inform\u00f3 un uso sospechoso de rcu[1] en el c\u00f3digo mst del puente. Mientras lo solucionaba, not\u00e9 que nada impide que se libere una VLAN mientras se recorre la lista desde el mismo camino (br temporizador de retardo de avance). Corrija el uso de rcu y tambi\u00e9n aseg\u00farese de que no accedamos a la memoria liberada haciendo que br_mst_vlan_set_state use el bloqueo de lectura de rcu. [1] ADVERTENCIA: uso sospechoso de RCU 6.9.0-rc6-syzkaller #0 No contaminado ----------------------- net/ bridge/br_private.h:1599 \u00a1uso sospechoso de rcu_dereference_protected()! ... seguimiento de pila: CPU: 1 PID: 8017 Comm: syz-executor.1 No contaminado 6.9.0-rc6-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 27/03/2024 Llamada Seguimiento: __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712 nbp_vlan_group net/bridge/br_private.h :1599 [en l\u00ednea] br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105 br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47 br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88 n+0x18e /0x650 kernel/time/timer.c:1793 expire_timers kernel/time/timer.c:1844 [en l\u00ednea] __run_timers kernel/time/timer.c:2418 [en l\u00ednea] __run_timer_base+0x66a/0x8e0 kernel/time/timer.c: 2429 run_timer_base kernel/time/timer.c:2438 [en l\u00ednea] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448 __do_softirq+0x2c6/0x980 kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [en l\u00ednea ] __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [en l\u00ednea] 0xc0 arco/x86 /kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep. c:5758 C\u00f3digo: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25 RSP: 0018:ffffc90013657100 EFLAGS: 00000206 RAX: 0000000000000001 RBX: ffff920026cae2c RCX: 0000000000000001 RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60 RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0 R10: dffffc0000000000 R11: ffffbfff25dfca1 R12: 1ffff920026cae28 R13: dffffc0000000000 R14: ffffc90013657160 5: 0000000000000246"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3a7c1661ae1383364cd6092d851f5e5da64d476b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4488617e5e995a09abe4d81add5fb165674edb59", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8ca9a750fc711911ef616ceb627d07357b04545e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a2b01e65d9ba8af2bb086d3b7288ca53a07249ac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e43dd2b1ec746e105b7db5f9ad6ef14685a615a4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38329", "sourceIdentifier": "psirt@us.ibm.com", "published": "2024-06-19T14:15:13.723", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "IBM Storage Protect for Virtual Environments: Data Protection for VMware 8.1.0.0 through 8.1.22.0 could allow a remote authenticated attacker to bypass security restrictions, caused by improper validation of user permission. By sending a specially crafted request, an attacker could exploit this vulnerability to change its settings, trigger backups, restore backups, and also delete all previous backups via log rotation. IBM X-Force ID: 294994."}, {"lang": "es", "value": "IBM Storage Protect for Virtual Environments: Data Protection for VMware 8.1.0.0 a 8.1.22.0 podr\u00eda permitir a un atacante autenticado remoto eludir las restricciones de seguridad causadas por una validaci\u00f3n inadecuada del permiso del usuario. Al enviar una solicitud especialmente manipulada, un atacante podr\u00eda aprovechar esta vulnerabilidad para cambiar su configuraci\u00f3n, activar copias de seguridad, restaurar copias de seguridad y tambi\u00e9n eliminar todas las copias de seguridad anteriores mediante la rotaci\u00f3n de registros. ID de IBM X-Force: 294994."}], "metrics": {"cvssMetricV31": [{"source": "psirt@us.ibm.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "psirt@us.ibm.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/294994", "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/7157929", "source": "psirt@us.ibm.com"}]}}, {"cve": {"id": "CVE-2024-38538", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:14.107", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: xmit: make sure we have at least eth header len bytes\n\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\nwe can actually pull that amount instead of assuming.\n\nTested with dropwatch:\n drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\n origin: software\n timestamp: Mon May 13 11:31:53 2024 778214037 nsec\n protocol: 0x88a8\n length: 2\n original length: 2\n drop reason: PKT_TOO_SMALL\n\n[1]\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n __bpf_tx_skb net/core/filter.c:2136 [inline]\n __bpf_redirect_common net/core/filter.c:2180 [inline]\n __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\n ____bpf_clone_redirect net/core/filter.c:2460 [inline]\n bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\n ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\n bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\n __bpf_prog_run include/linux/filter.h:657 [inline]\n bpf_prog_run include/linux/filter.h:664 [inline]\n bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\n bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\n bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\n __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\n __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\n x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: bridge: xmit: aseg\u00farese de tener al menos el encabezado eth len bytes syzbot desencaden\u00f3 un error de valor uninit[1] en la ruta xmit del dispositivo puente al enviar un mensaje corto (menos de ETH_HLEN bytes) skb. Para solucionarlo, compruebe si realmente podemos retirar esa cantidad en lugar de suponerla. Probado con dropwatch: soltar en: br_dev_xmit+0xb93/0x12d0 [puente] (0xffffffffc06739b3) origen: marca de tiempo del software: lunes 13 de mayo 11:31:53 2024 778214037 protocolo nsec: 0x88a8 longitud: 2 longitud original: 2 motivo de ca\u00edda: PKT_TOO_SMALL [1 ] ERROR: KMSAN: valor uninit en br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65 __netdev_start_xmit include/linux/netdevice.h:4903 [en l\u00ednea] netdev_start_xmit include/linux/netdevice.h:4917 [en l\u00ednea] xmit_one net/core/dev.c:3531 [en l\u00ednea] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x34db/0x5350 net/core/dev .c:4341 dev_queue_xmit include/linux/netdevice.h:3091 [en l\u00ednea] __bpf_tx_skb net/core/filter.c:2136 [en l\u00ednea] __bpf_redirect_common net/core/filter.c:2180 [en l\u00ednea] __bpf_redirect+0x14a6/0x1620 net/ Core/Filter.C: 2187 ____BPF_CLONE_REDIRECT NET/CORE/FILTRO.C: 2460 [Inline] BPF_CLONE_REDIRECT+0x328/0x470 NET/Core/Filter.c: 2432 ___ BPF_PROG_RUN+0X13FE/0XE0F0 KERNEL/BPF/BPF/CORE. 0xb5/0xe0 kernel/bpf/core.c:2238 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [en l\u00ednea] __bpf_prog_run include/linux/filter.h:657 [en l\u00ednea] bpf_prog_run include/linux/filter.h:664 [en l\u00ednea ] bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269 pf+0x6aa/0xd90 n\u00facleo/ bpf/syscall.c:5678 __do_sys_bpf kernel/bpf/syscall.c:5767 [en l\u00ednea] __se_sys_bpf kernel/bpf/syscall.c:5765 [en l\u00ednea] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765 ys_call+0x96b /0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 Entry_SYSCALL_64_after_hwframe+ 0x77/0x7f"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1abb371147905ba250b4cc0230c4be7e90bea4d5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/28126b83f86ab9cc7936029c2dff845d3dcedba2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5b5d669f569807c7ab07546e73c0741845a2547a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f482fd4ce919836a49012b2d31b00fc36e2488f2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38539", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:14.193", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw\n\nWhen running blktests nvme/rdma, the following kmemleak issue will appear.\n\nkmemleak: Kernel memory leak detector initialized (mempool available:36041)\nkmemleak: Automatic memory scanning thread started\nkmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nkmemleak: 8 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nkmemleak: 17 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nkmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n\nunreferenced object 0xffff88855da53400 (size 192):\n comm \"rdma\", pid 10630, jiffies 4296575922\n hex dump (first 32 bytes):\n 37 00 00 00 00 00 00 00 c0 ff ff ff 1f 00 00 00 7...............\n 10 34 a5 5d 85 88 ff ff 10 34 a5 5d 85 88 ff ff .4.].....4.]....\n backtrace (crc 47f66721):\n [] kmalloc_trace+0x30d/0x3b0\n [] alloc_gid_entry+0x47/0x380 [ib_core]\n [] add_modify_gid+0x166/0x930 [ib_core]\n [] ib_cache_update.part.0+0x6d8/0x910 [ib_core]\n [] ib_cache_setup_one+0x24a/0x350 [ib_core]\n [] ib_register_device+0x9e/0x3a0 [ib_core]\n [] 0xffffffffc2a3d389\n [] nldev_newlink+0x2b8/0x520 [ib_core]\n [] rdma_nl_rcv_msg+0x2c3/0x520 [ib_core]\n []\nrdma_nl_rcv_skb.constprop.0.isra.0+0x23c/0x3a0 [ib_core]\n [] netlink_unicast+0x445/0x710\n [] netlink_sendmsg+0x761/0xc40\n [] __sys_sendto+0x3a9/0x420\n [] __x64_sys_sendto+0xdc/0x1b0\n [] do_syscall_64+0x93/0x180\n [] entry_SYSCALL_64_after_hwframe+0x71/0x79\n\nThe root cause: rdma_put_gid_attr is not called when sgid_attr is set\nto ERR_PTR(-ENODEV)."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/cma: corrija kmemleak en rdma_core observado durante el uso de blktests nvme/rdma siw Al ejecutar blktests nvme/rdma, aparecer\u00e1 el siguiente problema de kmemleak. kmemleak: detector de p\u00e9rdida de memoria del kernel inicializado (mempool disponible: 36041) kmemleak: hilo de escaneo autom\u00e1tico de memoria iniciado kmemleak: 2 nuevas p\u00e9rdidas de memoria sospechosas (ver /sys/kernel/debug/kmemleak) kmemleak: 8 nuevas p\u00e9rdidas de memoria sospechosas (ver /sys/ kernel/debug/kmemleak) kmemleak: 17 nuevas p\u00e9rdidas de memoria sospechosas (ver /sys/kernel/debug/kmemleak) kmemleak: 4 nuevas p\u00e9rdidas de memoria sospechosas (ver /sys/kernel/debug/kmemleak) objeto sin referencia 0xffff88855da53400 (tama\u00f1o 192): comm \"rdma\", pid 10630, sjiffies 4296575922 volcado hexadecimal (primeros 32 bytes): 37 00 00 00 00 00 00 00 c0 ff ff ff 1f 00 00 00 7................. 10 34 a5 5d 85 88 ff ff 10 34 a5 5d 85 88 ff ff .4.].....4.].... backtrace (crc 47f66721): [] kmalloc_trace+0x30d/0x3b0 [< ffffffffc2640ff7>] alloc_gid_entry+0x47/0x380 [ib_core] [] add_modify_gid+0x166/0x930 [ib_core] [] ib_cache_update.part.0+0x6d8/0x910 [ib_core] [] ib_cache_setup_one+0x24a/ 0x350 [ib_core] [] ib_register_device+0x9e/0x3a0 [ib_core] [] 0xffffffffc2a3d389 [] nldev_newlink+0x2b8/0x520 [ib_core] ffffffffc2645fe3>] rdma_nl_rcv_msg+0x2c3/0x520 [ib_core] [ ] rdma_nl_rcv_skb.constprop.0.isra.0+0x23c/0x3a0 [ib_core] [] netlink_unicast+0x445/0x710 [] 0 [] __sys_sendto+0x3a9/0x420 [] __x64_sys_sendto+0xdc/0x1b0 [] do_syscall_64+0x93/0x180 [] Entry_SYSCALL_64_after_hwframe+0x71/0x79 La causa ra\u00edz: _gid_attr no se llama cuando sgid_attr est\u00e1 configurado en ERR_PTR(-ENODEV)."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3eb127dc408bf7959a4920d04d16ce10e863686a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6564fc1818404254d1c9f7d75b403b4941516d26", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9c0731832d3b7420cbadba6a7f334363bc8dfb15", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b3a7fb93afd888793ef226e9665fbda98a95c48e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38540", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:14.290", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\n\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\n\nFix it in the one caller that had this combination.\n\nThe undefined behavior was detected by UBSAN:\n UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n shift exponent 64 is too large for 64-bit type 'long unsigned int'\n CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n Call Trace:\n \n dump_stack_lvl+0x5d/0x80\n ubsan_epilogue+0x5/0x30\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __kmalloc+0x1b6/0x4f0\n ? create_qp.part.0+0x128/0x1c0 [ib_core]\n ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n create_qp.part.0+0x128/0x1c0 [ib_core]\n ib_create_qp_kernel+0x50/0xd0 [ib_core]\n create_mad_qp+0x8e/0xe0 [ib_core]\n ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n ib_mad_init_device+0x2be/0x680 [ib_core]\n add_client_context+0x10d/0x1a0 [ib_core]\n enable_device_and_get+0xe0/0x1d0 [ib_core]\n ib_register_device+0x53c/0x630 [ib_core]\n ? srso_alias_return_thunk+0x5/0xfbef5\n bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n auxiliary_bus_probe+0x49/0x80\n ? driver_sysfs_add+0x57/0xc0\n really_probe+0xde/0x340\n ? pm_runtime_barrier+0x54/0x90\n ? __pfx___driver_attach+0x10/0x10\n __driver_probe_device+0x78/0x110\n driver_probe_device+0x1f/0xa0\n __driver_attach+0xba/0x1c0\n bus_for_each_dev+0x8f/0xe0\n bus_add_driver+0x146/0x220\n driver_register+0x72/0xd0\n __auxiliary_driver_register+0x6e/0xd0\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n do_one_initcall+0x5b/0x310\n do_init_module+0x90/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x121/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x82/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode_prepare+0x149/0x170\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode+0x75/0x230\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_syscall_64+0x8e/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __count_memcg_events+0x69/0x100\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? count_memcg_events.constprop.0+0x1a/0x30\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? handle_mm_fault+0x1f0/0x300\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_user_addr_fault+0x34e/0x640\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f4e5132821d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n \n ---[ end trace ]---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bnxt_re: evita el comportamiento de cambio indefinido en bnxt_qplib_alloc_init_hwq El comportamiento indefinido se activa cuando se llama a bnxt_qplib_alloc_init_hwq con hwq_attr->aux_ Depth != 0 y hwq_attr->aux_stride == 0. En ese caso, \" Se llama a roundup_pow_of_two(hwq_attr->aux_stride)\". roundup_pow_of_two est\u00e1 documentado como indefinido para 0. Corr\u00edjalo en la \u00fanica persona que llam\u00f3 que ten\u00eda esta combinaci\u00f3n. UBSAN detect\u00f3 el comportamiento indefinido: UBSAN: desplazamiento fuera de los l\u00edmites en ./include/linux/log2.h:57:13 el exponente de desplazamiento 64 es demasiado grande para CPU 'long unsigned int' de tipo de 64 bits: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4 Nombre del hardware: Abacus electric, sro - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 25/10/2023 Seguimiento de llamadas: < TAREA> dump_stack_lvl+0x5d/0x80 ubsan_epilogue+0x5/0x30 __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec __roundup_pow_of_two+0x25/0x35 [bnxt_re] bnxt_qplib_alloc_init_hwq+0xa1/0x470 bnxt_re] bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re] bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re ] ? srso_alias_return_thunk+0x5/0xfbef5? srso_alias_return_thunk+0x5/0xfbef5? __kmalloc+0x1b6/0x4f0 ? create_qp.part.0+0x128/0x1c0 [ib_core]? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re] create_qp.part.0+0x128/0x1c0 [ib_core] ib_create_qp_kernel+0x50/0xd0 [ib_core] create_mad_qp+0x8e/0xe0 [ib_core] ? __pfx_qp_event_handler+0x10/0x10 [ib_core] ib_mad_init_device+0x2be/0x680 [ib_core] add_client_context+0x10d/0x1a0 [ib_core] enable_device_and_get+0xe0/0x1d0 [ib_register_device+0x53c/0x63 0 [ib_core] ? srso_alias_return_thunk+0x5/0xfbef5 bnxt_re_probe+0xbd8/0xe50 [bnxt_re] ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re] sonda_bus_auxiliar+0x49/0x80 ? driver_sysfs_add+0x57/0xc0 realmente_probe+0xde/0x340? pm_runtime_barrier+0x54/0x90? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8f/0xe0 bus_add_driver+0x146/0x220 driver_register+0x72/ 0xd0 __auxiliary_driver_register+0x6e/0xd0 ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] bnxt_re_mod_init+0x3e/0xff0 [bnxt_re] ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] do_one_initcall+0x5b/0x310 do_init_module+0x90/0x250 init_module_from_file+0x86/0xc0 idempotent_init_module+0x121/0x2b0 __x64_sys_finit _module+0x5e/0xb0 do_syscall_64+0x82/0x160 ? srso_alias_return_thunk+0x5/0xfbef5? syscall_exit_to_user_mode_prepare+0x149/0x170? srso_alias_return_thunk+0x5/0xfbef5? syscall_exit_to_user_mode+0x75/0x230? srso_alias_return_thunk+0x5/0xfbef5? do_syscall_64+0x8e/0x160? srso_alias_return_thunk+0x5/0xfbef5? __count_memcg_events+0x69/0x100? srso_alias_return_thunk+0x5/0xfbef5? count_memcg_events.constprop.0+0x1a/0x30? srso_alias_return_thunk+0x5/0xfbef5? handle_mm_fault+0x1f0/0x300? srso_alias_return_thunk+0x5/0xfbef5? do_user_addr_fault+0x34e/0x640? srso_alias_return_thunk+0x5/0xfbef5? srso_alias_return_thunk+0x5/0xfbef5 Entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f4e5132821d C\u00f3digo: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 9 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 IG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 00007ffca9c906f0 R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0563ec8a8fa60 ---[ finalizar rastreo ] ---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38541", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:14.383", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: add buffer overflow check in of_modalias()\n\nIn of_modalias(), if the buffer happens to be too small even for the 1st\nsnprintf() call, the len parameter will become negative and str parameter\n(if not NULL initially) will point beyond the buffer's end. Add the buffer\noverflow check after the 1st snprintf() call and fix such check after the\nstrlen() call (accounting for the terminating NUL char)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: of: m\u00f3dulo: agregar control de desbordamiento del b\u00fafer of_modalias() En of_modalias(), si el b\u00fafer es demasiado peque\u00f1o incluso para la primera llamada a snprintf(), el par\u00e1metro len se vuelve negativo y el par\u00e1metro str (si no es NULL inicialmente) apuntar\u00e1 m\u00e1s all\u00e1 del final del b\u00fafer. Agregue la verificaci\u00f3n de desbordamiento del b\u00fafer despu\u00e9s de la primera llamada a snprintf() y corrija dicha verificaci\u00f3n despu\u00e9s de la llamada strlen() (teniendo en cuenta el car\u00e1cter NUL de terminaci\u00f3n)."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0b0d5701a8bf02f8fee037e81aacf6746558bfd6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cf7385cb26ac4f0ee6c7385960525ad534323252", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e45b69360a63165377b30db4a1dfddd89ca18e9a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ee332023adfd5882808f2dabf037b32d6ce36f9e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38542", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:14.487", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mana_ib: boundary check before installing cq callbacks\n\nAdd a boundary check inside mana_ib_install_cq_cb to prevent index overflow."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/mana_ib: verificaci\u00f3n de los l\u00edmites antes de instalar devoluciones de llamadas de cq Agregue una verificaci\u00f3n de los l\u00edmites dentro de mana_ib_install_cq_cb para evitar el desbordamiento del \u00edndice."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/168f6fbde0eabd71d1f4133df7d001a950b96977", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f12afddfb142587d786df9e3cc4862190d3e2ec8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f79edef79b6a2161f4124112f9b0c46891bb0b74", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38543", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:14.587", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/test_hmm.c: handle src_pfns and dst_pfns allocation failure\n\nThe kcalloc() in dmirror_device_evict_chunk() will return null if the\nphysical memory has run out. As a result, if src_pfns or dst_pfns is\ndereferenced, the null pointer dereference bug will happen.\n\nMoreover, the device is going away. If the kcalloc() fails, the pages\nmapping a chunk could not be evicted. So add a __GFP_NOFAIL flag in\nkcalloc().\n\nFinally, as there is no need to have physically contiguous memory, Switch\nkcalloc() to kvcalloc() in order to avoid failing allocations."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: lib/test_hmm.c: maneja el error de asignaci\u00f3n de src_pfns y dst_pfns El kcalloc() en dmirror_device_evict_chunk() devolver\u00e1 nulo si la memoria f\u00edsica se ha agotado. Como resultado, si se desreferencia src_pfns o dst_pfns, se producir\u00e1 el error de desreferencia del puntero nulo. Adem\u00e1s, el dispositivo va a desaparecer. Si kcalloc() falla, las p\u00e1ginas que asignan un fragmento no podr\u00e1n ser desalojadas. Entonces agregue una bandera __GFP_NOFAIL en kcalloc(). Finalmente, como no es necesario tener memoria f\u00edsicamente contigua, cambie kcalloc() a kvcalloc() para evitar asignaciones fallidas."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1a21fdeea502658e315bd939409b755974f4fb64", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3b20d18f475bd17309db640dbe7d7c7ebb5bc2bc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/65e528a69cb3ed4a286c45b4afba57461c8b5b33", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c2af060d1c18beaec56351cf9c9bcbbc5af341a3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ce47e8ead9a72834cc68431d53f8092ce69bebb7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38544", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:14.687", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix seg fault in rxe_comp_queue_pkt\n\nIn rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the\nresp_pkts queue and then a decision is made whether to run the completer\ntask inline or schedule it. Finally the skb is dereferenced to bump a 'hw'\nperformance counter. This is wrong because if the completer task is\nalready running in a separate thread it may have already processed the skb\nand freed it which can cause a seg fault. This has been observed\ninfrequently in testing at high scale.\n\nThis patch fixes this by changing the order of enqueuing the packet until\nafter the counter is accessed."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/rxe: corrige la falla de segmentaci\u00f3n en rxe_comp_queue_pkt En rxe_comp_queue_pkt(), un paquete de respuesta entrante skb se pone en cola en la cola resp_pkts y luego se toma una decisi\u00f3n si se ejecuta la tarea de finalizaci\u00f3n en l\u00ednea o programarla. Finalmente, se elimina la referencia al skb para aumentar un contador de rendimiento 'hw'. Esto es incorrecto porque si la tarea de finalizaci\u00f3n ya se est\u00e1 ejecutando en un hilo separado, es posible que ya haya procesado el skb y lo haya liberado, lo que puede causar una falla de segmentaci\u00f3n. Esto se ha observado con poca frecuencia en pruebas a gran escala. Este parche soluciona este problema cambiando el orden de poner en cola el paquete hasta que se accede al contador."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38545", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:14.787", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix UAF for cq async event\n\nThe refcount of CQ is not protected by locks. When CQ asynchronous\nevents and CQ destruction are concurrent, CQ may have been released,\nwhich will cause UAF.\n\nUse the xa_lock() to protect the CQ refcount."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/hns: corrige UAF para el evento cq async El recuento de CQ no est\u00e1 protegido por bloqueos. Cuando los eventos asincr\u00f3nicos de CQ y la destrucci\u00f3n de CQ son simult\u00e1neos, es posible que se haya liberado CQ, lo que provocar\u00e1 UAF. Utilice xa_lock() para proteger el recuento de CQ."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/37a7559dc1358a8d300437e99ed8ecdab0671507", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/39d26cf46306bdc7ae809ecfdbfeff5aa1098911", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/63da190eeb5c9d849b71f457b15b308c94cbaf08", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/763780ef0336a973e933e40e919339381732dcaf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a942ec2745ca864cd8512142100e4027dc306a42", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38546", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:14.877", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: vc4: Fix possible null pointer dereference\n\nIn vc4_hdmi_audio_init() of_get_address() may return\nNULL which is later dereferenced. Fix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm: vc4: corrige posible desreferencia del puntero nulo En vc4_hdmi_audio_init() of_get_address() puede devolver NULL, que luego se desreferencia. Corrija este error agregando una verificaci\u00f3n NULL. Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con SVACE."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2a345fe928c21de6f3c3c7230ff509d715153a31", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2d9adecc88ab678785b581ab021f039372c324cb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/42c22b63056cea259d5313bf138a834840af85a5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6cf1874aec42058a5ad621a23b5b2f248def0e96", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/80431ea3634efb47a3004305d76486db9dd8ed49", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bd7827d46d403f8cdb43d16744cb1114e4726b21", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c534b63bede6cb987c2946ed4d0b0013a52c5ba7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38547", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:14.973", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries\n\nThe allocation failure of mycs->yuv_scaler_binary in load_video_binaries()\nis followed with a dereference of mycs->yuv_scaler_binary after the\nfollowing call chain:\n\nsh_css_pipe_load_binaries()\n |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)\n |\n |-> sh_css_pipe_unload_binaries()\n |-> unload_video_binaries()\n\nIn unload_video_binaries(), it calls to ia_css_binary_unload with argument\n&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the\nsame memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer\ndereference is triggered."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: media: atomisp: ssh_css: corrige una desreferencia de puntero nulo en load_video_binaries La falla de asignaci\u00f3n de mycs->yuv_scaler_binary en load_video_binaries() va seguida de una desreferencia de mycs->yuv_scaler_binary despu\u00e9s de siguiente cadena de llamadas: sh_css_pipe_load_binaries() |-> load_video_binaries(mycs->yuv_scaler_binary == NULL) | |-> sh_css_pipe_unload_binaries() |-> unload_video_binaries() En unload_video_binaries(), llama a ia_css_binary_unload con el argumento &pipe->pipe_settings.video.yuv_scaler_binary[i], que se refiere a la misma ranura de memoria que mycs->yuv_scaler_binary. Por lo tanto, se activa una desreferencia de puntero nulo."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3b621e9e9e148c0928ab109ac3d4b81487469acb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4b68b861b514a5c09220d622ac3784c0ebac6c80", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6482c433863b257b0b9b687c28ce80b89d5f89f0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/69b27ff82f87379afeaaea4b2f339032fdd8486e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/82c2c85aead3ea3cbceef4be077cf459c5df2272", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a1ab99dcc8604afe7e3bccb01b10da03bdd7ea35", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cc20c87b04db86c8e3e810bcdca686b406206069", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38548", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:15.063", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: cdns-mhdp8546: Fix possible null pointer dereference\n\nIn cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is\nassigned to mhdp_state->current_mode, and there is a dereference of it in\ndrm_mode_set_name(), which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate().\n\nFix this bug add a check of mhdp_state->current_mode."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm: bridge: cdns-mhdp8546: corrige posible desreferencia del puntero nulo En cdns_mhdp_atomic_enable(), el valor de retorno de drm_mode_duplicate() se asigna a mhdp_state->current_mode, y hay una desreferencia de \u00e9l en drm_mode_set_name(), lo que conducir\u00e1 a una desreferencia del puntero NULL en caso de falla de drm_mode_duplicate(). Solucione este error y agregue una verificaci\u00f3n de mhdp_state->current_mode."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/32fb2ef124c3301656ac6c789a2ef35ef69a66da", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/47889711da20be9b43e1e136e5cb68df37cbcc79", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/85d1a27402f81f2e04b0e67d20f749c2a14edbb3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/89788cd9824c28ffcdea40232c458233353d1896", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/935a92a1c400285545198ca2800a4c6c519c650a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ca53b7efd4ba6ae92fd2b3085cb099c745e96965", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dcf53e6103b26e7458be71491d0641f49fbd5840", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38549", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:15.163", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Add 0 size check to mtk_drm_gem_obj\n\nAdd a check to mtk_drm_gem_init if we attempt to allocate a GEM object\nof 0 bytes. Currently, no such check exists and the kernel will panic if\na userspace application attempts to allocate a 0x0 GBM buffer.\n\nTested by attempting to allocate a 0x0 GBM buffer on an MT8188 and\nverifying that we now return EINVAL."}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: drm/mediatek: Agregar verificaci\u00f3n de tama\u00f1o 0 a mtk_drm_gem_obj Agregar una verificaci\u00f3n a mtk_drm_gem_init si intentamos asignar un objeto GEM de 0 bytes. Actualmente, no existe tal verificaci\u00f3n y el kernel entrar\u00e1 en p\u00e1nico si una aplicaci\u00f3n de espacio de usuario intenta asignar un b\u00fafer GBM 0x0. Probado intentando asignar un b\u00fafer GBM 0x0 en un MT8188 y verificando que ahora devolvemos EINVAL."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0e3b6f9123726858cac299e1654e3d20424cabe4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/13562c2d48c9ee330de1077d00146742be368f05", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1e4350095e8ab2577ee05f8c3b044e661b5af9a0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/79078880795478d551a05acc41f957700030d364", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9489951e3ae505534c4013db4e76b1b5a3151ac7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/af26ea99019caee1500bf7e60c861136c0bf8594", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/be34a1b351ea7faeb15dde8c44fe89de3980ae67", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d17b75ee9c2e44d3a3682c4ea5ab713ea6073350", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fb4aabdb1b48c25d9e1ee28f89440fd2ce556405", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38550", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:15.270", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: kirkwood: Fix potential NULL dereference\n\nIn kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if\nCONFIG_PLAT_ORION macro is not defined.\nFix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ASoC: kirkwood: corrige una posible desreferencia NULL En kirkwood_dma_hw_params() mv_mbus_dram_info() devuelve NULL si la macro CONFIG_PLAT_ORION no est\u00e1 definida. Corrija este error agregando una verificaci\u00f3n NULL. Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con SVACE."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1a7254525ca7a6f3e37d7882d7f7ad97f6235f7c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5bf5154739cd676b6d0958079070557c8d96afb6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/802b49e39da669b54bd9b77dc3c649999a446bf6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d48d0c5fd733bd6d8d3ddb2ed553777ab4724169", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/de9987cec6fde1dd41dfcb971433e05945852489", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ea60ab95723f5738e7737b56dda95e6feefa5b50", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38551", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:15.357", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: Assign dummy when codec not specified for a DAI link\n\nMediaTek sound card drivers are checking whether a DAI link is present\nand used on a board to assign the correct parameters and this is done\nby checking the codec DAI names at probe time.\n\nIf no real codec is present, assign the dummy codec to the DAI link\nto avoid NULL pointer during string comparison."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: mediatek: Asignar dummy cuando el c\u00f3dec no est\u00e1 especificado para un enlace DAI Los controladores de la tarjeta de sonido MediaTek est\u00e1n comprobando si hay un enlace DAI presente y utilizado en una placa para asignar los par\u00e1metros correctos y esto se realiza comprobando los nombres DAI del c\u00f3dec en el momento de la sonda. Si no hay ning\u00fan c\u00f3dec real, asigne el c\u00f3dec ficticio al enlace DAI para evitar el puntero NULL durante la comparaci\u00f3n de cadenas."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0c052b1c11d8119f3048b1f7b3c39a90500cacf9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5f39231888c63f0a7708abc86b51b847476379d8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/87b8dca6e06f9b1681bc52bf7bfa85c663a11158", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cbbcabc7f0979f6542372cf88d7a9da7143a4226", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38552", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:15.450", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential index out of bounds in color transformation function\n\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: drm/amd/display: corrige un posible \u00edndice fuera de los l\u00edmites en la funci\u00f3n de transformaci\u00f3n de color. Corrige el problema de \u00edndice fuera de los l\u00edmites en la funci\u00f3n de transformaci\u00f3n de color. El problema podr\u00eda ocurrir cuando el \u00edndice 'i' excede la cantidad de puntos de funci\u00f3n de transferencia (TRANSFER_FUNC_POINTS). La soluci\u00f3n agrega una verificaci\u00f3n para garantizar que 'i' est\u00e9 dentro de los l\u00edmites antes de acceder a los puntos de funci\u00f3n de transferencia. Si 'i' est\u00e1 fuera de los l\u00edmites, se registra un mensaje de error y la funci\u00f3n devuelve falso para indicar un error. Reportado por smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: desbordamiento del b\u00fafer 'output_tf->tf_pts.red' 1025 <= controladores s32max/gpu /drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: desbordamiento del b\u00fafer 'output_tf->tf_pts.green' 1025 <= controladores s32max/gpu/drm/amd/amdgpu/ ../display/dc/dcn10/dcn10_cm_common.c:407 error de cm_helper_translate_curve_to_hw_format(): desbordamiento del b\u00fafer 'output_tf->tf_pts.blue' 1025 <= s32max"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/04bc4d1090c343025d69149ca669a27c5b9c34a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/123edbae64f4d21984359b99c6e79fcde31c6123", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4e8c8b37ee84b3b19c448d2b8e4c916d2f5b9c86", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/604c506ca43fce52bb882cff9c1fdf2ec3b4029c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/63ae548f1054a0b71678d0349c7dc9628ddd42ca", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7226ddf3311c5e5a7726ad7d4e7b079bb3cfbb29", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/98b8a6bfd30d07a19cfacdf82b50f84bf3360869", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ced9c4e2289a786b8fa684d8893b7045ea53ef7e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e280ab978c81443103d7c61bdd1d8d708cf6ed6d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38553", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:15.550", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\n\nThere is a deadlock issue found in sungem driver, please refer to the\ncommit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid\ndeadlocks\"). The root cause of the issue is that netpoll is in atomic\ncontext and disable_irq() is called by .ndo_poll_controller interface\nof sungem driver, however, disable_irq() might sleep. After analyzing\nthe implementation of fec_poll_controller(), the fec driver should have\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\nso fec_poll_controller() can be safely removed."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: fec: elimine .ndo_poll_controller para evitar interbloqueos. Se encontr\u00f3 un problema de interbloqueo en el controlador sungem; consulte el commit ac0a230f719b (\"eth: sungem: elimine .ndo_poll_controller para evitar interbloqueos \"). La causa principal del problema es que netpoll est\u00e1 en un contexto at\u00f3mico y la interfaz .ndo_poll_controller del controlador sungem llama a enable_irq(); sin embargo, enable_irq() puede estar inactivo. Despu\u00e9s de analizar la implementaci\u00f3n de fec_poll_controller(), el controlador fec deber\u00eda tener el mismo problema. Debido a que el controlador fec utiliza NAPI para las completaciones de TX, no es necesario implementar .ndo_poll_controller en el controlador fec, por lo que fec_poll_controller() se puede eliminar de forma segura."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/87bcbc9b7e0b43a69d44efa5f32f11e32d08fa6f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/accdd6b912c4219b8e056d1f1ad2e85bc66ee243", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c2e0c58b25a0a0c37ec643255558c5af4450c9f5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d38625f71950e79e254515c5fc585552dad4b33e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38554", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:15.627", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issue of net_device\n\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\n\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ax25: Solucionar el problema de fuga del recuento de referencias de net_device Hay un problema de fuga del recuento de referencias del objeto \"net_device\" en ax25_dev_device_down(). Cuando el dispositivo ax25 se est\u00e1 apagando, ax25_dev_device_down() elimina el recuento de referencia de net_device una o cero veces dependiendo de si vamos a unlock_put o no, lo que provocar\u00e1 una p\u00e9rdida de memoria. Para resolver el problema anterior, reduzca el recuento de referencias de net_device despu\u00e9s de que dev->ax25_ptr se establezca en nulo."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/36e56b1b002bb26440403053f19f9e1a8bc075b2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3ec437f9bbae68e9b38115c4c91de995f73f6bad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8bad3a20a27be8d935f2aae08d3c6e743754944a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/965d940fb7414b310a22666503d2af69459c981b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eef95df9b752699bddecefa851f64858247246e9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38555", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:15.720", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Discard command completions in internal error\n\nFix use after free when FW completion arrives while device is in\ninternal error state. Avoid calling completion handler in this case,\nsince the device will flush the command interface and trigger all\ncompletions manually.\n\nKernel log:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\n...\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\n...\nCall Trace:\n\n? __warn+0x79/0x120\n? refcount_warn_saturate+0xd8/0xe0\n? report_bug+0x17c/0x190\n? handle_bug+0x3c/0x60\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0xd8/0xe0\ncmd_ent_put+0x13b/0x160 [mlx5_core]\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nirq_int_handler+0x19/0x30 [mlx5_core]\n__handle_irq_event_percpu+0x4b/0x160\nhandle_irq_event+0x2e/0x80\nhandle_edge_irq+0x98/0x230\n__common_interrupt+0x3b/0xa0\ncommon_interrupt+0x7b/0xa0\n\n\nasm_common_interrupt+0x22/0x40"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5: descartar la finalizaci\u00f3n de comandos en caso de error interno. Se corrige el use-after-free cuando llega la finalizaci\u00f3n del FW mientras el dispositivo est\u00e1 en estado de error interno. Evite llamar al controlador de finalizaci\u00f3n en este caso, ya que el dispositivo limpiar\u00e1 la interfaz de comando y activar\u00e1 todas las finalizaciones manualmente. Registro del kernel: ------------[ cortar aqu\u00ed ]------------ refcount_t: underflow; use-after-free. ... RIP: 0010:refcount_warn_saturate+0xd8/0xe0 ... Seguimiento de llamadas: ? __advertir+0x79/0x120 ? refcount_warn_saturate+0xd8/0xe0? report_bug+0x17c/0x190? handle_bug+0x3c/0x60? exc_invalid_op+0x14/0x70? asm_exc_invalid_op+0x16/0x20? refcount_warn_saturate+0xd8/0xe0 cmd_ent_put+0x13b/0x160 [mlx5_core] mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core] cmd_comp_notifier+0x1f/0x30 [mlx5_core] notifier_call_chain+0x35/0xb0 cadena+0x16/0x20 mlx5_eq_async_int+0xf6/0x290 [mlx5_core] notifier_call_chain+0x35 /0xb0 atomic_notifier_call_chain+0x16/0x20 irq_int_handler+0x19/0x30 [mlx5_core] __handle_irq_event_percpu+0x4b/0x160 handle_irq_event+0x2e/0x80 handle_edge_irq+0x98/0x230 __common_interrupt+0x3b/0 xa0 interrupci\u00f3n_com\u00fan+0x7b/0xa0 asm_interrupci\u00f3n_com\u00fan+0x22 /0x40"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1d5dce5e92a70274de67a59e1e674c3267f94cd7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3cb92b0ad73d3f1734e812054e698d655e9581b0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7ac4c69c34240c6de820492c0a28a0bd1494265a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bf8aaf0ae01c27ae3c06aa8610caf91e50393396", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/db9b31aa9bc56ff0d15b78f7e827d61c4a096e40", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f6fbb8535e990f844371086ab2c1221f71f993d3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38556", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:15.810", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Add a timeout to acquire the command queue semaphore\n\nPrevent forced completion handling on an entry that has not yet been\nassigned an index, causing an out of bounds access on idx = -22.\nInstead of waiting indefinitely for the sem, blocking flow now waits for\nindex to be allocated or a sem acquisition timeout before beginning the\ntimer for FW completion.\n\nKernel log example:\nmlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5: agrega un tiempo de espera para adquirir el sem\u00e1foro de la cola de comandos. Evita el manejo de finalizaci\u00f3n forzada en una entrada a la que a\u00fan no se le ha asignado un \u00edndice, lo que provoca un acceso fuera de los l\u00edmites en idx = -22. En lugar de esperar indefinidamente el sem, el flujo de bloqueo ahora espera a que se asigne el \u00edndice o a que se agote el tiempo de espera de adquisici\u00f3n del sem antes de iniciar el temporizador para completar el FW. Ejemplo de registro del kernel: mlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No se complet\u00f3"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2d0962d05c93de391ce85f6e764df895f47c8918", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/485d65e1357123a697c591a5aeb773994b247ad7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4baae687a20ef2b82fde12de3c04461e6f2521d6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/94024332a129c6e4275569d85c0c1bfb2ae2d71b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f9caccdd42e999b74303c9b0643300073ed5d319", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38557", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:15.900", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Reload only IB representors upon lag disable/enable\n\nOn lag disable, the bond IB device along with all of its\nrepresentors are destroyed, and then the slaves' representors get reloaded.\n\nIn case the slave IB representor load fails, the eswitch error flow\nunloads all representors, including ethernet representors, where the\nnetdevs get detached and removed from lag bond. Such flow is inaccurate\nas the lag driver is not responsible for loading/unloading ethernet\nrepresentors. Furthermore, the flow described above begins by holding\nlag lock to prevent bond changes during disable flow. However, when\nreaching the ethernet representors detachment from lag, the lag lock is\nrequired again, triggering the following deadlock:\n\nCall trace:\n__switch_to+0xf4/0x148\n__schedule+0x2c8/0x7d0\nschedule+0x50/0xe0\nschedule_preempt_disabled+0x18/0x28\n__mutex_lock.isra.13+0x2b8/0x570\n__mutex_lock_slowpath+0x1c/0x28\nmutex_lock+0x4c/0x68\nmlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]\nmlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]\nmlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]\nmlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]\nmlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]\nmlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]\nmlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]\nmlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]\nmlx5_disable_lag+0x130/0x138 [mlx5_core]\nmlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock\nmlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]\ndevlink_nl_cmd_eswitch_set_doit+0xdc/0x180\ngenl_family_rcv_msg_doit.isra.17+0xe8/0x138\ngenl_rcv_msg+0xe4/0x220\nnetlink_rcv_skb+0x44/0x108\ngenl_rcv+0x40/0x58\nnetlink_unicast+0x198/0x268\nnetlink_sendmsg+0x1d4/0x418\nsock_sendmsg+0x54/0x60\n__sys_sendto+0xf4/0x120\n__arm64_sys_sendto+0x30/0x40\nel0_svc_common+0x8c/0x120\ndo_el0_svc+0x30/0xa0\nel0_svc+0x20/0x30\nel0_sync_handler+0x90/0xb8\nel0_sync+0x160/0x180\n\nThus, upon lag enable/disable, load and unload only the IB representors\nof the slaves preventing the deadlock mentioned above.\n\nWhile at it, refactor the mlx5_esw_offloads_rep_load() function to have\na static helper method for its internal logic, in symmetry with the\nrepresentor unload design."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5: recarga solo los representantes IB al desactivar/activar el retraso. Al desactivar el retraso, el dispositivo IB de enlace junto con todos sus representantes se destruyen y luego se recargan los representantes de los esclavos. . En caso de que falle la carga del representante IB esclavo, el flujo de error de conmutaci\u00f3n descarga todos los representantes, incluidos los representantes de Ethernet, donde los netdevs se desconectan y se eliminan del v\u00ednculo de retraso. Dicho flujo es inexacto ya que el controlador de retraso no es responsable de cargar/descargar representantes de Ethernet. Adem\u00e1s, el flujo descrito anteriormente comienza manteniendo el bloqueo de retardo para evitar cambios de uni\u00f3n durante la desactivaci\u00f3n del flujo. Sin embargo, cuando se alcanza la separaci\u00f3n del retraso de los representantes de Ethernet, se requiere nuevamente el bloqueo del retraso, lo que desencadena el siguiente punto muerto: Seguimiento de llamadas: __switch_to+0xf4/0x148 __schedule+0x2c8/0x7d0 Schedule+0x50/0xe0 Schedule_preempt_disabled+0x18/0x28 __mutex_lock.isra. 13+0x2b8/0x570 __mutex_lock_slowpath+0x1c/0x28 mutex_lock+0x4c/0x68 mlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core] mlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core] 6c/0xb0 [mlx5_core] mlx5e_netdev_change_profile+0x44/0x138 [mlx5_core] mlx5e_netdev_attach_nic_profile+0x28 /0x38 [mlx5_core] mlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core] mlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core] mlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core] 138 [mlx5_core] mlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // mantenga presionado ldev- >bloquear mlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core] devlink_nl_cmd_eswitch_set_doit+0xdc/0x180 genl_family_rcv_msg_doit.isra.17+0xe8/0x138 genl_rcv_msg+0xe4/0x220 b+0x44/0x108 genl_rcv+0x40/0x58 netlink_unicast+0x198/0x268 netlink_sendmsg+0x1d4/0x418 sock_sendmsg +0x54/0x60 __sys_sendto+0xf4/0x120 __arm64_sys_sendto+0x30/0x40 el0_svc_common+0x8c/0x120 do_el0_svc+0x30/0xa0 el0_svc+0x20/0x30 el0_sync_handler+0x90/0xb8 el0_sync+0x160/0x180 Por lo tanto, tras el retraso habilitar/deshabilitar, cargar y descargar s\u00f3lo los representantes IB de los esclavos evitan el punto muerto mencionado anteriormente. Mientras lo hace, refactorice la funci\u00f3n mlx5_esw_offloads_rep_load() para tener un m\u00e9todo auxiliar est\u00e1tico para su l\u00f3gica interna, en simetr\u00eda con el dise\u00f1o de descarga del representante."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0f06228d4a2dcc1fca5b3ddb0eefa09c05b102c4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0f320f28f54b1b269a755be2e3fb3695e0b80b07", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e93fc8d959e56092e2eca1e5511c2d2f0ad6807a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f03c714a0fdd1f93101a929d0e727c28a66383fc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38558", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:15.983", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc. Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine. Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: openvswitch: corrige la sobrescritura de la tupla original de ct para ICMPv6 OVS_PACKET_CMD_EXECUTE tiene 3 atributos principales: - OVS_PACKET_ATTR_KEY - Metadatos de paquetes en formato netlink. - OVS_PACKET_ATTR_PACKET: contenido del paquete binario. - OVS_PACKET_ATTR_ACTIONS: acciones a ejecutar en el paquete. OVS_PACKET_ATTR_KEY se analiza primero para completar la estructura sw_flow_key con metadatos como el estado de conexi\u00f3n, el puerto de entrada, la identificaci\u00f3n de recirculaci\u00f3n, etc. Luego, el paquete en s\u00ed se analiza para completar el resto de las claves de los encabezados del paquete. Siempre que el c\u00f3digo de an\u00e1lisis de paquetes comienza a analizar el encabezado ICMPv6, primero pone a cero los campos en la clave correspondiente a la informaci\u00f3n de descubrimiento de vecinos, incluso si no es un paquete ND. Es un campo 'ipv6.nd'. Sin embargo, 'ipv6' es una uni\u00f3n que comparte el espacio entre 'nd' y 'ct_orig' que contiene los metadatos de conntrack de tupla originales analizados a partir de OVS_PACKET_ATTR_KEY. Los paquetes ND normalmente no deber\u00edan tener estado de seguimiento, por lo que est\u00e1 bien compartir el espacio, pero los paquetes ICMPv6 Echo normales o tal vez otros tipos de ICMPv6 pueden tener el estado adjunto y no deben sobrescribirse. El problema provoca que todos, excepto los \u00faltimos 4 bytes de la direcci\u00f3n de destino, se borren de la tupla conntrack original, lo que provoca una coincidencia incorrecta de paquetes y, potencialmente, la ejecuci\u00f3n de acciones incorrectas en caso de que este paquete recircule dentro de la ruta de datos o regrese al espacio de usuario. No se debe acceder a los campos ND en paquetes que no sean ND, por lo que no borrarlos deber\u00eda estar bien. Ejecutar memset() solo para paquetes ND reales para evitar el problema. Es necesario inicializar todo antes del an\u00e1lisis porque es posible que el paquete ND no contenga todas las opciones. El problema solo afecta la ruta OVS_PACKET_CMD_EXECUTE y no afecta a los paquetes que ingresan a la ruta de datos OVS desde las interfaces de red, porque en este caso los metadatos CT se completan desde skb despu\u00e9s de que el paquete ya se haya analizado."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38559", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:16.077", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a count-sized kernel buffer and copy count from\nuserspace to that buffer. Later, we use kstrtouint on this buffer but we\ndon't ensure that the string is terminated inside the buffer, this can\nlead to OOB read when using kstrtouint. Fix this issue by using\nmemdup_user_nul instead of memdup_user."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: scsi: qedf: aseg\u00farese de que el buf copiado tenga terminaci\u00f3n NUL. Actualmente, asignamos un b\u00fafer del kernel del tama\u00f1o de un conteo y copiamos el conteo desde el espacio de usuario a ese b\u00fafer. M\u00e1s adelante, usamos kstrtouint en este b\u00fafer pero no nos aseguramos de que la cadena termine dentro del b\u00fafer, esto puede provocar una lectura OOB cuando usamos kstrtouint. Solucione este problema utilizando memdup_user_nul en lugar de memdup_user."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/177f43c6892e6055de6541fe9391a8a3d1f95fc9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1f84a2744ad813be23fc4be99fb74bfb24aadb95", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4907f5ad246fa9b51093ed7dfc7da9ebbd3f20b8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/563e609275927c0b75fbfd0d90441543aa7b5e0d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/769b9fd2af02c069451fe9108dba73355d9a021c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a75001678e1d38aa607d5b898ec7ff8ed0700d59", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d0184a375ee797eb657d74861ba0935b6e405c62", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d93318f19d1e1a6d5f04f5d965eaa9055bb7c613", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dccd97b39ab2f2b1b9a47a1394647a4d65815255", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38560", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:16.187", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bfa: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul instead\nof memdup_user."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: scsi: bfa: aseg\u00farese de que el buf copiado tenga terminaci\u00f3n NUL. Actualmente, asignamos un b\u00fafer del kernel de tama\u00f1o nbytes y copiamos nbytes del espacio de usuario a ese b\u00fafer. M\u00e1s adelante, usamos sscanf en este b\u00fafer pero no nos aseguramos de que la cadena termine dentro del b\u00fafer, esto puede provocar una lectura OOB cuando usamos sscanf. Solucione este problema utilizando memdup_user_nul en lugar de memdup_user."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/00b425ff0891283207d7bad607a2412225274d7a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/13d0cecb4626fae67c00c84d3c7851f6b62f7df3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1708e3cf2488788cba5489e4f913d227de757baf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/204714e68015d6946279719fd464ecaf57240f35", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/481fc0c8617304a67649027c4a44723a139a0462", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/595a6b98deec01b6dbb20139f71edcd5fb760ec2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7510fab46b1cbd1680e2a096e779aec3334b4143", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7d3e694c4fe30f3aba9cd5ae86fb947a54c3db5c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ecb76200f5557a2886888aaa53702da1ab9e6cdf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38561", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:16.313", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit: Fix kthread reference\n\nThere is a race condition when a kthread finishes after the deadline and\nbefore the call to kthread_stop(), which may lead to use after free."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: kunit: Fix kthread reference Hay una condici\u00f3n de ejecuci\u00f3n cuando un kthread finaliza despu\u00e9s de la fecha l\u00edmite y antes de la llamada a kthread_stop(), lo que puede llevar a su use-after-free."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1ec7ccb4cd4b6f72c2998b07880fa7aaf8dfe1d4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1f2ebd3758e1cef6a1f998a1f7ea73310dcb1699", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8f5c841a559ccb700c8d27a3ca645b7a5f59b4f5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b0b755cb5a5e0d7168c3ab1b3814b0d3cad9f017", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f8aa1b98ce40184521ed95ec26cc115a255183b2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38562", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:16.393", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: Avoid address calculations via out of bounds array indexing\n\nBefore request->channels[] can be used, request->n_channels must be set.\nAdditionally, address calculations for memory after the \"channels\" array\nneed to be calculated from the allocation base (\"request\") rather than\nvia the first \"out of bounds\" index of \"channels\", otherwise run-time\nbounds checking will throw a warning."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: nl80211: evitar c\u00e1lculos de direcciones mediante indexaci\u00f3n de matrices fuera de los l\u00edmites Antes de poder utilizar request->channels[], se debe configurar request->n_channels. Adem\u00e1s, los c\u00e1lculos de direcciones para la memoria despu\u00e9s de la matriz de \"canales\" deben calcularse a partir de la base de asignaci\u00f3n (\"solicitud\") en lugar de mediante el primer \u00edndice \"fuera de los l\u00edmites\" de \"canales\"; de lo contrario, la verificaci\u00f3n de los l\u00edmites en tiempo de ejecuci\u00f3n arrojar\u00e1 un advertencia."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/4e2a5566462b53db7d4c4722da86eedf0b8f546c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/838c7b8f1f278404d9d684c34a8cb26dc41aaaa1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8fa4d56564ee7cc2ee348258d88efe191d70dd7f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ed74398642fcb19f6ff385c35a7d512c6663e17b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38563", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:16.480", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: fix potential memory leakage when reading chip temperature\n\nWithout this commit, reading chip temperature will cause memory leakage."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: wifi: mt76: mt7996: corrige una posible p\u00e9rdida de memoria al leer la temperatura del chip Sin esta confirmaci\u00f3n, la lectura de la temperatura del chip provocar\u00e1 una p\u00e9rdida de memoria."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/474b9412f33be87076b40a49756662594598a85e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/84e81f9b4818b8efe89beb12a246d5d510631939", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ef46dbb93fc9279fb7de883aac22abffe214e6b5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38564", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:16.560", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\n\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\nto properly verify prog_type <> attach_type association.\n\nAdd missing attach_type enforcement for the link_create case.\nOtherwise, it's currently possible to attach cgroup_skb prog\ntypes to other cgroup hooks."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf: agregue la aplicaci\u00f3n del tipo de archivo adjunto BPF_PROG_TYPE_CGROUP_SKB en BPF_LINK_CREATE bpf_prog_attach usa adjunto_type_to_prog_type para aplicar el tipo de archivo adjunto adecuado para BPF_PROG_TYPE_CGROUP_SKB. link_create usa bpf_prog_get y se basa en bpf_prog_attach_check_attach_type para verificar correctamente la asociaci\u00f3n prog_type <> adjunto_tipo. Agregue la aplicaci\u00f3n de adjunto_tipo faltante para el caso link_create. De lo contrario, actualmente es posible adjuntar tipos de programa cgroup_skb a otros enlaces de cgroup."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/543576ec15b17c0c93301ac8297333c7b6e84ac7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6675c541f540a29487a802d3135280b69b9f568d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/67929e973f5a347f05fef064fea4ae79e7cdb5fd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b34bbc76651065a5eafad8ddff1eb8d1f8473172", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38565", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:16.667", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ar5523: enable proper endpoint verification\n\nSyzkaller reports [1] hitting a warning about an endpoint in use\nnot having an expected type to it.\n\nFix the issue by checking for the existence of all proper\nendpoints with their according types intact.\n\nSadly, this patch has not been tested on real hardware.\n\n[1] Syzkaller report:\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n \n ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275\n ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline]\n ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline]\n ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655\n usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:560 [inline]\n really_probe+0x249/0xb90 drivers/base/dd.c:639\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\n usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238\n usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293\n call_driver_probe drivers/base/dd.c:560 [inline]\n really_probe+0x249/0xb90 drivers/base/dd.c:639\n __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808\n __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936\n bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427\n __device_attach+0x1e4/0x530 drivers/base/dd.c:1008\n bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487\n device_add+0xbd9/0x1e90 drivers/base/core.c:3517\n usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573\n hub_port_connect drivers/usb/core/hub.c:5353 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]\n port_event drivers/usb/core/hub.c:5653 [inline]\n hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n "}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: wifi: ar5523: habilite la verificaci\u00f3n adecuada del endpoint Syzkaller informa [1] que aparece una advertencia sobre un endpoint en uso que no tiene el tipo esperado. Solucione el problema verificando la existencia de todos los endpoints adecuados con sus tipos correspondientes intactos. Lamentablemente, este parche no se ha probado en hardware real. [1] Informe Syzkaller: ------------[ cortar aqu\u00ed ]------------ usb 1-1: BOGUS urb xfer, tuber\u00eda 3 != tipo 1 ADVERTENCIA : CPU: 0 PID: 3643 en drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Seguimiento de llamadas: ar5523_cmd+0x41b/0x780 drivers /net/wireless/ath/ar5523/ar5523.c:275 ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [en l\u00ednea] ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [ en l\u00ednea] ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655 usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:560 [en l\u00ednea ] very_probe+0x249/0xb90 drivers/base/dd.c:639 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 __device_attach_driver+0x1d4/0x2e0 drivers/ base/dd.c:936 bus_for_each_drv+0x163/0x1e0 controladores/base/bus.c:427 __device_attach+0x1e4/0x530 controladores/base/dd.c:1008 bus_probe_device+0x1e8/0x2a0 controladores/base/bus.c:487 device_add +0xbd9/0x1e90 controladores/base/core.c:3517 usb_set_configuration+0x101d/0x1900 controladores/usb/core/message.c:2170 usb_generic_driver_probe+0xbe/0x100 controladores/usb/core/generic.c:238 usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:560 [en l\u00ednea] very_probe+0x249/0xb90 drivers/base/dd.c:639 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c :778 driver_probe_device+0x4c/0x1a0 controladores/base/dd.c:808 __device_attach_driver+0x1d4/0x2e0 controladores/base/dd.c:936 bus_for_each_drv+0x163/0x1e0 controladores/base/bus.c:427 __device_attach+0x1e4/0x530 controladores /base/dd.c:1008 bus_probe_device+0x1e8/0x2a0 controladores/base/bus.c:487 device_add+0xbd9/0x1e90 controladores/base/core.c:3517 usb_new_device.cold+0x685/0x10ad controladores/usb/core/hub .c:2573 hub_port_connect drivers/usb/core/hub.c:5353 [en l\u00ednea] hub_port_connect_change drivers/usb/core/hub.c:5497 [en l\u00ednea] port_event drivers/usb/core/hub.c:5653 [en l\u00ednea] hub_event +0x26cb/0x45d0 controladores/usb/core/hub.c:5735 Process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 trabajador_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c: 376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 "}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/34f7ebff1b9699e0b89fa58b693bc098c2f5ec72", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/68a5a00c5d38978a3f8460c6f182f7beec8688ff", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/79ddf5f2020fd593d50f1363bb5131283d74f78f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7bbf76c9bb2c58375e183074e44f9712483f0603", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b33a81e4ecfb022b028cae37d1c1ce28ac1b359d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b4c24de37a6bb383394a6fef2b85a6db41d426f5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/beeed260b92af158592f5e8d2dab65dae45c6f70", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e120b6388d7d88635d67dcae6483f39c37111850", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ee25389df80138907bc9dcdf4a2be2067cde9a81", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38566", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:16.767", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix verifier assumptions about socket->sk\n\nThe verifier assumes that 'sk' field in 'struct socket' is valid\nand non-NULL when 'socket' pointer itself is trusted and non-NULL.\nThat may not be the case when socket was just created and\npassed to LSM socket_accept hook.\nFix this verifier assumption and adjust tests."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf: corrige las suposiciones del verificador sobre socket->sk. El verificador asume que el campo 'sk' en 'struct socket' es v\u00e1lido y no NULL cuando el puntero 'socket' en s\u00ed es confiable y no NULL. Puede que ese no sea el caso cuando el socket se acaba de crear y se pas\u00f3 al gancho LSM socket_accept. Corrija esta suposici\u00f3n del verificador y ajuste las pruebas."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0db63c0b86e981a1e97d2596d64ceceba1a5470e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/39f8a29330f433000e716eefc4b9abda05b71a82", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6f5ae91172a93abac9720ba94edf3ec8f4d7f24f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c58ccdd2483a1d990748cdaf94206b5d5986a001", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38567", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:16.850", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: carl9170: add a proper sanity check for endpoints\n\nSyzkaller reports [1] hitting a warning which is caused by presence\nof a wrong endpoint type at the URB sumbitting stage. While there\nwas a check for a specific 4th endpoint, since it can switch types\nbetween bulk and interrupt, other endpoints are trusted implicitly.\nSimilar warning is triggered in a couple of other syzbot issues [2].\n\nFix the issue by doing a comprehensive check of all endpoints\ntaking into account difference between high- and full-speed\nconfiguration.\n\n[1] Syzkaller report:\n...\nWARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n \n carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504\n carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline]\n carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline]\n carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028\n request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107\n process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\n worker_thread+0x669/0x1090 kernel/workqueue.c:2436\n kthread+0x2e8/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n \n\n[2] Related syzkaller crashes:"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: wifi: carl9170: agregue una verificaci\u00f3n de integridad adecuada para los endpoints Syzkaller informa [1] que aparece una advertencia causada por la presencia de un tipo de endpoint incorrecto en la etapa de env\u00edo de URB. Si bien hubo una verificaci\u00f3n para un cuarto endpoint espec\u00edfico, dado que puede cambiar de tipo entre masivo e interrupci\u00f3n, se conf\u00eda impl\u00edcitamente en otros endpoints. Se activa una advertencia similar en un par de otros problemas de syzbot [2]. Solucione el problema realizando una verificaci\u00f3n exhaustiva de todos los endpoints teniendo en cuenta la diferencia entre la configuraci\u00f3n de alta y m\u00e1xima velocidad. [1] Informe de Syzkaller: ... ADVERTENCIA: CPU: 0 PID: 4721 en drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Seguimiento de llamadas : carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504 carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [en l\u00ednea] carl9170_usb_firmware_finish drivers/net /inal\u00e1mbrico/ ath/carl9170/usb.c:999 [en l\u00ednea] carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028 request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107 Process_one_work+ 0x9bf/0x1710 kernel/workqueue.c:2289 trabajador_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 [2] Fallos relacionados con syzkaller:"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/03ddc74bdfd71b84a55c9f2185d8787f258422cd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0fa08a55201ab9be72bacb8ea93cf752d338184f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/265c3cda471c26e0f25d0c755da94e1eb15d7a0c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/62eb07923f3693d55b0c2d9a5a4f1ad72cb6b8fd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6a9892bf24c906b4d6b587f8759ca38bff672582", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8650725bb0a48b206d5a8ddad3a7488f9a5985b7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ac3ed46a8741d464bc70ebdf7433c1d786cf329d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eb0f2fc3ff5806cc572cd9055ce7c52a01e97645", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38568", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:16.950", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi: hns3: Fix out-of-bound access when valid event group\n\nThe perf tool allows users to create event groups through following\ncmd [1], but the driver does not check whether the array index is out\nof bounds when writing data to the event_group array. If the number of\nevents in an event_group is greater than HNS3_PMU_MAX_HW_EVENTS, the\nmemory write overflow of event_group array occurs.\n\nAdd array index check to fix the possible array out of bounds violation,\nand return directly when write new events are written to array bounds.\n\nThere are 9 different events in an event_group.\n[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drivers/perf: hisi: hns3: corrige el acceso fuera de los l\u00edmites cuando el grupo de eventos es v\u00e1lido. La herramienta perf permite a los usuarios crear grupos de eventos mediante el siguiente cmd [1], pero el controlador no comprueba si el \u00edndice de la matriz est\u00e1 fuera de los l\u00edmites al escribir datos en la matriz event_group. Si el n\u00famero de eventos en un event_group es mayor que HNS3_PMU_MAX_HW_EVENTS, se produce un desbordamiento de escritura en la memoria de la matriz event_group. Agregue la verificaci\u00f3n del \u00edndice de la matriz para corregir la posible infracci\u00f3n de la matriz fuera de los l\u00edmites y regrese directamente cuando se escriban nuevos eventos en los l\u00edmites de la matriz. Hay 9 eventos diferentes en un grupo de eventos. [1] estad\u00edstica de rendimiento -e '{pmu/event1/, ...,pmu/event9/}"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3669baf308308385a2ab391324abdde5682af5aa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/81bdd60a3d1d3b05e6cc6674845afb1694dd3a0e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aa2d3d678895c8eedd003f1473f87d3f06fe6ec7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b5120d322763c15c978bc47beb3b6dff45624304", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/be1fa711e59c874d049f592aef1d4685bdd22bdf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38569", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:17.060", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi_pcie: Fix out-of-bound access when valid event group\n\nThe perf tool allows users to create event groups through following\ncmd [1], but the driver does not check whether the array index is out of\nbounds when writing data to the event_group array. If the number of events\nin an event_group is greater than HISI_PCIE_MAX_COUNTERS, the memory write\noverflow of event_group array occurs.\n\nAdd array index check to fix the possible array out of bounds violation,\nand return directly when write new events are written to array bounds.\n\nThere are 9 different events in an event_group.\n[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}'"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drivers/perf: hisi_pcie: corrige el acceso fuera de los l\u00edmites cuando el grupo de eventos es v\u00e1lido. La herramienta perf permite a los usuarios crear grupos de eventos mediante el siguiente cmd [1], pero el controlador no compruebe si el \u00edndice de la matriz est\u00e1 fuera de los l\u00edmites al escribir datos en la matriz event_group. Si el n\u00famero de eventos en un event_group es mayor que HISI_PCIE_MAX_COUNTERS, se produce un desbordamiento de escritura en la memoria de la matriz event_group. Agregue la verificaci\u00f3n del \u00edndice de la matriz para corregir la posible infracci\u00f3n de la matriz fuera de los l\u00edmites y regrese directamente cuando se escriban nuevos eventos en los l\u00edmites de la matriz. Hay 9 eventos diferentes en un grupo de eventos. [1] estad\u00edstica de rendimiento -e '{pmu/event1/, ...,pmu/event9/}'"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3d1face00ebb7996842aee4214d7d0fb0c77b1e9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/567d34626c22b36579ec0abfdf5eda2949044220", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/77fce82678ea5fd51442e62febec2004f79e041b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8e9aab2492178f25372f1820bfd9289fbd74efd0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ff48247144d13a3a0817127703724256008efa78", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38570", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:17.153", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix potential glock use-after-free on unmount\n\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically. Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\nrelease the lockspace. This didn't take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\n\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\n\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: gfs2: soluciona el posible use-after-free de glock al desmontar Cuando se libera un espacio de bloqueo de DLM y todav\u00eda hay bloqueos en ese espacio de bloqueo, DLM desbloquear\u00e1 esos bloqueos autom\u00e1ticamente. El commit fb6791d100d1b comenz\u00f3 a explotar este comportamiento para acelerar el desmontaje del sistema de archivos: gfs2 simplemente liberar\u00eda las glocks que no quer\u00eda desbloquear y luego liberar\u00eda el espacio de bloqueo. Esto no tuvo en cuenta las devoluciones de llamada de bast para notificaciones de contenci\u00f3n de bloqueo asincr\u00f3nicas, que permanecen activas hasta que se desbloquea un bloqueo o se libera su espacio de bloqueo. Para evitar que esas devoluciones de llamada accedan a objetos desasignados, coloque las glocks que no deben desbloquearse en la lista sd_dead_glocks, libere el espacio de bloqueo y solo entonces libere esas glocks. Como medida adicional, ignore las devoluciones de llamada inesperadas de ast y bast si la glock receptora est\u00e1 muerta."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0636b34b44589b142700ac137b5f69802cfe2e37", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/501cd8fabf621d10bd4893e37f6ce6c20523c8ca", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d98779e687726d8f8860f1c54b5687eec5f63a73", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38571", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:17.250", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/tsens: Fix null pointer dereference\n\ncompute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)\nas compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null\npointer dereference (if DEBUG or DYNAMIC_DEBUG set).\nFix this bug by adding null pointer check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: Thermal/drivers/tsens: se corrigi\u00f3 la desreferencia del puntero nulo Compute_intercept_slope() se llama desde calibrate_8960() (en tsens-8960.c) como Compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) lo que conduce a la desreferencia del puntero nulo (si DEBUG o DYNAMIC_DEBUG est\u00e1n configurados). Corrija este error agregando una verificaci\u00f3n de puntero nulo. Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con SVACE."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/06d17744b77bc6cb29a6c785f4fad8c4163ee653", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/11c731386ed82053c2759b6fea1a82ae946e5e0f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/27600e0c5272a262b0903e35ae1df37d33c5c1ad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2d5ca6e4a2872e92a32fdfd87e04dd7d3ced7278", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d998ddc86a27c92140b9f7984ff41e3d1d07a48f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fcf5f1b5f308f2eb422f6aca55d295b25890906b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38572", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:17.333", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix out-of-bound access of qmi_invoke_handler()\n\nCurrently, there is no terminator entry for ath12k_qmi_msg_handlers hence\nfacing below KASAN warning,\n\n ==================================================================\n BUG: KASAN: global-out-of-bounds in qmi_invoke_handler+0xa4/0x148\n Read of size 8 at addr ffffffd00a6428d8 by task kworker/u8:2/1273\n\n CPU: 0 PID: 1273 Comm: kworker/u8:2 Not tainted 5.4.213 #0\n Workqueue: qmi_msg_handler qmi_data_ready_work\n Call trace:\n dump_backtrace+0x0/0x20c\n show_stack+0x14/0x1c\n dump_stack+0xe0/0x138\n print_address_description.isra.5+0x30/0x330\n __kasan_report+0x16c/0x1bc\n kasan_report+0xc/0x14\n __asan_load8+0xa8/0xb0\n qmi_invoke_handler+0xa4/0x148\n qmi_handle_message+0x18c/0x1bc\n qmi_data_ready_work+0x4ec/0x528\n process_one_work+0x2c0/0x440\n worker_thread+0x324/0x4b8\n kthread+0x210/0x228\n ret_from_fork+0x10/0x18\n\n The address belongs to the variable:\n ath12k_mac_mon_status_filter_default+0x4bd8/0xfffffffffffe2300 [ath12k]\n [...]\n ==================================================================\n\nAdd a dummy terminator entry at the end to assist the qmi_invoke_handler()\nin traversing up to the terminator entry without accessing an\nout-of-boundary index.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath12k: corrige el acceso fuera de los l\u00edmites de qmi_invoke_handler() Actualmente, no hay ninguna entrada de terminador para ath12k_qmi_msg_handlers, por lo que se enfrenta a la siguiente advertencia de KASAN, ======== ==================================================== ======== ERROR: KASAN: global fuera de los l\u00edmites en qmi_invoke_handler+0xa4/0x148 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffffffd00a6428d8 por tarea kworker/u8:2/1273 CPU: 0 PID: 1273 Comm: kworker /u8:2 No contaminado 5.4.213 #0 Cola de trabajo: qmi_msg_handler qmi_data_ready_work Rastreo de llamadas: dump_backtrace+0x0/0x20c show_stack+0x14/0x1c dump_stack+0xe0/0x138 print_address_description.isra.5+0x30/0x330 __kasan_report+0x16 c/0x1bc kasan_report+0xc /0x14 __asan_load8+0xa8/0xb0 qmi_invoke_handler+0xa4/0x148 qmi_handle_message+0x18c/0x1bc qmi_data_ready_work+0x4ec/0x528 Process_one_work+0x2c0/0x440 trabajador_thread+0x324/0x4b8 0x228 ret_from_fork+0x10/0x18 La direcci\u00f3n pertenece a la variable: ath12k_mac_mon_status_filter_default +0x4bd8/0xfffffffffffe2300 [ath12k] [...] ======================================= ============================ Agregue una entrada de terminador ficticia al final para ayudar a qmi_invoke_handler() a atravesar hasta la entrada del terminador sin acceder a un \u00edndice fuera de los l\u00edmites. Probado en: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/95575de7dede7b1ed3b9718dab9dda97914ea775", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a1abdb63628b04855a929850772de97435ed1555", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b48d40f5840c505b7af700594aa8379eec28e925", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e1bdff48a1bb4a4ac660c19c55a820968c48b3f2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38573", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:17.420", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncppc_cpufreq: Fix possible null pointer dereference\n\ncppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from\ndifferent places with various parameters. So cpufreq_cpu_get() can return\nnull as 'policy' in some circumstances.\nFix this bug by adding null return check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cppc_cpufreq: se corrige la posible desreferencia del puntero nulo. cppc_cpufreq_get_rate() y hisi_cppc_cpufreq_get_rate() se pueden llamar desde diferentes lugares con varios par\u00e1metros. Entonces cpufreq_cpu_get() puede devolver nulo como 'pol\u00edtica' en algunas circunstancias. Corrija este error agregando una verificaci\u00f3n de devoluci\u00f3n nula. Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con SVACE."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/769c4f355b7962895205b86ad35617873feef9a5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9a185cc5a79ba408e1c73375706630662304f618", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b18daa4ec727c0266de5bfc78e818d168cc4aedf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cf7de25878a1f4508c69dc9f6819c21ba177dbfe", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dfec15222529d22b15e5b0d63572a9e39570cab4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f84b9b25d045e67a7eee5e73f21278c8ab06713c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38574", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:17.520", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibbpf: Prevent null-pointer dereference when prog to load has no BTF\n\nIn bpf_objec_load_prog(), there's no guarantee that obj->btf is non-NULL\nwhen passing it to btf__fd(), and this function does not perform any\ncheck before dereferencing its argument (as bpf_object__btf_fd() used to\ndo). As a consequence, we get segmentation fault errors in bpftool (for\nexample) when trying to load programs that come without BTF information.\n\nv2: Keep btf__fd() in the fix instead of reverting to bpf_object__btf_fd()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: libbpf: evita la desreferencia del puntero nulo cuando el programa a cargar no tiene BTF. En bpf_objec_load_prog(), no hay garant\u00eda de que obj->btf no sea NULL al pasarlo a btf__fd() , y esta funci\u00f3n no realiza ninguna verificaci\u00f3n antes de eliminar la referencia a su argumento (como sol\u00eda hacer bpf_object__btf_fd()). Como consecuencia, obtenemos errores de segmentaci\u00f3n en bpftool (por ejemplo) cuando intentamos cargar programas que vienen sin informaci\u00f3n BTF. v2: Mantenga btf__fd() en la soluci\u00f3n en lugar de volver a bpf_object__btf_fd()."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1fd91360a75833b7110af9834ae26c977e1273e0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9bf48fa19a4b1d186e08b20bf7e5de26a15644fb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ef80b59acfa4dee4b5eaccb15572b69248831104", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38575", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:17.603", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: pcie: handle randbuf allocation failure\n\nThe kzalloc() in brcmf_pcie_download_fw_nvram() will return null\nif the physical memory has run out. As a result, if we use\nget_random_bytes() to generate random bytes in the randbuf, the\nnull pointer dereference bug will happen.\n\nIn order to prevent allocation failure, this patch adds a separate\nfunction using buffer on kernel stack to generate random bytes in\nthe randbuf, which could prevent the kernel stack from overflow."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: brcmfmac: pcie: manejar fallo de asignaci\u00f3n de randbuf El kzalloc() en brcmf_pcie_download_fw_nvram() devolver\u00e1 nulo si la memoria f\u00edsica se ha agotado. Como resultado, si usamos get_random_bytes() para generar bytes aleatorios en randbuf, se producir\u00e1 el error de desreferencia del puntero nulo. Para evitar fallas en la asignaci\u00f3n, este parche agrega una funci\u00f3n separada que utiliza el b\u00fafer en la pila del kernel para generar bytes aleatorios en randbuf, lo que podr\u00eda evitar que la pila del kernel se desborde."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0eb2c0528e232b3c32cde9d5e1c9f80ba2996e49", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/316f790ebcf94bdf59f794b7cdea4068dc676d4c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3729ca9e48d19a03ae049e2bde510e161c2f3720", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7c15eb344b0d4d3468c9b2a7591ad2b859b29b88", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c37466406f075476c2702ecc01917928af871f3b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38576", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:17.700", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Fix buffer overflow in print_cpu_stall_info()\n\nThe rcuc-starvation output from print_cpu_stall_info() might overflow the\nbuffer if there is a huge difference in jiffies difference. The situation\nmight seem improbable, but computers sometimes get very confused about\ntime, which can result in full-sized integers, and, in this case,\nbuffer overflow.\n\nAlso, the unsigned jiffies difference is printed using %ld, which is\nnormally for signed integers. This is intentional for debugging purposes,\nbut it is not obvious from the code.\n\nThis commit therefore changes sprintf() to snprintf() and adds a\nclarifying comment about intention of %ld format.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: rcu: corrige el desbordamiento del b\u00fafer en print_cpu_stall_info() La salida rcuc-starvation de print_cpu_stall_info() podr\u00eda desbordar el b\u00fafer si hay una gran diferencia en santiam\u00e9n. La situaci\u00f3n puede parecer improbable, pero las computadoras a veces se confunden mucho con el tiempo, lo que puede resultar en n\u00fameros enteros de tama\u00f1o completo y, en este caso, en un desbordamiento del b\u00fafer. Adem\u00e1s, la diferencia de santiam\u00e9n sin signo se imprime usando %ld, que normalmente es para enteros con signo. Esto es intencional con fines de depuraci\u00f3n, pero no es obvio en el c\u00f3digo. Por lo tanto, esta confirmaci\u00f3n cambia sprintf() a snprintf() y agrega un comentario aclaratorio sobre la intenci\u00f3n del formato %ld. Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con SVACE."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3758f7d9917bd7ef0482c4184c0ad673b4c4e069", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4c3e2ef4d8ddd313c8ce3ac30505940bea8d6257", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9351e1338539cb7f319ffc1210fa9b2aa27384b5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/afb39909bfb5c08111f99e21bf5be7505f59ff1c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e2228ed3fe7aa838fba87c79a76fb1ad9ea47138", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38577", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:17.787", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\n\nThere is a possibility of buffer overflow in\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\nto sprintf() are huge. Counter numbers, needed for this\nare unrealistically high, but buffer overflow is still\npossible.\n\nUse snprintf() with buffer size instead of sprintf().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rcu-tasks: Corrige show_rcu_tasks_trace_gp_kthread desbordamiento del b\u00fafer. Existe la posibilidad de que se produzca un desbordamiento del b\u00fafer en show_rcu_tasks_trace_gp_kthread() si los contadores pasados a sprintf() son enormes. Los n\u00fameros de contador necesarios para esto son excesivamente altos, pero a\u00fan es posible un desbordamiento del b\u00fafer. Utilice snprintf() con tama\u00f1o de b\u00fafer en lugar de sprintf(). Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con SVACE."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/08186d0c5fb64a1cc4b43e009314ee6b173ed222", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1a240e138071b25944ded0f5b3e357aa99fabcb7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/32d988f48ed287e676a29a15ac30701c35849aec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6593d857ce5b5b802fb73d8091ac9c84b92c1697", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cc5645fddb0ce28492b15520306d092730dffa48", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38578", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:17.870", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\necryptfs: Fix buffer size for tag 66 packet\n\nThe 'TAG 66 Packet Format' description is missing the cipher code and\nchecksum fields that are packed into the message packet. As a result,\nthe buffer allocated for the packet is 3 bytes too small and\nwrite_tag_66_packet() will write up to 3 bytes past the end of the\nbuffer.\n\nFix this by increasing the size of the allocation so the whole packet\nwill always fit in the buffer.\n\nThis fixes the below kasan slab-out-of-bounds bug:\n\n BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0\n Write of size 1 at addr ffff88800afbb2a5 by task touch/181\n\n CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014\n Call Trace:\n \n dump_stack_lvl+0x4c/0x70\n print_report+0xc5/0x610\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? kasan_complete_mode_report_info+0x44/0x210\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n kasan_report+0xc2/0x110\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n __asan_store1+0x62/0x80\n ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10\n ? __alloc_pages+0x2e2/0x540\n ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]\n ? dentry_open+0x8f/0xd0\n ecryptfs_write_metadata+0x30a/0x550\n ? __pfx_ecryptfs_write_metadata+0x10/0x10\n ? ecryptfs_get_lower_file+0x6b/0x190\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n ? __pfx_path_openat+0x10/0x10\n do_filp_open+0x15e/0x290\n ? __pfx_do_filp_open+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? _raw_spin_lock+0x86/0xf0\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? alloc_fd+0xf4/0x330\n do_sys_openat2+0x122/0x160\n ? __pfx_do_sys_openat2+0x10/0x10\n __x64_sys_openat+0xef/0x170\n ? __pfx___x64_sys_openat+0x10/0x10\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n RIP: 0033:0x7f00a703fd67\n Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f\n RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\n RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67\n RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c\n RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000\n R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941\n R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040\n \n\n Allocated by task 181:\n kasan_save_stack+0x2f/0x60\n kasan_set_track+0x29/0x40\n kasan_save_alloc_info+0x25/0x40\n __kasan_kmalloc+0xc5/0xd0\n __kmalloc+0x66/0x160\n ecryptfs_generate_key_packet_set+0x6d2/0xde0\n ecryptfs_write_metadata+0x30a/0x550\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n do_filp_open+0x15e/0x290\n do_sys_openat2+0x122/0x160\n __x64_sys_openat+0xef/0x170\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ecryptfs: corrige el tama\u00f1o del b\u00fafer para el paquete etiqueta 66. A la descripci\u00f3n 'Formato de paquete TAG 66' le faltan el c\u00f3digo de cifrado y los campos de suma de verificaci\u00f3n que est\u00e1n empaquetados en el paquete de mensaje. Como resultado, el b\u00fafer asignado para el paquete es 3 bytes demasiado peque\u00f1o y write_tag_66_packet() escribir\u00e1 hasta 3 bytes m\u00e1s all\u00e1 del final del b\u00fafer. Solucione este problema aumentando el tama\u00f1o de la asignaci\u00f3n para que todo el paquete siempre quepa en el b\u00fafer. Esto corrige el siguiente error de kasan slab-out-of-bounds: ERROR: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0 Escritura de tama\u00f1o 1 en la direcci\u00f3n ffff88800afbb2a5 mediante tarea t\u00e1ctil/181 CPU: 0 PID: 181 Comm : touch No contaminado 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 01/04/2014 Seguimiento de llamadas: 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX : ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67 RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c RBP: 00007ffc088e4 8d7 R08: 0000000000000001 R09: 0000000000000000 R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941 R13: 00000 R14: 00007ffc088e48d7 R15: 00007f00a7180040 Asignado por tarea 181: kasan_save_stack+0x2f/0x60 kasan_set_track+0x29/0x40 kasan_save_alloc_info+0x25/0x40 __kasan_kmalloc+0xc5/0xd0 __kmalloc+0x66/0x160 ecryptfs_generate_key_packet_set+0x6d2/0xde0 _write_metadata+0x30a/0x550 ecryptfs_initialize_file+0x77/0x150 ecryptfs_create+0x1c2/0x2f0 ruta_openat+ 0x17cf/0x1ba0 do_filp_open+0x15e/0x290 do_sys_openat2+0x122/0x160 __x64_sys_openat+0xef/0x170 do_syscall_64+0x60/0xd0 Entry_SYSCALL_64_after_hwframe+0x6e/0xd8"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0d0f8ba042af16519f1ef7dd10463a33b21b677c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/12db25a54ce6bb22b0af28010fff53ef9cb3fe93", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1c125b9287e58f364d82174efb167414b92b11f1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/235b85981051cd68fc215fd32a81c6f116bfc4df", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2ed750b7ae1b5dc72896d7dd114c419afd3d1910", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/85a6a1aff08ec9f5b929d345d066e2830e8818e5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a20f09452e2f58f761d11ad7b96b5c894c91030e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/edbfc42ab080e78c6907d40a42c9d10b69e445c1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f6008487f1eeb8693f8d2a36a89c87d9122ddf74", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38579", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:17.960", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: bcm - Fix pointer arithmetic\n\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: crypto: bcm - Arreglar la aritm\u00e9tica de punteros En spu2_dump_omd() el valor de ptr aumenta en ciph_key_len en lugar de hash_iv_len, lo que podr\u00eda llevar a ir m\u00e1s all\u00e1 de los l\u00edmites del b\u00fafer. Corrija este error cambiando ciph_key_len a hash_iv_len. Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con SVACE."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3b7a40740f04e2f27114dfd6225c5e721dda9d57", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/49833a8da6407e7e9b532cc4054fdbcaf78f5fdd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c0082ee420639a97e40cae66778b02b341b005e5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c256b616067bfd6d274c679c06986b78d2402434", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c69a1e4b419c2c466dd8c5602bdebadc353973dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d0f14ae223c2421b334c1f1a9e48f1e809aee3a0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e719c8991c161977a67197775067ab456b518c7b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ebed0d666fa709bae9e8cafa8ec6e7ebd1d318c6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38580", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:18.057", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nepoll: be better about file lifetimes\n\nepoll can call out to vfs_poll() with a file pointer that may race with\nthe last 'fput()'. That would make f_count go down to zero, and while\nthe ep->mtx locking means that the resulting file pointer tear-down will\nbe blocked until the poll returns, it means that f_count is already\ndead, and any use of it won't actually get a reference to the file any\nmore: it's dead regardless.\n\nMake sure we have a valid ref on the file pointer before we call down to\nvfs_poll() from the epoll routines."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: epoll: mejore la duraci\u00f3n de los archivos epoll puede llamar a vfs_poll() con un puntero de archivo que puede competir con el \u00faltimo 'fput()'. Eso har\u00eda que f_count bajara a cero, y aunque el bloqueo ep->mtx significa que el desmontaje del puntero del archivo resultante se bloquear\u00e1 hasta que regrese la encuesta, significa que f_count ya est\u00e1 muerto y no se podr\u00e1 utilizar. De hecho, ya no obtengo una referencia al archivo: est\u00e1 muerto de todos modos. Aseg\u00farese de tener una referencia v\u00e1lida en el puntero del archivo antes de llamar a vfs_poll() desde las rutinas de epoll."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/16e3182f6322575eb7c12e728ad3c7986a189d5d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4efaa5acf0a1d2b5947f98abb3acf8bfd966422b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4f65f4defe4e23659275ce5153541cd4f76ce2d2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/559214eb4e5c3d05e69428af2fae2691ba1eb784", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cbfd1088e24ec4c1199756a37cb8e4cd0a4b016e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38581", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:18.150", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/mes: fix use-after-free issue\n\nDelete fence fallback timer to fix the ramdom\nuse-after-free issue.\n\nv2: move to amdgpu_mes.c"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: drm/amdgpu/mes: soluciona el problema de use-after-free. Elimina el temporizador de reserva de valla para solucionar el problema de use-after-free. v2: pasar a amdgpu_mes.c"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0f98c144c15c8fc0f3176c994bd4e727ef718a5c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/39cfce75168c11421d70b8c0c65f6133edccb82a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/70b1bf6d9edc8692d241f59a65f073aec6d501de", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/948255282074d9367e01908b3f5dcf8c10fc9c3d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38582", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:18.273", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential hang in nilfs_detach_log_writer()\n\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\n\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\n\nnilfs_detach_log_writer\n nilfs_segctor_destroy\n nilfs_segctor_kill_thread --> Shut down log writer thread\n flush_work\n nilfs_iput_work_func\n nilfs_dispose_list\n iput\n nilfs_evict_inode\n nilfs_transaction_commit\n nilfs_construct_segment (if inode needs sync)\n nilfs_segctor_sync --> Attempt to synchronize with\n log writer thread\n *** DEADLOCK ***\n\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\n\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: nilfs2: soluciona un posible bloqueo en nilfs_detach_log_writer() Syzbot ha informado de un posible bloqueo en nilfs_detach_log_writer() llamado durante el desmontaje de nilfs2. El an\u00e1lisis revel\u00f3 que esto se debe a que nilfs_segctor_sync(), que se sincroniza con el hilo del escritor de registros, puede ser llamado despu\u00e9s de que nilfs_segctor_destroy() finalice ese hilo, como se muestra en el seguimiento de llamadas a continuaci\u00f3n: nilfs_detach_log_writer nilfs_segctor_destroy nilfs_segctor_kill_thread --> Apagar el hilo del escritor de registros Flush_work nilfs_iput_work_func nilfs_dispose_list iput nilfs_evict_inode nilfs_transaction_commit nilfs_construct_segment (si el inodo necesita sincronizaci\u00f3n) nilfs_segctor_sync --> Intente sincronizar con el hilo del escritor de registros *** DEADLOCK *** Solucione este problema cambiando nilfs_segctor_sync() para que el hilo del escritor de registros regrese normalmente sin sincronizarse despu\u00e9s de que termine y forzando las tareas que ya est\u00e1n esperando a completarse una vez que finaliza el hilo. La eliminaci\u00f3n de metadatos del inodo omitido se procesar\u00e1 en conjunto en el trabajo de limpieza posterior en nilfs_segctor_destroy()."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6e5c8e8e024e147b834f56f2115aad241433679b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/911d38be151921a5d152bb55e81fd752384c6830", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a8799662fed1f8747edae87a1937549288baca6a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bc9cee50a4a4ca23bdc49f75ea8242d8a2193b3b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c516db6ab9eabbedbc430b4f93b0d8728e9b427f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eb85dace897c5986bc2f36b3c783c6abb8a4292e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eff7cdf890b02596b8d73e910bdbdd489175dbdb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38583", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:18.397", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of timer for log writer thread\n\nPatch series \"nilfs2: fix log writer related issues\".\n\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis. Details are described in each commit log.\n\n\nThis patch (of 3):\n\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\n\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\n\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: corrige el use-after-free del temporizador para el hilo del escritor de registros Serie de parches \"nilfs2: corrige problemas relacionados con el escritor de registros\". Esta serie de correcci\u00f3n de errores cubre tres problemas relacionados con el escritor de registros nilfs2, incluido un problema de use-after-free del temporizador y un posible problema de bloqueo al desmontar, y un posible problema de congelaci\u00f3n en la sincronizaci\u00f3n de eventos encontrado durante su an\u00e1lisis. Los detalles se describen en cada registro de confirmaci\u00f3n. Este parche (de 3): Se inform\u00f3 un problema de use-after-free con respecto al temporizador sc_timer en la estructura nilfs_sc_info. El problema es que, aunque se utiliza para reactivar un subproceso de escritura de registros inactivo, sc_timer no se cierra hasta que la estructura nilfs_sc_info est\u00e1 a punto de liberarse y se utiliza independientemente de la vida \u00fatil del subproceso. Solucione este problema limitando el uso de sc_timer solo mientras el subproceso del escritor de registros est\u00e9 activo."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2f12b2c03c5dae1a0de0a9e5853177e3d6eee3c6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/67fa90d4a2ccd9ebb0e1e168c7d0b5d0cf3c7148", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/68e738be5c518fc3c4e9146b66f67c8fee0135fb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/822ae5a8eac30478578a75f7e064f0584931bf2d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/82933c84f188dcfe89eb26b0b48ab5d1ca99d164", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/86a30d6302deddb9fb97ba6fc4b04d0e870b582a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e65ccf3a4de4f0c763d94789615b83e11f204438", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f5d4e04634c9cf68bdf23de08ada0bb92e8befe7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f9186bba4ea282b07293c1c892441df3a5441cb0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38584", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:18.530", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icssg_prueth: Fix NULL pointer dereference in prueth_probe()\n\nIn the prueth_probe() function, if one of the calls to emac_phy_connect()\nfails due to of_phy_connect() returning NULL, then the subsequent call to\nphy_attached_info() will dereference a NULL pointer.\n\nCheck the return code of emac_phy_connect and fail cleanly if there is an\nerror."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: ti: icssg_prueth: corrige la desreferencia del puntero NULL en prueth_probe() En la funci\u00f3n prueth_probe(), si una de las llamadas a emac_phy_connect() falla debido a que of_phy_connect() devuelve NULL , entonces la llamada posterior a phy_attached_info() eliminar\u00e1 la referencia a un puntero NULL. Verifique el c\u00f3digo de retorno de emac_phy_connect y falle limpiamente si hay un error."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1e1d5bd7f4682e6925dd960aba2a1aa1d93da53a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5cd17f0e74cb99d209945b9f1f06d411aa667eb1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b0a82ebabbdc4c307f781bb0e5cd617949a3900d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b31c7e78086127a7fcaa761e8d336ee855a920c6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38585", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:18.610", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntools/nolibc/stdlib: fix memory error in realloc()\n\nPass user_p_len to memcpy() instead of heap->len to prevent realloc()\nfrom copying an extra sizeof(heap) bytes from beyond the allocated\nregion."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tools/nolibc/stdlib: corrige el error de memoria en realloc() Pase user_p_len a memcpy() en lugar de heap->len para evitar que realloc() copie un tama\u00f1o extra de(heap) bytes m\u00e1s all\u00e1 de la regi\u00f3n asignada."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/4e6f225aefeb712cdb870176b6621f02cf235b8c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5996b2b2dac739f2a27da13de8eee5b85b2550b3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/791f4641142e2aced85de082e5783b4fb0b977c2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8019d3dd921f39a237a9fab6d2ce716bfac0f983", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f678c3c336559cf3255a32153e9a17c1be4e7c15", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38586", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:18.700", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\n\nAn issue was found on the RTL8125b when transmitting small fragmented\npackets, whereby invalid entries were inserted into the transmit ring\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\naddress.\n\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\nwhich may occur when small packets are padded (to work around hardware\nquirks) in rtl8169_tso_csum_v2().\n\nTo fix this, postpone inspecting nr_frags until after any padding has been\napplied."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: r8169: corrige una posible corrupci\u00f3n del b\u00fafer en anillo en paquetes Tx fragmentados. Se encontr\u00f3 un problema en el RTL8125b al transmitir peque\u00f1os paquetes fragmentados, por el cual se insertaban entradas no v\u00e1lidas en el b\u00fafer del anillo de transmisi\u00f3n, lo que posteriormente generaba llamadas a dma_unmap_single() con una direcci\u00f3n nula. Esto se debi\u00f3 a que rtl8169_start_xmit() no not\u00f3 los cambios en nr_frags que pueden ocurrir cuando se rellenan paquetes peque\u00f1os (para evitar peculiaridades del hardware) en rtl8169_tso_csum_v2(). Para solucionar este problema, posponga la inspecci\u00f3n de nr_frags hasta que se haya aplicado el relleno."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/078d5b7500d70af2de6b38e226b03f0b932026a6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0c48185a95309556725f818b82120bb74e9c627d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/54e7a0d111240c92c0f02ceba6eb8f26bf6d6479", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/68222d7b4b72aa321135cd453dac37f00ec41fd1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b6d21cf40de103d63ae78551098a7c06af8c98dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c71e3a5cffd5309d7f84444df03d5b72600cc417", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38587", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:18.800", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Fix sizeof() vs ARRAY_SIZE() bug\n\nThe \"buf\" pointer is an array of u16 values. This code should be\nusing ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),\notherwise it can the still got out of bounds."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Speakup: corrige el error sizeof() vs ARRAY_SIZE() El puntero \"buf\" es una matriz de valores u16. Este c\u00f3digo deber\u00eda usar ARRAY_SIZE() (que es 256) en lugar de sizeof() (que es 512), de lo contrario a\u00fan puede salirse de los l\u00edmites."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/07ef95cc7a579731198c93beed281e3a79a0e586", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3726f75a1ccc16cd335c0ccfad1d92ee08ecba5e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/42f0a3f67158ed6b2908d2b9ffbf7e96d23fd358", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/504178fb7d9f6cdb0496d5491efb05f45597e535", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c6e1650cf5df1bd6638eeee231a683ef30c7d4eb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cd7f3978c2ec741aedd1d860b2adb227314cf996", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d52c04474feac8e305814a5228e622afe481b2ef", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eb1ea64328d4cc7d7a912c563f8523d5259716ef", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38588", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:18.907", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix possible use-after-free issue in ftrace_location()\n\nKASAN reports a bug:\n\n BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\n Read of size 8 at addr ffff888141d40010 by task insmod/424\n CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+\n [...]\n Call Trace:\n \n dump_stack_lvl+0x68/0xa0\n print_report+0xcf/0x610\n kasan_report+0xb5/0xe0\n ftrace_location+0x90/0x120\n register_kprobe+0x14b/0xa40\n kprobe_init+0x2d/0xff0 [kprobe_example]\n do_one_initcall+0x8f/0x2d0\n do_init_module+0x13a/0x3c0\n load_module+0x3082/0x33d0\n init_module_from_file+0xd2/0x130\n __x64_sys_finit_module+0x306/0x440\n do_syscall_64+0x68/0x140\n entry_SYSCALL_64_after_hwframe+0x71/0x79\n\nThe root cause is that, in lookup_rec(), ftrace record of some address\nis being searched in ftrace pages of some module, but those ftrace pages\nat the same time is being freed in ftrace_release_mod() as the\ncorresponding module is being deleted:\n\n CPU1 | CPU2\n register_kprobes() { | delete_module() {\n check_kprobe_address_safe() { |\n arch_check_ftrace_location() { |\n ftrace_location() { |\n lookup_rec() // USE! | ftrace_release_mod() // Free!\n\nTo fix this issue:\n 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\n 2. Use ftrace_location_range() instead of lookup_rec() in\n ftrace_location();\n 3. Call synchronize_rcu() before freeing any ftrace pages both in\n ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ftrace: Solucionar posible problema de use-after-free en ftrace_location() KASAN informa un error: ERROR: KASAN: use-after-free en ftrace_location+0x90/0x120 Lectura de tama\u00f1o 8 en addr ffff888141d40010 por tarea insmod/424 CPU: 8 PID: 424 Comm: insmod Tainted: GW 6.9.0-rc2+ [...] Rastreo de llamadas: dump_stack_lvl+0x68/0xa0 print_report+0xcf/0x610 kasan_report+0xb5/ 0xe0 ftrace_location+0x90/0x120 Register_kprobe+0x14b/0xa40 kprobe_init+0x2d/0xff0 [kprobe_example] do_one_initcall+0x8f/0x2d0 do_init_module+0x13a/0x3c0 load_module+0x3082/0x33d0 init_module_from _file+0xd2/0x130 __x64_sys_finit_module+0x306/0x440 do_syscall_64+0x68/0x140 entrada_SYSCALL_64_after_hwframe +0x71/0x79 La causa principal es que, en lookup_rec(), el registro ftrace de alguna direcci\u00f3n se busca en las p\u00e1ginas ftrace de alg\u00fan m\u00f3dulo, pero esas p\u00e1ginas ftrace al mismo tiempo se liberan en ftrace_release_mod() como lo est\u00e1 el m\u00f3dulo correspondiente. siendo eliminado: CPU1 | CPU2 registro_kprobes() { | eliminar_m\u00f3dulo() { check_kprobe_address_safe() { | arch_check_ftrace_location() { | ftrace_ubicaci\u00f3n() { | lookup_rec() // \u00a1UTILIZAR! | ftrace_release_mod() // \u00a1Gratis! Para solucionar este problema: 1. Mantenga presionado rcu lock mientras accede a las p\u00e1ginas de ftrace en ftrace_location_range(); 2. Utilice ftrace_location_range() en lugar de lookup_rec() en ftrace_location(); 3. Llame a sincronizar_rcu() antes de liberar cualquier p\u00e1gina ftrace tanto en ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem()."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986fee3fc8d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38589", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:19.000", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: fix possible dead-lock in nr_rt_ioctl()\n\nsyzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]\n\nMake sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)\n\n[1]\nWARNING: possible circular locking dependency detected\n6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted\n------------------------------------------------------\nsyz-executor350/5129 is trying to acquire lock:\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]\n ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n\nbut task is already holding lock:\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (nr_node_list_lock){+...}-{2:2}:\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_remove_node net/netrom/nr_route.c:299 [inline]\n nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355\n nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n-> #0 (&nr_node->node_lock){+...}-{2:2}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:356 [inline]\n nr_node_lock include/net/netrom.h:152 [inline]\n nr_dec_obs net/netrom/nr_route.c:464 [inline]\n nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(nr_node_list_lock);\n lock(&nr_node->node_lock);\n lock(nr_node_list_lock);\n lock(&nr_node->node_lock);\n\n *** DEADLOCK ***\n\n1 lock held by syz-executor350/5129:\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]\n #0: ffffffff8f70\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: netrom: solucion\u00f3 un posible bloqueo en nr_rt_ioctl() syzbot ama netrom y encontr\u00f3 un posible bloqueo en nr_rt_ioctl [1] Aseg\u00farese de adquirir siempre nr_node_list_lock antes de nr_node_lock(nr_node) [1 ] ADVERTENCIA: se detect\u00f3 posible dependencia de bloqueo circular 6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 No contaminado --------------------- --------------------- syz-executor350/5129 est\u00e1 intentando adquirir el bloqueo: ffff8880186e2070 (&nr_node->node_lock){+... }-{2:2}, en: spin_lock_bh include/linux/spinlock.h:356 [en l\u00ednea] ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, en: nr_node_lock include/net/ netrom.h:152 [en l\u00ednea] ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, en: nr_dec_obs net/netrom/nr_route.c:464 [en l\u00ednea] ffff8880186e2070 (&nr_node->node_lock) {+...}-{2:2}, en: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 pero la tarea ya est\u00e1 bloqueada: fffffffff8f7053b8 (nr_node_list_lock){+...}-{2: 2}, en: spin_lock_bh include/linux/spinlock.h:356 [en l\u00ednea] fffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, en: nr_dec_obs net/netrom/nr_route.c:462 [en l\u00ednea] ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, en: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697 cuyo bloqueo ya depende del nuevo bloqueo. la cadena de dependencia existente (en orden inverso) es: -> #1 (nr_node_list_lock){+...}-{2:2}: lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock_bh include/linux/ spinlock_api_smp.h:126 [en l\u00ednea] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [en l\u00ednea] nr_remove_node net/netrom/nr_route.c:299 [en l\u00ednea] nr_del_node+ 0x4b4/0x820 net/netrom/nr_route.c:355 nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:13 41 vfs_ioctl fs/ioctl.c:51 [en l\u00ednea] __do_sys_ioctl fs/ioctl.c:904 [en l\u00ednea] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64 +0xf5/0x240 arch/x86/entry/common.c:83 Entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&nr_node->node_lock){+...}-{2:2}: check_prev_add kernel/locking/lockdep. c:3134 [en l\u00ednea] check_prevs_add kernel/locking/lockdep.c:3253 [en l\u00ednea] validar_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1ed /0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [en l\u00ednea] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [en l\u00ednea ] nr_node_lock include/net/netrom.h:152 [en l\u00ednea] nr_dec_obs net/netrom/nr_route.c:464 [en l\u00ednea] nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 sock_do_ioctl+0x158/0x460 net/socket. c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [en l\u00ednea] __do_sys_ioctl fs/ioctl.c:904 [en l\u00ednea] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 llamada_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 Entry_SYSCALL_64_after_hwframe+0x77/0x7f otra informaci\u00f3n que podr\u00eda ayudarnos a depurar esto: Posible escenario de bloqueo inseguro: CPU0 CPU1 ---- ---- bloqueo(nr_node_list_lock); bloquear(&nr_nodo->nodo_lock); bloquear(nr_node_list_lock); bloquear(&nr_nodo->nodo_lock); *** DEADLOCK *** 1 bloqueo retenido por syz-executor350/5129: #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, en: spin_lock_bh include/linux/spinlock.h:356 [ en l\u00ednea] #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, en: nr_dec_obs net/netrom/nr_route.c:462 [en l\u00ednea] #0: ffffffff8f70 ---truncado---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1fbfb483c1a290dce3f41f52d45cc46dd88b7691", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3db2fc45d1d2a6457f06ebdfd45b9820e5b5c2b7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/421c50fa81836775bf0fd6ce0e57a6eb27af24d5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5bc50a705cfac8f64ce51c95611c3dd0554ef9c3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5fb7e2a4335fc67d6952ad2a6613c46e0b05f7c5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b117e5b4f27c2c9076561b6be450a9619f0b79de", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b9d663fbf74290cb68fbc66ae4367bd56837ad1d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f28bdc2ee5d9300cc77bd3d97b5b3cdd14960fd8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38590", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:19.113", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Modify the print level of CQE error\n\nToo much print may lead to a panic in kernel. Change ibdev_err() to\nibdev_err_ratelimited(), and change the printing level of cqe dump\nto debug level."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/hns: Modifique el nivel de impresi\u00f3n del error CQE. Demasiada impresi\u00f3n puede provocar p\u00e1nico en el kernel. Cambie ibdev_err() a ibdev_err_ratelimited() y cambie el nivel de impresi\u00f3n del volcado cqe al nivel de depuraci\u00f3n."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/06cf121346bbd3d83a5eea05bb87666c6b279990", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/17f3741c65c4a042ae8ba094068b07a4b77e213c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/349e859952285ab9689779fb46de163f13f18f43", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/45b31be4dd22827903df15c548b97b416790139b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6f541a89ced8305da459e3ab0006e7528cf7da7b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/817a10a6df9354e67561922d2b7fce48dfbebc55", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cc699b7eb2bc963c12ffcd37f80f45330d2924bd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38591", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:19.207", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix deadlock on SRQ async events.\n\nxa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/\nxa_erase_irq() to avoid deadlock."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/hns: corrige el punto muerto en eventos as\u00edncronos de SRQ. Es posible que se requiera xa_lock para la tabla SRQ en AEQ. Utilice xa_store_irq()/ xa_erase_irq() para evitar un punto muerto."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/22c915af31bd84ffaa46145e317f53333f94a868", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4a3be1a0ffe04c085dd7f79be97c91b0c786df3d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/72dc542f0d8977e7d41d610db6bb65c47cad43e9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/756ddbe665ea7f9416951bd76731b174d136eea0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b46494b6f9c19f141114a57729e198698f40af37", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d271e66abac5c7eb8de345b9b44d89f777437a4c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38592", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:19.297", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Init `ddp_comp` with devm_kcalloc()\n\nIn the case where `conn_routes` is true we allocate an extra slot in\nthe `ddp_comp` array but mtk_drm_crtc_create() never seemed to\ninitialize it in the test case I ran. For me, this caused a later\ncrash when we looped through the array in mtk_drm_crtc_mode_valid().\nThis showed up for me when I booted with `slub_debug=FZPUA` which\npoisons the memory initially. Without `slub_debug` I couldn't\nreproduce, presumably because the later code handles the value being\nNULL and in most cases (not guaranteed in all cases) the memory the\nallocator returned started out as 0.\n\nIt really doesn't hurt to initialize the array with devm_kcalloc()\nsince the array is small and the overhead of initting a handful of\nelements to 0 is small. In general initting memory to zero is a safer\npractice and usually it's suggested to only use the non-initting alloc\nfunctions if you really need to.\n\nLet's switch the function to use an allocation function that zeros the\nmemory. For me, this avoids the crash."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/mediatek: Init `ddp_comp` con devm_kcalloc() En el caso de que `conn_routes` sea verdadero, asignamos una ranura adicional en la matriz `ddp_comp` pero mtk_drm_crtc_create() nunca apareci\u00f3 para inicializarlo en el caso de prueba que ejecut\u00e9. Para m\u00ed, esto provoc\u00f3 un bloqueo posterior cuando recorrimos la matriz en mtk_drm_crtc_mode_valid(). Esto me apareci\u00f3 cuando arranqu\u00e9 con `slub_debug=FZPUA` que envenena la memoria inicialmente. Sin `slub_debug` no pude reproducir, presumiblemente porque el c\u00f3digo posterior maneja que el valor sea NULL y en la mayor\u00eda de los casos (no garantizado en todos los casos) la memoria que devolvi\u00f3 el asignador comenz\u00f3 como 0. Realmente no est\u00e1 de m\u00e1s inicializar el array con devm_kcalloc() ya que la matriz es peque\u00f1a y la sobrecarga de iniciar un pu\u00f1ado de elementos en 0 es peque\u00f1a. En general, iniciar la memoria a cero es una pr\u00e1ctica m\u00e1s segura y, por lo general, se sugiere usar solo las funciones de asignaci\u00f3n que no son de inicio si realmente es necesario. Cambiemos la funci\u00f3n para usar una funci\u00f3n de asignaci\u00f3n que ponga a cero la memoria. Para m\u00ed, esto evita el accidente."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/01a2c5123e27b3c4685bf2fc4c2e879f6e0c7b33", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9fe2cc3fa44f7ad7ba5f29c1a68b2b924c17b9b1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cf69d0af7db917b82aceaa44b7b1b9376609da22", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38593", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:19.387", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: micrel: Fix receiving the timestamp in the frame for lan8841\n\nThe blamed commit started to use the ptp workqueue to get the second\npart of the timestamp. And when the port was set down, then this\nworkqueue is stopped. But if the config option NETWORK_PHY_TIMESTAMPING\nis not enabled, then the ptp_clock is not initialized so then it would\ncrash when it would try to access the delayed work.\nSo then basically by setting up and then down the port, it would crash.\nThe fix consists in checking if the ptp_clock is initialized and only\nthen cancel the delayed work."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: micrel: Se corrigi\u00f3 la recepci\u00f3n de la marca de tiempo en el framework para lan8841. El commit culpable comenz\u00f3 a usar la cola de trabajo ptp para obtener la segunda parte de la marca de tiempo. Y cuando se establece el puerto, esta cola de trabajo se detiene. Pero si la opci\u00f3n de configuraci\u00f3n NETWORK_PHY_TIMESTAMPING no est\u00e1 habilitada, entonces ptp_clock no se inicializa, por lo que se bloquear\u00e1 cuando intente acceder al trabajo retrasado. Entonces, b\u00e1sicamente, al configurar y luego desactivar el puerto, fallar\u00eda. La soluci\u00f3n consiste en comprobar si el ptp_clock est\u00e1 inicializado y s\u00f3lo entonces cancelar el trabajo retrasado."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3ddf170e4a604f5d4d9459a36993f5e92b53e8b0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3fd4282d5f25c3c97fef3ef0b89b82ef4e2bc975", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/64a47cf634ae44e92be24ebc982410841093bd7b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aea27a92a41dae14843f92c79e9e42d8f570105c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38594", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:19.467", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: move the EST lock to struct stmmac_priv\n\nReinitialize the whole EST structure would also reset the mutex\nlock which is embedded in the EST structure, and then trigger\nthe following warning. To address this, move the lock to struct\nstmmac_priv. We also need to reacquire the mutex lock when doing\nthis initialization.\n\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\nWARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068\n Modules linked in:\n CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29\n Hardware name: NXP i.MX8MPlus EVK board (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __mutex_lock+0xd84/0x1068\n lr : __mutex_lock+0xd84/0x1068\n sp : ffffffc0864e3570\n x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003\n x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac\n x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000\n x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff\n x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000\n x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8\n x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698\n x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001\n x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n __mutex_lock+0xd84/0x1068\n mutex_lock_nested+0x28/0x34\n tc_setup_taprio+0x118/0x68c\n stmmac_setup_tc+0x50/0xf0\n taprio_change+0x868/0xc9c"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: stmmac: mover el bloqueo EST a la estructura stmmac_priv Reinicializar toda la estructura EST tambi\u00e9n restablecer\u00eda el bloqueo mutex que est\u00e1 incrustado en la estructura EST y luego activar\u00eda la siguiente advertencia. Para solucionar esto, mueva el candado a la estructura stmmac_priv. Tambi\u00e9n necesitamos volver a adquirir el bloqueo mutex al realizar esta inicializaci\u00f3n. DEBUG_LOCKS_WARN_ON(lock->magic != lock) ADVERTENCIA: CPU: 3 PID: 505 en kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068 M\u00f3dulos vinculados en: CPU: 3 PID: 505 Comm: tc No contaminado 6.9. 0-rc6-00053-g0106679839f7-dirty #29 Nombre del hardware: NXP i.MX8MPlus Placa EVK (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc: __mutex_lock+0xd84/ 0x1068 lr: __mutex_lock+0xd84/0x1068 sp: ffffffc0864e3570 x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003 x26: ffffff80c54f1808 : ffffff80c9164080 x24: ffffffc080d723ac x23: 0000000000000000 x22: 0000000000000002 x21: 00000000000000000 x20: 0000000000000000 x19: c083bc3000 x18: ffffffffffffffff x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000 x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8 x11: ffffffc082bca680 x10: 2bb2640 x9: ffffffc082bb2698 x8: 0000000000017fe8 x7: c0000000fffffff x6: 0000000000000001 x5: ffffff8178fe0d48 x4: 0000000000000000 x3: 00000000 00000027 x2: ffffff8178fe0d50 x1: 0000000000000000 x0: 0000000000000000 Rastreo de llamadas: __mutex_lock+0xd84/0x1068 mutex_lock_nested+0x28/0x34 tc_setup_taprio+0x118/0x68c stmmac_setup_tc+0x50/0xf0 taprio_change+0x868/0xc9c"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/36ac9e7f2e5786bd37c5cd91132e1f39c29b8197", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/487f9030b1ef34bab123f2df2a4ccbe01ba84416", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6f476aff2d8da1a189621c4c16a76a6c534e4312", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38595", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:19.550", "lastModified": "2024-06-20T12:44:01.637", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix peer devlink set for SF representor devlink port\n\nThe cited patch change register devlink flow, and neglect to reflect\nthe changes for peer devlink set logic. Peer devlink set is\ntriggering a call trace if done after devl_register.[1]\n\nHence, align peer devlink set logic with register devlink flow.\n\n[1]\nWARNING: CPU: 4 PID: 3394 at net/devlink/core.c:155 devlink_rel_nested_in_add+0x177/0x180\nCPU: 4 PID: 3394 Comm: kworker/u40:1 Not tainted 6.9.0-rc4_for_linust_min_debug_2024_04_16_14_08 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nWorkqueue: mlx5_vhca_event0 mlx5_vhca_state_work_handler [mlx5_core]\nRIP: 0010:devlink_rel_nested_in_add+0x177/0x180\nCall Trace:\n \n ? __warn+0x78/0x120\n ? devlink_rel_nested_in_add+0x177/0x180\n ? report_bug+0x16d/0x180\n ? handle_bug+0x3c/0x60\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? devlink_port_init+0x30/0x30\n ? devlink_port_type_clear+0x50/0x50\n ? devlink_rel_nested_in_add+0x177/0x180\n ? devlink_rel_nested_in_add+0xdd/0x180\n mlx5_sf_mdev_event+0x74/0xb0 [mlx5_core]\n notifier_call_chain+0x35/0xb0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\n mlx5_sf_dev_probe+0x185/0x3e0 [mlx5_core]\n auxiliary_bus_probe+0x38/0x80\n ? driver_sysfs_add+0x51/0x80\n really_probe+0xc5/0x3a0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n bus_probe_device+0x86/0xa0\n device_add+0x64f/0x860\n __auxiliary_device_add+0x3b/0xa0\n mlx5_sf_dev_add+0x139/0x330 [mlx5_core]\n mlx5_sf_dev_state_change_handler+0x1e4/0x250 [mlx5_core]\n notifier_call_chain+0x35/0xb0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_vhca_state_work_handler+0x151/0x200 [mlx5_core]\n process_one_work+0x13f/0x2e0\n worker_thread+0x2bd/0x3c0\n ? rescuer_thread+0x410/0x410\n kthread+0xc4/0xf0\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x2d/0x50\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork_asm+0x11/0x20\n "}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5: corrige el conjunto de enlaces de desarrollo de pares para el puerto devlink del representante SF. El flujo de devlink del registro de cambios de parche citado y no refleja los cambios para la l\u00f3gica del conjunto de enlaces de desarrollo de pares. El conjunto de devlink de pares activa un seguimiento de llamadas si se realiza despu\u00e9s de devl_register.[1] Por lo tanto, alinee la l\u00f3gica del conjunto de devlink de pares con el flujo de registro de devlink. [1] ADVERTENCIA: CPU: 4 PID: 3394 en net/devlink/core.c:155 devlink_rel_nested_in_add+0x177/0x180 CPU: 4 PID: 3394 Comm: kworker/u40:1 No contaminado 6.9.0-rc4_for_linust_min_debug_2024_04_16_14_0 8 #1 Nombre del hardware : PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 01/04/2014 Cola de trabajo: mlx5_vhca_event0 mlx5_vhca_state_work_handler [mlx5_core] RIP 0010:devlink_rel_nested_in_ agregar+0x177/0x180 Llamar Seguimiento: ? __advertir+0x78/0x120 ? devlink_rel_nested_in_add+0x177/0x180? report_bug+0x16d/0x180? handle_bug+0x3c/0x60? exc_invalid_op+0x14/0x70? asm_exc_invalid_op+0x16/0x20? devlink_port_init+0x30/0x30? devlink_port_type_clear+0x50/0x50? devlink_rel_nested_in_add+0x177/0x180? devlink_rel_nested_in_add+0xdd/0x180 mlx5_sf_mdev_event+0x74/0xb0 [mlx5_core] notifier_call_chain+0x35/0xb0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] x5_sf_dev_probe+0x185/0x3e0 [mlx5_core] auxiliar_bus_probe+0x38/0x80? driver_sysfs_add+0x51/0x80 realmente_probe+0xc5/0x3a0? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x8 6/0xa0 dispositivo_add+0x64f/0x860 __auxiliary_device_add+0x3b/0xa0 mlx5_sf_dev_add+0x139/0x330 [mlx5_core] mlx5_sf_dev_state_change_handler+0x1e4/0x250 [mlx5_core] notifier_call_chain+0x35/0xb0 blocking_notifier_call_chain+0x3d/0x60 mlx5_vhca_state_work_handler+0x151/0x200 [mlx5_core Process_one_work+0x13f] /0x2e0 hilo_trabajador+0x2bd/0x3c0 ? hilo_rescate+0x410/0x410 kthread+0xc4/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x2d/0x50 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork_asm+0x11/0x20 "}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/05d9d7b66836d87c914f8fdd4b062b78e373458d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3c453e8cc672de1f9c662948dba43176bc68d7f0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a0501201751034ebe7a22bd9483ed28fea1cd213", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38596", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:19.640", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\n\nA data-race condition has been identified in af_unix. In one data path,\nthe write function unix_release_sock() atomically writes to\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\nunix_stream_sendmsg() does not read it atomically. Consequently, this\nissue is causing the following KCSAN splat to occur:\n\n\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\n\n\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\n\tunix_release_sock (net/unix/af_unix.c:640)\n\tunix_release (net/unix/af_unix.c:1050)\n\tsock_close (net/socket.c:659 net/socket.c:1421)\n\t__fput (fs/file_table.c:422)\n\t__fput_sync (fs/file_table.c:508)\n\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\n\t__x64_sys_close (fs/open.c:1541)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\n\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\n\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\n\t____sys_sendmsg (net/socket.c:2584)\n\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\n\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tvalue changed: 0x01 -> 0x03\n\nThe line numbers are related to commit dd5a440a31fa (\"Linux 6.9-rc7\").\n\nCommit e1d09c2c2f57 (\"af_unix: Fix data races around sk->sk_shutdown.\")\naddressed a comparable issue in the past regarding sk->sk_shutdown.\nHowever, it overlooked resolving this particular data path.\nThis patch only offending unix_stream_sendmsg() function, since the\nother reads seem to be protected by unix_state_lock() as discussed in"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: af_unix: corrige ejecuci\u00f3ns de datos en unix_release_sock/unix_stream_sendmsg Se identific\u00f3 una condici\u00f3n de ejecuci\u00f3n de datos en af_unix. En una ruta de datos, la funci\u00f3n de escritura unix_release_sock() escribe at\u00f3micamente en sk->sk_shutdown usando WRITE_ONCE. Sin embargo, en el lado del lector, unix_stream_sendmsg() no lo lee at\u00f3micamente. En consecuencia, este problema est\u00e1 provocando que se produzca el siguiente s\u00edmbolo de KCSAN: ERROR: KCSAN: data-race en unix_release_sock / unix_stream_sendmsg escribe (marcado) en 0xffff88867256ddbb de 1 byte por tarea 7270 en la CPU 28: unix_release_sock (net/unix/af_unix.c: 640) unix_release (net/unix/af_unix.c:1050) sock_close (net/socket.c:659 net/socket.c:1421) __fput (fs/file_table.c:422) __fput_sync (fs/file_table.c:508 ) __se_sys_close (fs/open.c:1559 fs/open.c:1541) __x64_sys_close (fs/open.c:1541) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/ common.c:?) Entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) le\u00eddo en 0xffff88867256ddbb de 1 bytes por la tarea 989 en la CPU 14: unix_stream_sendmsg (net/unix/af_unix.c:2273) __sock_sendmsg (net/socket .c:730 net/socket.c:745) ____sys_sendmsg (net/socket.c:2584) __sys_sendmmsg (net/socket.c:2638 net/socket.c:2724) __x64_sys_sendmmsg (net/socket.c:2753 net/ socket.c:2750 net/socket.c:2750) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) Entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64 .S:130) valor cambiado: 0x01 -> 0x03 Los n\u00fameros de l\u00ednea est\u00e1n relacionados con el commit dd5a440a31fa (\"Linux 6.9-rc7\"). El commit e1d09c2c2f57 (\"af_unix: corregir ejecuci\u00f3ns de datos alrededor de sk->sk_shutdown.\") abord\u00f3 un problema comparable en el pasado con respecto a sk->sk_shutdown. Sin embargo, pas\u00f3 por alto resolver esta ruta de datos en particular. Este parche solo ofende la funci\u00f3n unix_stream_sendmsg(), ya que las otras lecturas parecen estar protegidas por unix_state_lock() como se explica en"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0688d4e499bee3f2749bca27329bd128686230cb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4d51845d734a4c5d079e56e0916f936a55e15055", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/540bf24fba16b88c1b3b9353927204b4f1074e25", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8299e4d778f664b31b67cf4cf3d5409de2ecb92c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9aa8773abfa0e954136875b4cbf2df4cf638e8a5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a4c88072abcaca593cefe70f90e9d3707526e8f9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a52fa2addfcccc2c5a0217fd45562605088c018b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/de6641d213373fbde9bbdd7c4b552254bc9f82fe", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fca6072e1a7b1e709ada5604b951513b89b4bd0a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38597", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:19.730", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: sungem: remove .ndo_poll_controller to avoid deadlocks\n\nErhard reports netpoll warnings from sungem:\n\n netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398)\n WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c\n\ngem_poll_controller() disables interrupts, which may sleep.\nWe can't sleep in netpoll, it has interrupts disabled completely.\nStrangely, gem_poll_controller() doesn't even poll the completions,\nand instead acts as if an interrupt has fired so it just schedules\nNAPI and exits. None of this has been necessary for years, since\nnetpoll invokes NAPI directly."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: eth: sungem: elimine .ndo_poll_controller para evitar interbloqueos Erhard informa advertencias de netpoll desde sungem: netpoll_send_skb_on_dev(): eth0 habilit\u00f3 interrupciones en la encuesta (gem_start_xmit+0x0/0x398) ADVERTENCIA: CPU: 1 PID: 1 en net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c gem_poll_controller() desactiva las interrupciones, que pueden dormir. No podemos dormir en netpoll, tiene las interrupciones desactivadas por completo. Curiosamente, gem_poll_controller() ni siquiera sondea las finalizaciones y, en cambio, act\u00faa como si se hubiera disparado una interrupci\u00f3n, por lo que simplemente programa NAPI y sale. Nada de esto ha sido necesario durante a\u00f1os, ya que netpoll invoca directamente a NAPI."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/476adb3bbbd7886e8251d3b9ce2d3c3e680f35d6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5de5aeb98f9a000adb0db184e32765e4815d860b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6400d205fbbcbcf9b8510157e1f379c1d7e2e937", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ac0a230f719b02432d8c7eba7615ebd691da86f4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e22b23f5888a065d084e87db1eec639c445e677f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/faf94f1eb8a34b2c31b2042051ef36f63420ecce", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fbeeb55dbb33d562149c57e794f06b7414e44289", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38598", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:19.813", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix resync softlockup when bitmap size is less than array size\n\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\ntrigger following softlockup:\n\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\nCall Trace:\n \n md_bitmap_start_sync+0x6b/0xf0\n raid10_sync_request+0x25c/0x1b40 [raid10]\n md_do_sync+0x64b/0x1020\n md_thread+0xa7/0x170\n kthread+0xcf/0x100\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1a/0x30\n\nAnd the detailed process is as follows:\n\nmd_do_sync\n j = mddev->resync_min\n while (j < max_sectors)\n sectors = raid10_sync_request(mddev, j, &skipped)\n if (!md_bitmap_start_sync(..., &sync_blocks))\n // md_bitmap_start_sync set sync_blocks to 0\n return sync_blocks + sectors_skippe;\n // sectors = 0;\n j += sectors;\n // j never change\n\nRoot cause is that commit 301867b1c168 (\"md/raid10: check\nslab-out-of-bounds in md_bitmap_get_counter\") return early from\nmd_bitmap_get_counter(), without setting returned blocks.\n\nFix this problem by always set returned blocks from\nmd_bitmap_get_counter\"(), as it used to be.\n\nNoted that this patch just fix the softlockup problem in kernel, the\ncase that bitmap size doesn't match array size still need to be fixed."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: md: corrige el bloqueo suave de resincronizaci\u00f3n cuando el tama\u00f1o del mapa de bits es menor que el tama\u00f1o de la matriz. Se informa que para dm-raid10, lvextend + lvchange --syncaction activar\u00e1 el siguiente bloqueo suave: kernel:watchdog: ERROR : bloqueo suave - \u00a1CPU n.\u00b0 3 bloqueada durante 26 segundos! [mdX_resync:6976] CPU: 7 PID: 3588 Comm: mdX_resync Kdump: cargado No contaminado 6.9.0-rc4-next-20240419 #1 RIP: 0010:_raw_spin_unlock_irq+0x13/0x30 Seguimiento de llamadas: md_bitmap_start_sync+0x6b/0xf0 raid10_sync_request+0x25c/0x1b40 [raid10] md_do_sync+0x64b/0x1020 md_thread+0xa7/0x170 kthread+0xcf/0x100 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1a/0x30 Y el proceso detallado es el siguiente: _sync j = mddev->resync_min mientras ( j < max_sectors) sectores = raid10_sync_request(mddev, j, &skipped) if (!md_bitmap_start_sync(..., &sync_blocks)) // md_bitmap_start_sync establece sync_blocks en 0 return sync_blocks + sectores_skippe; // sectores = 0; j += sectores; // j nunca cambia La causa principal es que el commit 301867b1c168 (\"md/raid10: check slab-out-of-bounds in md_bitmap_get_counter\") regresa antes de md_bitmap_get_counter(), sin configurar los bloques devueltos. Solucione este problema estableciendo siempre los bloques devueltos desde md_bitmap_get_counter\"(), como sol\u00eda ser. Tenga en cuenta que este parche solo soluciona el problema de bloqueo suave en el kernel, el caso de que el tama\u00f1o del mapa de bits no coincida con el tama\u00f1o de la matriz a\u00fan debe solucionarse."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3f5b73ef8fd6268cbc968b308d8eafe56fda97f3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/43771597feba89a839c5f893716df88ae5c237ce", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5817f43ae1a118855676f57ef7ab50e37eac7482", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/69296914bfd508c85935bf5f711cad9b0fe78492", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/71e8e4f288e74a896b6d9cd194f3bab12bd7a10f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8bbc71315e0ae4bb7e37f8d43b915e1cb01a481b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c9566b812c8f66160466cc1e29df6d3646add0b1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d4b9c764d48fa41caa24cfb4275f3aa9fb4bd798", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f0e729af2eb6bee9eb58c4df1087f14ebaefe26b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38599", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:19.903", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: prevent xattr node from overflowing the eraseblock\n\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\n\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\n\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\n\nThis breaks the filesystem and can lead to KASAN crashes such as:\n\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: jffs2: evita que el nodo xattr desborde el bloque de borrado. Agregue una verificaci\u00f3n para asegurarse de que el tama\u00f1o del nodo xattr solicitado no sea mayor que el bloque de borrado menos el marcador de limpieza. A diferencia de los nodos de inodo habituales, los nodos xattr no se dividen en partes ni se distribuyen en m\u00faltiples bloques de borrado, lo que significa que un nodo xattr no debe ocupar m\u00e1s de un bloque de borrado. Si el valor xattr solicitado es demasiado grande, el nodo xattr puede extenderse al siguiente bloque de borrado, sobrescribiendo los nodos y provocando errores como: jffs2: argh. nodo agregado en un lugar incorrecto en 0x0000b050(2) jffs2: nextblock 0x0000a000, esperado en 0000b00c jffs2: error: (823) do_verify_xattr_datum: el CRC del nodo fall\u00f3 en 0x01e050, read=0xfc892c93, calc=0x000000 jffs2: aviso: 823) jffs2_get_inode_nodes: Nodo El CRC del encabezado fall\u00f3 en 0x01e00c. {848f,2fc4,0fef511f,59a3d171} jffs2: El nodo en 0x0000000c con longitud 0x00001044 se ejecutar\u00eda sobre el final del bloque de borrado jffs2: \u00bfQuiz\u00e1s el sistema de archivos se cre\u00f3 con un tama\u00f1o de borrado incorrecto? jffs2: jffs2_scan_eraseblock(): M\u00e1scara de bits m\u00e1gica 0x1985 no encontrada en 0x00000010: 0x1044 en su lugar. Esto rompe el sistema de archivos y puede provocar fallas de KASAN como: ERROR: KASAN: losa fuera de los l\u00edmites en jffs2_sum_add_kvec+0x125e/0x15d0 Lectura de tama\u00f1o 4 en addr ffff88802c31e914 por tarea repro/830 CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 01/04/2014 Seguimiento de llamadas: dump_stack_lvl+0xc6/0x120 print_report+0xc4/0x620 ? __virt_addr_valid+0x308/0x5b0 kasan_report+0xc1/0xf0 ? jffs2_sum_add_kvec+0x125e/0x15d0? jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_flash_direct_writev+0xa8/0xd0 jffs2_flash_writev+0x9c9/0xef0 ? __x64_sys_setxattr+0xc4/0x160 ? do_syscall_64+0x69/0x140? Entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con Syzkaller."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2904e1d9b64f72d291095e3cbb31634f08788b11", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/526235dffcac74c7823ed504dfac4f88d84ba5df", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8d431391320c5c5398ff966fb3a95e68a7def275", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/978a12c91b38bf1a213e567f3c20e2beef215f07", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a1d21bcd78cf4a4353e1e835789429c6b76aca8b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/af82d8d2179b7277ad627c39e7e0778f1c86ccdb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c6854e5a267c28300ff045480b5a7ee7f6f1d913", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f06969df2e40ab1dc8f4364a5de967830c74a098", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f0eea095ce8c959b86e1e57fe36ca4fea5ae54f8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38600", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:19.990", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: Fix deadlocks with kctl removals at disconnection\n\nIn snd_card_disconnect(), we set card->shutdown flag at the beginning,\ncall callbacks and do sync for card->power_ref_sleep waiters at the\nend. The callback may delete a kctl element, and this can lead to a\ndeadlock when the device was in the suspended state. Namely:\n\n* A process waits for the power up at snd_power_ref_and_wait() in\n snd_ctl_info() or read/write() inside card->controls_rwsem.\n\n* The system gets disconnected meanwhile, and the driver tries to\n delete a kctl via snd_ctl_remove*(); it tries to take\n card->controls_rwsem again, but this is already locked by the\n above. Since the sleeper isn't woken up, this deadlocks.\n\nAn easy fix is to wake up sleepers before processing the driver\ndisconnect callbacks but right after setting the card->shutdown flag.\nThen all sleepers will abort immediately, and the code flows again.\n\nSo, basically this patch moves the wait_event() call at the right\ntiming. While we're at it, just to be sure, call wait_event_all()\ninstead of wait_event(), although we don't use exclusive events on\nthis queue for now."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: soluciona interbloqueos con eliminaciones de kctl al desconectar fin. La devoluci\u00f3n de llamada puede eliminar un elemento kctl y esto puede provocar un punto muerto cuando el dispositivo estaba en estado suspendido. Es decir: * Un proceso espera el encendido en snd_power_ref_and_wait() en snd_ctl_info() o lectura/escritura() dentro de card->controls_rwsem. * Mientras tanto, el sistema se desconecta y el controlador intenta eliminar un kctl mediante snd_ctl_remove*(); intenta tomar card->controls_rwsem nuevamente, pero esto ya est\u00e1 bloqueado por lo anterior. Como el durmiente no se despierta, esto se bloquea. Una soluci\u00f3n f\u00e1cil es despertar a los durmientes antes de procesar las devoluciones de llamada de desconexi\u00f3n del controlador, pero justo despu\u00e9s de configurar la tarjeta->indicador de apagado. Entonces todos los durmientes abortar\u00e1n inmediatamente y el c\u00f3digo fluir\u00e1 nuevamente. B\u00e1sicamente, este parche mueve la llamada wait_event() en el momento adecuado. Mientras estamos en esto, solo para estar seguros, llame a wait_event_all() en lugar de wait_event(), aunque no usamos eventos exclusivos en esta cola por ahora."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2f103287ef7960854808930499d1181bd0145d68", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6b55e879e7bd023a03888fc6c8339edf82f576f4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/87988a534d8e12f2e6fc01fe63e6c1925dc5307c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/88ce3fe255d58a93624b467af036dc3519f309c7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c2fb439f4f1425a961d20bec818fed2c2d9ef70a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ff80185e7b7b547a0911fcfc8aefc61c3e8304d7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38601", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:20.087", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix a race between readers and resize checks\n\nThe reader code in rb_get_reader_page() swaps a new reader page into the\nring buffer by doing cmpxchg on old->list.prev->next to point it to the\nnew page. Following that, if the operation is successful,\nold->list.next->prev gets updated too. This means the underlying\ndoubly-linked list is temporarily inconsistent, page->prev->next or\npage->next->prev might not be equal back to page for some page in the\nring buffer.\n\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\nIt calls rb_check_pages() which can detect the described inconsistency\nand stop further tracing:\n\n[ 190.271762] ------------[ cut here ]------------\n[ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\n[ 190.271789] Modules linked in: [...]\n[ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\n[ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\n[ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\n[ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\n[ 190.272023] Code: [...]\n[ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\n[ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\n[ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\n[ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\n[ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\n[ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\n[ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\n[ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\n[ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 190.272077] Call Trace:\n[ 190.272098] \n[ 190.272189] ring_buffer_resize+0x2ab/0x460\n[ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0\n[ 190.272206] tracing_resize_ring_buffer+0x65/0x90\n[ 190.272216] tracing_entries_write+0x74/0xc0\n[ 190.272225] vfs_write+0xf5/0x420\n[ 190.272248] ksys_write+0x67/0xe0\n[ 190.272256] do_syscall_64+0x82/0x170\n[ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 190.272373] RIP: 0033:0x7f1bd657d263\n[ 190.272381] Code: [...]\n[ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\n[ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\n[ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\n[ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\n[ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\n[ 190.272412] \n[ 190.272414] ---[ end trace 0000000000000000 ]---\n\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\ntrace_buffer has recording disabled. Recent commit d78ab792705c\n(\"tracing: Stop current tracer when resizing buffer\") causes that it is\nnow always the case which makes it more likely to experience this issue.\n\nThe window to hit this race is nonetheless very small. To help\nreproducing it, one can add a delay loop in rb_get_reader_page():\n\n ret = rb_head_page_replace(reader, cpu_buffer->reader_page);\n if (!ret)\n \tgoto spin;\n for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */\n \t__asm__ __volatile__ (\"\" : : : \"memory\");\n rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;\n\n.. \n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ring-buffer: corrige una ejecuci\u00f3n entre lectores y cambia el tama\u00f1o de las comprobaciones. El c\u00f3digo del lector en rb_get_reader_page() intercambia una nueva p\u00e1gina del lector en el b\u00fafer circular haciendo cmpxchg en old->list.prev ->siguiente para apuntar a la nueva p\u00e1gina. Despu\u00e9s de eso, si la operaci\u00f3n es exitosa, old->list.next->prev tambi\u00e9n se actualiza. Esto significa que la lista doblemente enlazada subyacente es temporalmente inconsistente, p\u00e1gina->anterior->siguiente o p\u00e1gina->siguiente->anterior podr\u00eda no ser igual a la p\u00e1gina para alguna p\u00e1gina en el b\u00fafer circular. La operaci\u00f3n de cambio de tama\u00f1o en ring_buffer_resize() se puede invocar en paralelo. Llama a rb_check_pages(), que puede detectar la inconsistencia descrita y detener el seguimiento: [190.271762] ------------[ cortar aqu\u00ed ]------------ [ 190.271771] ADVERTENCIA: CPU: 1 PID: 6186 en kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0 [190.271789] M\u00f3dulos vinculados en: [...] [190.271991] M\u00f3dulos contaminados descargados: intel_uncore_frequency(E) :1 skx_edac(E):1 [ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: cargado Contaminado: GE 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f [ 190.272011] Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 01/04/2014 [ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0 [ 190.272023] C\u00f3digo: [.. .] [ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206 [ 190.272034] RAX: ffff8eba04b6cb80 RBX: 00000000000000007 RCX: ffff8eba01f13d80 [ 19 0.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700 [ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 00000000 [ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720 [ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000 [ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:000000000000000000 [ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0 [ 190.272070] DR0: 000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 190.272073] DR3: 0000000000000000 DR6: 00000000ffe0ff0 DR7: 0000000000000400 [ 190 .272077] Seguimiento de llamadas: [190.272098 ] [ 190.272189] ring_buffer_resize+0x2ab/0x460 [ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0 [ 190.272206] tracing_resize_ring_buffer+0x65/0x90 [ 190.272216] _entries_write+0x74/0xc0 [ 190.272225] vfs_write+0xf5/0x420 [ 190.272248 ] ksys_write+0x67/0xe0 [ 190.272256] do_syscall_64+0x82/0x170 [ 190.272363] Entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 190.272373] RIP: 0033:0x7f1bd657d26 3 [ 190.272381] C\u00f3digo: [...] [ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263 [ 190.272395] RDX: 0000000 000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001 [ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000 [ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12 : 00007f1bd6662500 [ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 00000000000000002 [ 190.272412] [ 4] ---[ end trace 0000000000000000 ]--- Tenga en cuenta que ring_buffer_resize() llama a rb_check_pages() solo si el trace_buffer principal tiene grabaci\u00f3n desactivada. El reciente commit d78ab792705c (\"rastreo: detener el rastreador actual al cambiar el tama\u00f1o del b\u00fafer\") hace que ahora sea siempre el caso, lo que hace que sea m\u00e1s probable experimentar este problema. No obstante, la ventana para llegar a esta ejecuci\u00f3n es muy peque\u00f1a. Para ayudar a reproducirlo, se puede agregar un bucle de retardo en rb_get_reader_page(): ret = rb_head_page_replace(reader, cpu_buffer->reader_page); if (!ret) ir a girar; for (unsigned i = 0; i < 1U << 26; i++) /* bucle de retardo insertado ---truncado---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1e160196042cac946798ac192a0bc3398f1aa66b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/54c64967ba5f8658ae7da76005024ebd3d9d8f6e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/595363182f28786d641666a09e674b852c83b4bb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/79b52013429a42b8efdb0cda8bb0041386abab87", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/af3274905b3143ea23142bbf77bd9b610c54e533", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b50932ea673b5a089a4bb570a8a868d95c72854e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c2274b908db05529980ec056359fae916939fdaa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38602", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:20.183", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issues of ax25_dev\n\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\ncount leak issue of the object \"ax25_dev\".\n\nMemory leak issue in ax25_addr_ax25dev():\n\nThe reference count of the object \"ax25_dev\" can be increased multiple\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\n\nMemory leak issues in ax25_dev_device_down():\n\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\nAs a result, the reference count of ax25_dev is 2. But when the device is\nshutting down. The ax25_dev_device_down() drops the reference count once\nor twice depending on if we goto unlock_put or not, which will cause\nmemory leak.\n\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\nafter it is removed from the ax25_dev_list."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ax25: soluciona problemas de p\u00e9rdida de recuento de referencias de ax25_dev. Ax25_addr_ax25dev() y ax25_dev_device_down() existen un problema de p\u00e9rdida de recuento de referencias del objeto \"ax25_dev\". Problema de p\u00e9rdida de memoria en ax25_addr_ax25dev(): el recuento de referencias del objeto \"ax25_dev\" se puede aumentar varias veces en ax25_addr_ax25dev(). Esto provocar\u00e1 una p\u00e9rdida de memoria. Problemas de p\u00e9rdida de memoria en ax25_dev_device_down(): el recuento de referencias de ax25_dev se establece en 1 en ax25_dev_device_up() y luego aumenta el recuento de referencias cuando se agrega ax25_dev a ax25_dev_list. Como resultado, el recuento de referencia de ax25_dev es 2. Pero cuando el dispositivo se est\u00e1 apagando. El ax25_dev_device_down() reduce el recuento de referencias una o dos veces dependiendo de si vamos a unlock_put o no, lo que provocar\u00e1 una p\u00e9rdida de memoria. En cuanto al problema de ax25_addr_ax25dev(), es imposible que un puntero est\u00e9 en una lista dos veces. Entonces agregue una interrupci\u00f3n en ax25_addr_ax25dev(). En cuanto al problema de ax25_dev_device_down(), aumente el recuento de referencias de ax25_dev una vez en ax25_dev_device_up() y disminuya el recuento de referencias de ax25_dev despu\u00e9s de que se elimine de ax25_dev_list."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1ea02699c7557eeb35ccff2bd822de1b3e09d868", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/38eb01edfdaa1562fa00429be2e33f45383b1b3a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/81d8240b0a243b3ddd8fa8aa172f1acc2f7cc8f3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ae467750a3765dd1092eb29f58247950a2f9b60c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b505e0319852b08a3a716b64620168eab21f4ced", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38603", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:20.270", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi: hns3: Actually use devm_add_action_or_reset()\n\npci_alloc_irq_vectors() allocates an irq vector. When devm_add_action()\nfails, the irq vector is not freed, which leads to a memory leak.\n\nReplace the devm_add_action with devm_add_action_or_reset to ensure\nthe irq vector can be destroyed when it fails."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drivers/perf: hisi: hns3: en realidad usa devm_add_action_or_reset() pci_alloc_irq_vectors() asigna un vector irq. Cuando devm_add_action() falla, el vector irq no se libera, lo que provoca una p\u00e9rdida de memoria. Reemplace devm_add_action con devm_add_action_or_reset para garantizar que el vector irq pueda destruirse cuando falla."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1491a01ef5a98149048b12e208f6ed8e86ad10b9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2fcffaaf529d5fe3fdc6c0ee65a6f266b74de782", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/582c1aeee0a9e73010cf1c4cef338709860deeb0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a7678a16c25b6ece1667ac681e3e783ff3de7a6f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b1e86f1ef8fa796f8935be392457639f3a907d91", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38604", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:20.357", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: refine the EOF check in blkdev_iomap_begin\n\nblkdev_iomap_begin rounds down the offset to the logical block size\nbefore stashing it in iomap->offset and checking that it still is\ninside the inode size.\n\nCheck the i_size check to the raw pos value so that we don't try a\nzero size write if iter->pos is unaligned."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bloque: refina la comprobaci\u00f3n de EOF en blkdev_iomap_begin blkdev_iomap_begin redondea hacia abajo el desplazamiento al tama\u00f1o del bloque l\u00f3gico antes de guardarlo en iomap->offset y comprobar que todav\u00eda est\u00e1 dentro del tama\u00f1o del inodo. Verifique la verificaci\u00f3n i_size en el valor pos sin formato para que no intentemos una escritura de tama\u00f1o cero si iter->pos no est\u00e1 alineado."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0c12028aec837f5a002009bbf68d179d506510e8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/10b723bcba8986537a484aa94dbfc9093fd776a1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/72c54e063c32aeb38d43a2bd897821e6e5a1757d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/910717920c8c3f9386277a44c44d448058a18084", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38605", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:20.443", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: core: Fix NULL module pointer assignment at card init\n\nThe commit 81033c6b584b (\"ALSA: core: Warn on empty module\")\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\nobject creation, and it also wraps the code around it with '#ifdef\nMODULE'. This works in most cases, but the devils are always in\ndetails. \"MODULE\" is defined when the target code (i.e. the sound\ncore) is built as a module; but this doesn't mean that the caller is\nalso built-in or not. Namely, when only the sound core is built-in\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\nthe passed module pointer is ignored even if it's non-NULL, and\ncard->module remains as NULL. This would result in the missing module\nreference up/down at the device open/close, leading to a race with the\ncode execution after the module removal.\n\nFor addressing the bug, move the assignment of card->module again out\nof ifdef. The WARN_ON() is still wrapped with ifdef because the\nmodule can be really NULL when all sound drivers are built-in.\n\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\nlead to a false-positive NULL module check. Admittedly it won't catch\nperfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no\nreal problem as it's only for debugging, and the condition is pretty\nrare."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: n\u00facleo: corrige la asignaci\u00f3n del puntero del m\u00f3dulo NULL en el inicio de la tarjeta el commit 81033c6b584b (\"ALSA: n\u00facleo: Advertencia sobre m\u00f3dulo vac\u00edo\") introdujo un WARN_ON() para un puntero de m\u00f3dulo NULL pasado en la creaci\u00f3n del objeto snd_card, y tambi\u00e9n envuelve el c\u00f3digo a su alrededor con '#ifdef MODULE'. Esto funciona en la mayor\u00eda de los casos, pero los problemas siempre est\u00e1n en los detalles. \"M\u00d3DULO\" se define cuando el c\u00f3digo objetivo (es decir, el n\u00facleo de sonido) se construye como un m\u00f3dulo; pero esto no significa que la persona que llama tambi\u00e9n est\u00e9 integrada o no. Es decir, cuando solo el n\u00facleo de sonido est\u00e1 integrado (CONFIG_SND=y) mientras el controlador es un m\u00f3dulo (CONFIG_SND_USB_AUDIO=m), el puntero del m\u00f3dulo pasado se ignora incluso si no es NULL, y tarjeta->m\u00f3dulo permanece como NULL. Esto dar\u00eda como resultado que la referencia del m\u00f3dulo faltante suba o baje en la apertura o cierre del dispositivo, lo que provocar\u00eda una ejecuci\u00f3n con la ejecuci\u00f3n del c\u00f3digo despu\u00e9s de la eliminaci\u00f3n del m\u00f3dulo. Para solucionar el error, mueva la asignaci\u00f3n de tarjeta->m\u00f3dulo nuevamente fuera de ifdef. WARN_ON() todav\u00eda est\u00e1 incluido en ifdef porque el m\u00f3dulo puede ser realmente NULL cuando todos los controladores de sonido est\u00e1n integrados. Tenga en cuenta que mantenemos 'ifdef MODULE' para WARN_ON(); de lo contrario, se producir\u00eda una verificaci\u00f3n de m\u00f3dulo NULL falsamente positiva. Es cierto que no se detectar\u00e1 perfectamente, es decir, no se realiza ninguna verificaci\u00f3n cuando CONFIG_SND=y. Pero no es un problema real ya que es solo para depurar y la condici\u00f3n es bastante rara."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/39381fe7394e5eafac76e7e9367e7351138a29c1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6b8374ee2cabcf034faa34e69a855dc496a9ec12", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c935e72139e6d523defd60fe875c01eb1f9ea5c5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d7ff29a429b56f04783152ad7bbd7233b740e434", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e007476725730c1a68387b54b7629486d8a8301e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e7e0ca200772bdb2fdc6d43d32d341e87a36f811", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38606", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:20.567", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - validate slices count returned by FW\n\nThe function adf_send_admin_tl_start() enables the telemetry (TL)\nfeature on a QAT device by sending the ICP_QAT_FW_TL_START message to\nthe firmware. This triggers the FW to start writing TL data to a DMA\nbuffer in memory and returns an array containing the number of\naccelerators of each type (slices) supported by this HW.\nThe pointer to this array is stored in the adf_tl_hw_data data\nstructure called slice_cnt.\n\nThe array slice_cnt is then used in the function tl_print_dev_data()\nto report in debugfs only statistics about the supported accelerators.\nAn incorrect value of the elements in slice_cnt might lead to an out\nof bounds memory read.\nAt the moment, there isn't an implementation of FW that returns a wrong\nvalue, but for robustness validate the slice count array returned by FW."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: crypto: qat: valida el recuento de segmentos devueltos por el FW. La funci\u00f3n adf_send_admin_tl_start() habilita la funci\u00f3n de telemetr\u00eda (TL) en un dispositivo QAT enviando el mensaje ICP_QAT_FW_TL_START al firmware. Esto hace que el FW comience a escribir datos TL en un b\u00fafer DMA en la memoria y devuelve una matriz que contiene la cantidad de aceleradores de cada tipo (porciones) admitidos por este HW. El puntero a esta matriz se almacena en la estructura de datos adf_tl_hw_data llamada slice_cnt. La matriz slice_cnt luego se usa en la funci\u00f3n tl_print_dev_data() para informar en debugfs solo estad\u00edsticas sobre los aceleradores admitidos. Un valor incorrecto de los elementos en slice_cnt podr\u00eda provocar una lectura de memoria fuera de los l\u00edmites. Por el momento, no existe una implementaci\u00f3n de FW que devuelva un valor incorrecto, pero para mayor solidez, valide la matriz de recuento de sectores devuelta por FW."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/483fd65ce29317044d1d00757e3fd23503b6b04c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9b284b915e2a5e63ca133353f8c456eff4446f82", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e57ed345e2e6043629fc74aa5be051415dcc4f77", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38607", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:20.650", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh/via-macii: Fix \"BUG: sleeping function called from invalid context\"\n\nThe via-macii ADB driver calls request_irq() after disabling hard\ninterrupts. But disabling interrupts isn't necessary here because the\nVIA shift register interrupt was masked during VIA1 initialization."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: macintosh/via-macii: Correcci\u00f3n \"ERROR: funci\u00f3n de suspensi\u00f3n llamada desde un contexto no v\u00e1lido\" El controlador ADB via-macii llama a request_irq() despu\u00e9s de deshabilitar las interrupciones bruscas. Pero aqu\u00ed no es necesario deshabilitar las interrupciones porque la interrupci\u00f3n del registro de desplazamiento de VIA se enmascar\u00f3 durante la inicializaci\u00f3n de VIA1."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/010d4cb19bb13f423e3e746b824f314a9bf3e9a9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1e9c3f2caec548cfa7a65416ec4e6006e542f18e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/280619bbdeac186fb320fab3d61122d2a085def8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2907d409ce5946390f513976f0454888d37d1058", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5900a88e897e6deb1bdce09ee34167a81c2da89d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/787fb79efc15b3b86442ecf079b8148f173376d7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d301a71c76ee4c384b4e03cdc320a55f5cf1df05", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d43a8c7ec0841e0ff91a968770aeca83f0fd4c56", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e4ff8bcfb2841fe4e17e5901578b632adb89036d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38608", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:20.737", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix netif state handling\n\nmlx5e_suspend cleans resources only if netif_device_present() returns\ntrue. However, mlx5e_resume changes the state of netif, via\nmlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.\nIn the below case, the above leads to NULL-ptr Oops[1] and memory\nleaks:\n\nmlx5e_probe\n _mlx5e_resume\n mlx5e_attach_netdev\n mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach()\n register_netdev <-- failed for some reason.\nERROR_FLOW:\n _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(\n\nHence, clean resources in this case as well.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at0xffffffffffffffd6.\nRSP: 0018:ffff888178aaf758 EFLAGS: 00010246\nCall Trace:\n \n ? __die+0x20/0x60\n ? page_fault_oops+0x14c/0x3c0\n ? exc_page_fault+0x75/0x140\n ? asm_exc_page_fault+0x22/0x30\n notifier_call_chain+0x35/0xb0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\n mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]\n mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]\n mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]\n __mlx5_ib_add+0x34/0xd0 [mlx5_ib]\n mlx5r_probe+0xe1/0x210 [mlx5_ib]\n ? auxiliary_match_id+0x6a/0x90\n auxiliary_bus_probe+0x38/0x80\n ? driver_sysfs_add+0x51/0x80\n really_probe+0xc9/0x3e0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n bus_probe_device+0x86/0xa0\n device_add+0x637/0x840\n __auxiliary_device_add+0x3b/0xa0\n add_adev+0xc9/0x140 [mlx5_core]\n mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]\n mlx5_register_device+0x53/0xa0 [mlx5_core]\n mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]\n mlx5_init_one+0x3b/0x60 [mlx5_core]\n probe_one+0x44c/0x730 [mlx5_core]\n local_pci_probe+0x3e/0x90\n pci_device_probe+0xbf/0x210\n ? kernfs_create_link+0x5d/0xa0\n ? sysfs_do_create_link_sd+0x60/0xc0\n really_probe+0xc9/0x3e0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n pci_bus_add_device+0x54/0x80\n pci_iov_add_virtfn+0x2e6/0x320\n sriov_enable+0x208/0x420\n mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]\n sriov_numvfs_store+0xae/0x1a0\n kernfs_fop_write_iter+0x10c/0x1a0\n vfs_write+0x291/0x3c0\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n CR2: 0000000000000000\n ---[ end trace 0000000000000000 ]---"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net/mlx5e: corrige el manejo del estado de netif. mlx5e_suspend limpia los recursos solo si netif_device_present() devuelve verdadero. Sin embargo, mlx5e_resume cambia el estado de netif, a trav\u00e9s de mlx5e_nic_enable, solo si reg_state == NETREG_REGISTERED. En el siguiente caso, lo anterior conduce a NULL-ptr Ups[1] y p\u00e9rdidas de memoria: mlx5e_probe _mlx5e_resume mlx5e_attach_netdev mlx5e_nic_enable <-- netdev no se registra, no llama a netif_device_attach() Register_netdev <-- fall\u00f3 por alg\u00fan motivo. ERROR_FLOW: _mlx5e_suspend <-- netif_device_present devuelve falso, los recursos no se liberan :( Por lo tanto, limpie los recursos en este caso tambi\u00e9n. [1] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 00000000000000000 PGD 0 P4D 0 Ups: 0010 [#1 ] SMP CPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1 Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuild .qemu.org 01/04/2014 RIP: 0010:0x0 C\u00f3digo: No se puede acceder a los bytes del c\u00f3digo de operaci\u00f3n at0xffffffffffffffd6 RSP: 0018:ffff888178aaf758 EFLAGS: 00010246 Seguimiento de llamadas: __die+0x20/0x60 +0x14c/0x3c0? exc_page_fault+0x75/0x140 ? _replay+0x3e/0x60 [mlx5_core] mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib] mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib] __mlx5_ib_add+0x34/0xd0 [mlx5_ib] mlx5r_probe+0xe1/0x210 [mlx5_ib] ? auxiliar_match_id+0x6a/0x90 sonda_bus_auxiliar+0x38/0x80 ? driver_sysfs_add+0x51/0x80 realmente_probe+0xc9/0x3e0? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x8 6/0xa0 dispositivo_add+0x637/0x840 __auxiliary_device_add+0x3b/0xa0 add_adev+0xc9/0x140 [mlx5_core] mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core] mlx5_register_device+0x53/0xa0 [mlx5_core] mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core] mlx5_init_one+0x3b/0x60 [mlx5_core] _uno+0x44c/0x730 [mlx5_core] local_pci_probe+0x3e/0x90 pci_device_probe+ 0xbf/0x210 ? kernfs_create_link+0x5d/0xa0? sysfs_do_create_link_sd+0x60/0xc0 realmente_probe+0xc9/0x3e0? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 pci_bus_add_device+ 0x54/0x80 pci_iov_add_virtfn+0x2e6/0x320 sriov_enable+0x208/0x420 mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core] sriov_numvfs_store+0xae/0x1a0 kernfs_fop_write_iter+0x10c/0x1a0 vfs_write+0x291/0x3c0 ksys_write+0x5f/0xe0 do_syscall_64+0x3d/0x90 Entry_SYSCALL_64_after_hwframe+0x4 6/0xb0 CR2: 0000000000000000 ---[ final de seguimiento 0000000000000000 ]---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3d5918477f94e4c2f064567875c475468e264644", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f7e6cfb864a53af71c5cc904f1cc22215d68f5c6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38609", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:20.813", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: connac: check for null before dereferencing\n\nThe wcid can be NULL. It should be checked for validity before\ndereferencing it to avoid crash."}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: wifi: mt76: connac: comprobar nulo antes de desreferenciar El wcid puede ser NULL. Se debe verificar su validez antes de eliminar la referencia para evitar fallas."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/cb47c7be0e93dd5acda078163799401ac3a78e10", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e469218765b2781fb968778bd13595acec181a0e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38610", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:20.893", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\n\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\n\nPatch #1 fixes a bunch of issues I spotted in the acrn driver. It\ncompiles, that's all I know. I'll appreciate some review and testing from\nacrn folks.\n\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation. Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\n\n\nThis patch (of 3):\n\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n\n(1) We're not checking PTE write permissions.\n\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\n\n(2) We're not rejecting refcounted pages.\n\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\n\n(3) We are only looking at the first PTE of a bigger range.\n\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drivers/virt/acrn: corrige las comprobaciones de PFNMAP PTE en acrn_vm_ram_map() Serie de parches \"mm: mejoras en follow_pte() y correcciones en acrn follow_pte()\". El parche n.\u00ba 1 soluciona varios problemas que detect\u00e9 en el controlador acrn. Se compila, eso es todo lo que s\u00e9. Apreciar\u00e9 algunas revisiones y pruebas por parte de la gente de acrn. El parche #2+#3 mejora follow_pte(), pasa un VMA en lugar del MM, agrega m\u00e1s controles de cordura y mejora la documentaci\u00f3n. Lo prob\u00e9 r\u00e1pidamente en x86-64 usando VM_PAT y termin\u00f3 usando follow_pte(). Este parche (de 3): Actualmente no manejamos varios casos, lo que resulta en un uso peligroso de follow_pte() (anteriormente follow_pfn()). (1) No estamos verificando los permisos de escritura de PTE. \u00bfQuiz\u00e1s simplemente deber\u00edamos requerir siempre pte_write() como lo hacemos para pin_user_pages_fast(FOLL_WRITE)? Es dif\u00edcil saberlo, as\u00ed que busquemos ACRN_MEM_ACCESS_WRITE por ahora. (2) No rechazamos p\u00e1ginas recontadas. Como no utilizamos notificadores MMU, jugar con p\u00e1ginas descontadas es peligroso y puede resultar en use-after-free. Asegur\u00e9monos de rechazarlos. (3) S\u00f3lo estamos ante el primer PTE de una gama mayor. Solo buscamos una PTE, pero memmap->len puede abarcar un \u00e1rea m\u00e1s grande. Recorramos todos los PTE involucrados y asegur\u00e9monos de que el rango de PFN sea realmente contiguo. Rechace todo lo dem\u00e1s: no podr\u00eda haber funcionado de ninguna manera, y m\u00e1s bien utiliz\u00f3 PFN de acceso a los que no deber\u00edamos acceder."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38611", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:20.980", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: et8ek8: Don't strip remove function when driver is builtin\n\nUsing __exit for the remove function results in the remove callback\nbeing discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets\nunbound (e.g. using sysfs or hotplug), the driver is just removed\nwithout the cleanup being performed. This results in resource leaks. Fix\nit by compiling in the remove callback unconditionally.\n\nThis also fixes a W=1 modpost warning:\n\n\tWARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: medios: i2c: et8ek8: No eliminar la funci\u00f3n de eliminaci\u00f3n cuando el controlador est\u00e1 integrado. El uso de __exit para la funci\u00f3n de eliminaci\u00f3n hace que la devoluci\u00f3n de llamada de eliminaci\u00f3n se descarte con CONFIG_VIDEO_ET8EK8=y. Cuando un dispositivo de este tipo se desvincula (por ejemplo, usando sysfs o hotplug), el controlador simplemente se elimina sin que se realice la limpieza. Esto da como resultado fugas de recursos. Solucionarlo compilando la devoluci\u00f3n de llamada de eliminaci\u00f3n incondicionalmente. Esto tambi\u00e9n corrige una advertencia de modpost W=1: ADVERTENCIA: modpost: drivers/media/i2c/et8ek8/et8ek8: secci\u00f3n no coincide en referencia: et8ek8_i2c_driver+0x10 (secci\u00f3n: .data) -> et8ek8_remove (secci\u00f3n: .exit.text)"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/43fff07e4b1956d0e5cf23717507e438278ea3d9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/545b215736c5c4b354e182d99c578a472ac9bfce", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/904db2ba44ae60641b6378c5013254d09acf5e80", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c1a3803e5bb91c13e9ad582003e4288f67f06cd9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38612", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:21.060", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix invalid unregister error path\n\nThe error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL\nis not defined. In that case if seg6_hmac_init() fails, the\ngenl_unregister_family() isn't called.\n\nThis issue exist since commit 46738b1317e1 (\"ipv6: sr: add option to control\nlwtunnel support\"), and commit 5559cea2d5aa (\"ipv6: sr: fix possible\nuse-after-free and null-ptr-deref\") replaced unregister_pernet_subsys()\nwith genl_unregister_family() in this error path."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ipv6: sr: corrige la ruta de error de cancelaci\u00f3n de registro no v\u00e1lida La ruta de error de seg6_init() es incorrecta en caso de que CONFIG_IPV6_SEG6_LWTUNNEL no est\u00e9 definido. En ese caso, si seg6_hmac_init() falla, no se llama a genl_unregister_family(). Este problema existe desde que el commit 46738b1317e1 (\"ipv6: sr: agregar opci\u00f3n para controlar la compatibilidad con lwtunnel\") y el commit 5559cea2d5aa (\"ipv6: sr: corregir posible use-after-free y null-ptr-deref\") reemplaz\u00f3 unregister_pernet_subsys() con genl_unregister_family() en esta ruta de error."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/00e6335329f23ac6cf3105931691674e28bc598c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/10610575a3ac2a702bf5c57aa931beaf847949c7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/160e9d2752181fcf18c662e74022d77d3164cd45", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1a63730fb315bb1bab97edd69ff58ad45e04bb01", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3398a40dccb88d3a7eef378247a023a78472db66", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/646cd236c55e2cb5f146fc41bbe4034c4af5b2a4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/85a70ff1e572160f1eeb096ed48d09a1c9d4d89a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c04d6a914e890ccea4a9d11233009a2ee7978bf4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e77a3ec7ada84543e75722a1283785a6544de925", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38613", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:21.147", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nm68k: Fix spinlock race in kernel thread creation\n\nContext switching does take care to retain the correct lock owner across\nthe switch from 'prev' to 'next' tasks. This does rely on interrupts\nremaining disabled for the entire duration of the switch.\n\nThis condition is guaranteed for normal process creation and context\nswitching between already running processes, because both 'prev' and\n'next' already have interrupts disabled in their saved copies of the\nstatus register.\n\nThe situation is different for newly created kernel threads. The status\nregister is set to PS_S in copy_thread(), which does leave the IPL at 0.\nUpon restoring the 'next' thread's status register in switch_to() aka\nresume(), interrupts then become enabled prematurely. resume() then\nreturns via ret_from_kernel_thread() and schedule_tail() where run queue\nlock is released (see finish_task_switch() and finish_lock_switch()).\n\nA timer interrupt calling scheduler_tick() before the lock is released\nin finish_task_switch() will find the lock already taken, with the\ncurrent task as lock owner. This causes a spinlock recursion warning as\nreported by Guenter Roeck.\n\nAs far as I can ascertain, this race has been opened in commit\n533e6903bea0 (\"m68k: split ret_from_fork(), simplify kernel_thread()\")\nbut I haven't done a detailed study of kernel history so it may well\npredate that commit.\n\nInterrupts cannot be disabled in the saved status register copy for\nkernel threads (init will complain about interrupts disabled when\nfinally starting user space). Disable interrupts temporarily when\nswitching the tasks' register sets in resume().\n\nNote that a simple oriw 0x700,%sr after restoring sr is not enough here\n- this leaves enough of a race for the 'spinlock recursion' warning to\nstill be observed.\n\nTested on ARAnyM and qemu (Quadra 800 emulation)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: m68k: corrige la ejecuci\u00f3n de bloqueo de giro en la creaci\u00f3n de subprocesos del kernel. El cambio de contexto se encarga de retener el propietario del bloqueo correcto durante el cambio de las tareas 'anteriores' a las 'siguientes'. Esto depende de que las interrupciones permanezcan deshabilitadas durante toda la duraci\u00f3n del cambio. Esta condici\u00f3n est\u00e1 garantizada para la creaci\u00f3n normal de procesos y el cambio de contexto entre procesos que ya se est\u00e1n ejecutando, porque tanto 'anterior' como 'siguiente' ya tienen las interrupciones deshabilitadas en sus copias guardadas del registro de estado. La situaci\u00f3n es diferente para los subprocesos del kernel reci\u00e9n creados. El registro de estado se establece en PS_S en copy_thread(), lo que deja la IPL en 0. Al restaurar el registro de estado del 'siguiente' subproceso en switch_to() tambi\u00e9n conocido como resume(), las interrupciones se habilitan prematuramente. resume() luego regresa a trav\u00e9s de ret_from_kernel_thread() y Schedule_tail() donde se libera el bloqueo de la cola de ejecuci\u00f3n (consulte Finish_task_switch() y Finish_lock_switch()). Una interrupci\u00f3n del temporizador que llama a Scheduler_tick() antes de que se libere el bloqueo en Finish_task_switch() encontrar\u00e1 el bloqueo ya tomado, con la tarea actual como propietario del bloqueo. Esto provoca una advertencia de recursividad de spinlock seg\u00fan lo informado por Guenter Roeck. Hasta donde puedo determinar, esta ejecuci\u00f3n se abri\u00f3 en el commit 533e6903bea0 (\"m68k: split ret_from_fork(), simplifica kernel_thread()\") pero no he realizado un estudio detallado de la historia del kernel, por lo que es posible que sea anterior a esa confirmaci\u00f3n. Las interrupciones no se pueden deshabilitar en la copia del registro de estado guardado para los subprocesos del kernel (init se quejar\u00e1 de las interrupciones deshabilitadas cuando finalmente inicie el espacio de usuario). Deshabilite las interrupciones temporalmente al cambiar los conjuntos de registros de tareas en resume(). Tenga en cuenta que un simple oriw 0x700,%sr despu\u00e9s de restaurar sr no es suficiente aqu\u00ed; esto deja suficiente ejecuci\u00f3n para que a\u00fan se observe la advertencia de 'recursi\u00f3n de spinlock'. Probado en ARAnyM y qemu (emulaci\u00f3n Quadra 800)."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0d9ae1253535f6e85a016e09c25ecbe6f7f59ef0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2a8d1d95302c7d52c6ac8fa5cb4a6948ae0d3a14", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4eeffecc8e3cce25bb559502c2fd94a948bcde82", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5213cc01d0464c011fdc09f318705603ed3a746b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/77b2b67a0f8bce260c53907e5749d61466d90c87", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/95f00caf767b5968c2c51083957b38be4748a78a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/da89ce46f02470ef08f0f580755d14d547da59ed", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f1d4274a84c069be0f6098ab10c3443fc1f7134c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f3baf0f4f92af32943ebf27b960e0552c6c082fd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38614", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:21.240", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenrisc: traps: Don't send signals to kernel mode threads\n\nOpenRISC exception handling sends signals to user processes on floating\npoint exceptions and trap instructions (for debugging) among others.\nThere is a bug where the trap handling logic may send signals to kernel\nthreads, we should not send these signals to kernel threads, if that\nhappens we treat it as an error.\n\nThis patch adds conditions to die if the kernel receives these\nexceptions in kernel mode code."}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: openrisc: trampas: no env\u00eda se\u00f1ales a subprocesos en modo kernel. El manejo de excepciones de OpenRISC env\u00eda se\u00f1ales a los procesos del usuario sobre excepciones de punto flotante e instrucciones de captura (para depuraci\u00f3n), entre otros. Hay un error en el que la l\u00f3gica de manejo de trampas puede enviar se\u00f1ales a los subprocesos del kernel. No debemos enviar estas se\u00f1ales a los subprocesos del kernel; si eso sucede, lo tratamos como un error. Este parche agrega condiciones para morir si el kernel recibe estas excepciones en el c\u00f3digo del modo kernel."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/075c0405b0d7d9fc490609e988a3af0069596538", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c0ed9a711e3392d73e857faa031d8d349c0d70db", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c88cfb5cea5f8f9868ef02cc9ce9183a26dcf20f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cea9d0015c140af39477dd5eeb9b20233a45daa9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38615", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:21.320", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: exit() callback is optional\n\nThe exit() callback is optional and shouldn't be called without checking\na valid pointer first.\n\nAlso, we must clear freq_table pointer even if the exit() callback isn't\npresent."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cpufreq: la devoluci\u00f3n de llamada exit() es opcional La devoluci\u00f3n de llamada exit() es opcional y no debe llamarse sin verificar primero un puntero v\u00e1lido. Adem\u00e1s, debemos borrar el puntero freq_table incluso si la devoluci\u00f3n de llamada exit() no est\u00e1 presente."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2d730b465e377396d2a09a53524b96b111f7ccb6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/35db5e76d5e9f752476df5fa0b9018a2398b0378", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3e99f060cfd2e36504d62c9132b453ade5027e1c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8bc9546805e572ad101681437a49939f28777273", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a8204d1b6ff762d2171d365c2c8560285d0a233d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ae37ebca325097d773d7bb6ec069123b30772872", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b8f85833c05730d631576008daaa34096bc7f3ce", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dfc56ff5ec9904c008e9376d90a6d7e2d2bec4d3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38616", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:21.403", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: carl9170: re-fix fortified-memset warning\n\nThe carl9170_tx_release() function sometimes triggers a fortified-memset\nwarning in my randconfig builds:\n\nIn file included from include/linux/string.h:254,\n from drivers/net/wireless/ath/carl9170/tx.c:40:\nIn function 'fortify_memset_chk',\n inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2,\n inlined from 'kref_put' at include/linux/kref.h:65:3,\n inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9:\ninclude/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]\n 493 | __write_overflow_field(p_size_field, size);\n\nKees previously tried to avoid this by using memset_after(), but it seems\nthis does not fully address the problem. I noticed that the memset_after()\nhere is done on a different part of the union (status) than the original\ncast was from (rate_driver_data), which may confuse the compiler.\n\nUnfortunately, the memset_after() trick does not work on driver_rates[]\nbecause that is part of an anonymous struct, and I could not get\nstruct_group() to do this either. Using two separate memset() calls\non the two members does address the warning though."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: carl9170: volver a corregir la advertencia de memset fortificado La funci\u00f3n carl9170_tx_release() a veces activa una advertencia de memset fortificado en mis compilaciones de randconfig: en el archivo incluido en include/linux/string. h:254, de drivers/net/wireless/ath/carl9170/tx.c:40: en la funci\u00f3n 'fortify_memset_chk', insertado desde 'carl9170_tx_release' en drivers/net/wireless/ath/carl9170/tx.c:283:2 , incluido desde 'kref_put' en include/linux/kref.h:65:3, incluido desde 'carl9170_tx_put_skb' en drivers/net/wireless/ath/carl9170/tx.c:342:9: include/linux/fortify-string .h:493:25: error: llamada a '__write_overflow_field' declarada con advertencia de atributo: escritura detectada m\u00e1s all\u00e1 del tama\u00f1o del campo (primer par\u00e1metro); \u00bfQuiz\u00e1s usar struct_group()? [-Werror=advertencia-atributo] 493 | __write_overflow_field(p_size_field, tama\u00f1o); Kees anteriormente intent\u00f3 evitar esto usando memset_after(), pero parece que esto no soluciona completamente el problema. Me di cuenta de que memset_after() aqu\u00ed se realiza en una parte diferente de la uni\u00f3n (estado) de la que proven\u00eda la conversi\u00f3n original (rate_driver_data), lo que puede confundir al compilador. Desafortunadamente, el truco memset_after() no funciona en driver_rates[] porque es parte de una estructura an\u00f3nima y tampoco pude lograr que struct_group() hiciera esto. Sin embargo, el uso de dos llamadas memset() separadas en los dos miembros soluciona la advertencia."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/042a39bb8e0812466327a5102606e88a5a4f8c02", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/066afafc10c9476ee36c47c9062527a17e763901", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0c38c9c460bb8ce8d6f6cf316e0d71a70983ec83", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/13857683126e8a6492af73c74d702835f7a2175b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/87586467098281f04fa93e59fe3a516b954bddc4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38617", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:21.490", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit/fortify: Fix mismatched kvalloc()/vfree() usage\n\nThe kv*() family of tests were accidentally freeing with vfree() instead\nof kvfree(). Use kvfree() instead."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: kunit/fortify: corrige el uso no coincidente de kvalloc()/vfree() La familia de pruebas kv*() se liberaba accidentalmente con vfree() en lugar de kvfree(). Utilice kvfree() en su lugar."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/03758d5a0932016b6d5f5bfbca580177e6bc937a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/42d21c9727028fe7ee392223ba127484b1b8677e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7880dbf4eafe22a6a41a42e774f1122c814ed02d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/998b18072ceb0613629c256b409f4d299829c7ec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38618", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T14:15:21.567", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: Set lower bound of start tick time\n\nCurrently ALSA timer doesn't have the lower limit of the start tick\ntime, and it allows a very small size, e.g. 1 tick with 1ns resolution\nfor hrtimer. Such a situation may lead to an unexpected RCU stall,\nwhere the callback repeatedly queuing the expire update, as reported\nby fuzzer.\n\nThis patch introduces a sanity check of the timer start tick time, so\nthat the system returns an error when a too small start size is set.\nAs of this patch, the lower limit is hard-coded to 100us, which is\nsmall enough but can still work somehow."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: temporizador: establece el l\u00edmite inferior del tiempo de inicio. Actualmente, el temporizador ALSA no tiene el l\u00edmite inferior del tiempo de inicio y permite un tama\u00f1o muy peque\u00f1o, por ejemplo, 1 tic. con resoluci\u00f3n de 1ns para hrtimer. Tal situaci\u00f3n puede provocar una parada inesperada de la RCU, donde la devoluci\u00f3n de llamada pone en cola repetidamente la actualizaci\u00f3n caducada, seg\u00fan lo informado por fuzzer. Este parche introduce una verificaci\u00f3n de cordura del tiempo de inicio del temporizador, de modo que el sistema devuelve un error cuando se establece un tama\u00f1o de inicio demasiado peque\u00f1o. A partir de este parche, el l\u00edmite inferior est\u00e1 codificado en 100us, que es bastante peque\u00f1o pero a\u00fan puede funcionar de alguna manera."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2c95241ac5fc90c929d6c0c023e84bf0d30e84c3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/68396c825c43664b20a3a1ba546844deb2b4e48f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/74bfb8d90f2601718ae203faf45a196844c01fa1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/83f0ba8592b9e258fd80ac6486510ab1dcd7ad6e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/abb1ad69d98cf1ff25bb14fff0e7c3f66239e1cd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bdd0aa055b8ec7e24bbc19513f3231958741d0ab", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ceab795a67dd28dd942d0d8bba648c6c0f7a044b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47573", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:51.767", "lastModified": "2024-06-20T09:15:10.660", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2021-47574", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:51.890", "lastModified": "2024-06-20T09:15:10.850", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2021-47575", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:52.010", "lastModified": "2024-06-20T09:15:10.953", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2021-47576", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:52.117", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()\n\nIn resp_mode_select() sanity check the block descriptor len to avoid UAF.\n\nBUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509\nRead of size 1 at addr ffff888026670f50 by task scsicmd/15032\n\nCPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nCall Trace:\n \n dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107\n print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257\n kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443\n __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306\n resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509\n schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483\n scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537\n scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521\n blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640\n __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325\n blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358\n __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762\n __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839\n blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891\n blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474\n blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63\n sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837\n sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775\n sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941\n sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166\n __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52\n do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50\n entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: scsi_debug: Verifique la longitud del descriptor del bloque en resp_mode_select() En resp_mode_select(), verifique la longitud del descriptor del bloque para evitar UAF. ERROR: KASAN: use-after-free en resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509 Lectura del tama\u00f1o 1 en la direcci\u00f3n ffff888026670f50 por tarea scsicmd/15032 CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0 -01d0625 #15 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), seguimiento de llamadas del BIOS: dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107 print_address_description.constprop.9+0x28/0x160 mm/kasan/ report.c:257 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306 resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c: 2509 Schedule_resp+0x4af/0x1a10 controladores/scsi/scsi_debug.c:5483 scsi_debug_queuecommand+0x8c9/0x1e70 controladores/scsi/scsi_debug.c:7537 scsi_queue_rq+0x16b4/0x2d10 controladores/scsi/scsi_lib.c:1521 blk_mq_dispatch_rq_list+0xb9b/0x2700 bloque/ blk-mq.c:1640 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/ 0x150 cuadra/blk-mq. c:1762 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 ched.c:474 blk_execute_rq_nowait+0x16b /0x1c0 block/blk-exec.c:63 sg_common_write.isra.18+0xeb3/0x2000 controladores/scsi/sg.c:837 sg_new_write.isra.19+0x570/0x8c0 controladores/scsi/sg.c:775 sg_ioctl_common+0x14d6 /0x2710 controladores/scsi/sg.c:941 sg_ioctl+0xa2/0x180 controladores/scsi/sg.c:1166 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52 do_syscall_64+0x3a/0x80 arch/x86/entry/common. c:50 entrada_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/04181973c38f3d6a353f9246dcf7fee08024fd9e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/90491283b4064220682e4b0687d07b05df01e3bf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a9078e791426c2cbbdf28a320c3670f6e0a611e6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/adcecd50da6cab7b4957cba0606771dcc846c5a9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b847ecff850719c46c95acd25a0d555dfd16e10d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dfc3fff63793c571147930b13c0f8c689c4281ac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e0a2c28da11e2c2b963fc01d50acbf03045ac732", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47577", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:52.223", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio-wq: check for wq exit after adding new worker task_work\n\nWe check IO_WQ_BIT_EXIT before attempting to create a new worker, and\nwq exit cancels pending work if we have any. But it's possible to have\na race between the two, where creation checks exit finding it not set,\nbut we're in the process of exiting. The exit side will cancel pending\ncreation task_work, but there's a gap where we add task_work after we've\ncanceled existing creations at exit time.\n\nFix this by checking the EXIT bit post adding the creation task_work.\nIf it's set, run the same cancelation that exit does."}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: io-wq: comprueba la salida de wq despu\u00e9s de agregar un nuevo trabajador task_work Comprobamos IO_WQ_BIT_EXIT antes de intentar crear un nuevo trabajador, y wq exit cancela el trabajo pendiente si tenemos alguno. Pero es posible tener una carrera entre los dos, donde las comprobaciones de creaci\u00f3n salen y descubren que no est\u00e1 configurado, pero estamos en el proceso de salir. El lado de salida cancelar\u00e1 la creaci\u00f3n pendiente task_work, pero hay un espacio en el que agregamos task_work despu\u00e9s de haber cancelado las creaciones existentes en el momento de la salida. Solucione este problema marcando la publicaci\u00f3n del bit EXIT agregando la tarea de creaci\u00f3n_trabajo. Si est\u00e1 configurado, ejecute la misma cancelaci\u00f3n que realiza la salida."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/4b4e5bbf9386d4ec21d91c0cb0fd60b9bba778ec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/71a85387546e50b1a37b0fa45dadcae3bfb35cf6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47578", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:52.320", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Don't call kcalloc() if size arg is zero\n\nIf the size arg to kcalloc() is zero, it returns ZERO_SIZE_PTR. Because of\nthat, for a following NULL pointer check to work on the returned pointer,\nkcalloc() must not be called with the size arg equal to zero. Return early\nwithout error before the kcalloc() call if size arg is zero.\n\nBUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline]\nBUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974\nWrite of size 4 at addr 0000000000000010 by task syz-executor.1/22789\n\nCPU: 1 PID: 22789 Comm: syz-executor.1 Not tainted 5.15.0-syzk #1\nHardware name: Red Hat KVM, BIOS 1.13.0-2\nCall Trace:\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\n __kasan_report mm/kasan/report.c:446 [inline]\n kasan_report.cold.14+0x112/0x117 mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189\n memcpy+0x3b/0x60 mm/kasan/shadow.c:66\n memcpy include/linux/fortify-string.h:191 [inline]\n sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974\n do_dout_fetch drivers/scsi/scsi_debug.c:2954 [inline]\n do_dout_fetch drivers/scsi/scsi_debug.c:2946 [inline]\n resp_verify+0x49e/0x930 drivers/scsi/scsi_debug.c:4276\n schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478\n scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533\n scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]\n scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699\n blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639\n __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325\n blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358\n __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761\n __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838\n blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891\n blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474\n blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62\n blk_execute_rq+0xdb/0x360 block/blk-exec.c:102\n sg_scsi_ioctl drivers/scsi/scsi_ioctl.c:621 [inline]\n scsi_ioctl+0x8bb/0x15c0 drivers/scsi/scsi_ioctl.c:930\n sg_ioctl_common+0x172d/0x2710 drivers/scsi/sg.c:1112\n sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl fs/ioctl.c:860 [inline]\n __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: scsi_debug: no llamar a kcalloc() si el tama\u00f1o arg es cero. Si el tama\u00f1o arg de kcalloc() es cero, devuelve ZERO_SIZE_PTR. Por eso, para que una siguiente verificaci\u00f3n de puntero NULL funcione en el puntero devuelto, no se debe llamar a kcalloc() con el tama\u00f1o arg igual a cero. Regrese temprano sin errores antes de la llamada a kcalloc() si el tama\u00f1o arg es cero. ERROR: KASAN: null-ptr-deref en memcpy include/linux/fortify-string.h:191 [en l\u00ednea] ERROR: KASAN: null-ptr-deref en sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974 Escritura de tama\u00f1o 4 en la direcci\u00f3n 0000000000000010 por tarea syz-executor.1/22789 CPU: 1 PID: 22789 Comm: syz-executor.1 No contaminado 5.15.0-syzk #1 Nombre del hardware: Red Hat KVM, BIOS 1.13.0-2 Seguimiento de llamadas : __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 __kasan_report mm/kasan/report.c:446 [en l\u00ednea] kasan_report.cold.14+0x112/0x117 mm/kasan/ report.c:459 check_region_inline mm/kasan/generic.c:183 [en l\u00ednea] kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189 memcpy+0x3b/0x60 mm/kasan/shadow.c:66 memcpy include/linux /fortify-string.h:191 [en l\u00ednea] sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974 controladores do_dout_fetch/scsi/scsi_debug.c:2954 [en l\u00ednea] controladores do_dout_fetch/scsi/scsi_debug.c:2946 [en l\u00ednea] resp_verify +0x49e/0x930 controladores/scsi/scsi_debug.c:4276 Schedule_resp+0x4d8/0x1a70 controladores/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 controladores/scsi/scsi_debug.c:7533 controladores scsi_dispatch_cmd/scsi /scsi_lib.c: 1520 [en l\u00ednea] scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 lk-mq-sched.c:325 blk_mq_sched_dispatch_requests+ 0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 cola+0x18d/0x350 bloque/negro -mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 blk_execute_rq+0xdb/0x360 block/blk-exec.c:102 sg_scsi_ioctl controladores/scsi/scsi_ioctl.c:621 [en l\u00ednea] scsi_ioctl+0x8bb/0x15c0 controladores/scsi/scsi_ioctl.c:930 sg_ioctl_common+0x172d/0x2710 controladores/scsi/sg.c:1112 sg_ioctl+0xa2/0 controladores x180/scsi/ SG.C: 1165 VFS_IOCTL FS/IOCTL.C: 51 [INLINE] __DO_SYS_IOCTL FS/IOCTL.C: 874 [INLINE] __SE_SYS_IOCTL FS/IOCTL.C: 860 [Inline] __X64_SY 60 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x44/0xae"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3344b58b53a76199dae48faa396e9fc37bf86992", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/47d11d35203b0aa13533634e270fe2c3610e531b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aa1f912712a109b6306746133de7e5343f016b26", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47579", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:52.427", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix warning in ovl_create_real()\n\nSyzbot triggered the following warning in ovl_workdir_create() ->\novl_create_real():\n\n\tif (!err && WARN_ON(!newdentry->d_inode)) {\n\nThe reason is that the cgroup2 filesystem returns from mkdir without\ninstantiating the new dentry.\n\nWeird filesystems such as this will be rejected by overlayfs at a later\nstage during setup, but to prevent such a warning, call ovl_mkdir_real()\ndirectly from ovl_workdir_create() and reject this case early."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ovl: corregir advertencia en ovl_create_real() Syzbot activ\u00f3 la siguiente advertencia en ovl_workdir_create() -> ovl_create_real(): if (!err && WARN_ON(!newdentry->d_inode)) { La raz\u00f3n es que el sistema de archivos cgroup2 regresa desde mkdir sin crear una instancia del nuevo dentry. Los sistemas de archivos extra\u00f1os como este ser\u00e1n rechazados por overlayfs en una etapa posterior durante la instalaci\u00f3n, pero para evitar dicha advertencia, llame a ovl_mkdir_real() directamente desde ovl_workdir_create() y rechace este caso anticipadamente."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1f5573cfe7a7056e80a92c7a037a3e69f3a13d1c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/445d2dc63e5871d218f21b8f62ab29ac72f2e6b8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6859985a2fbda5d1586bf44538853e1be69e85f7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d2ccdd4e4efab06178608a34d7bfb20a54104c02", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f9f300a92297be8250547347fd52216ef0177ae0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47580", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:52.537", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Fix type in min_t to avoid stack OOB\n\nChange min_t() to use type \"u32\" instead of type \"int\" to avoid stack out\nof bounds. With min_t() type \"int\" the values get sign extended and the\nlarger value gets used causing stack out of bounds.\n\nBUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]\nBUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976\nRead of size 127 at addr ffff888072607128 by task syz-executor.7/18707\n\nCPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1\nHardware name: Red Hat KVM, BIOS 1.13.0-2\nCall Trace:\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\n print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189\n memcpy+0x23/0x60 mm/kasan/shadow.c:65\n memcpy include/linux/fortify-string.h:191 [inline]\n sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976\n sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000\n fill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162\n fill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline]\n resp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887\n schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478\n scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533\n scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]\n scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699\n blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639\n __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325\n blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358\n __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761\n __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838\n blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891\n blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474\n blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62\n sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836\n sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774\n sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939\n sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl fs/ioctl.c:860 [inline]\n __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: scsi: scsi_debug: corrige el tipo min_t para evitar la pila OOB. Cambie min_t() para usar el tipo \"u32\" en lugar de \"int\" para evitar la pila fuera de los l\u00edmites. Con min_t() escriba \"int\", los valores se extienden y el valor mayor se usa provocando que la pila est\u00e9 fuera de los l\u00edmites. ERROR: KASAN: pila fuera de los l\u00edmites en memcpy include/linux/fortify-string.h:191 [en l\u00ednea] ERROR: KASAN: pila fuera de los l\u00edmites en sg_copy_buffer+0x1de/0x240 lib/scatterlist.c: 976 Lectura del tama\u00f1o 127 en la direcci\u00f3n ffff888072607128 mediante la tarea syz-executor.7/18707 CPU: 1 PID: 18707 Comm: syz-executor.7 No contaminado 5.15.0-syzk #1 Nombre del hardware: Red Hat KVM, BIOS 1.13.0 -2 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256 __kasan_report mm/kasan /report.c:442 [en l\u00ednea] kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [en l\u00ednea] kasan_check_range+0x1a3/0x210 mm/kasan/generic .c:189 memcpy+0x23/0x60 mm/kasan/shadow.c:65 memcpy include/linux/fortify-string.h:191 [en l\u00ednea] sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000 fill_from_dev_buffer.part.34+0x82/0x130 controladores/scsi/scsi_debug.c:1162 fill_from_dev_buffer controladores/scsi/scsi_debug.c:1888 [en l\u00ednea] resp_readcap16+0x365/0x3b0 controladores/scsi/scsi_debug.c :1887 Schedule_resp+0x4d8/0x1a70 controladores/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 controladores/scsi/scsi_debug.c:7533 controladores scsi_dispatch_cmd/scsi/scsi_lib.c:1520 [en l\u00ednea] Controladores 0x16b0/0x2d40/ scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x10 5/0x190 cuadra/blk-mq-programado. c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 blk_mq_run_hw_queue+0x18d/0x350 :1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836 sg_new_write.isra.19+0x570 /0x8c0 controladores/scsi/sg.c:774 sg_ioctl_common+0x14d6/0x2710 controladores/scsi/sg.c:939 sg_ioctl+0xa2/0x180 controladores/scsi/sg.c:1165 vfs_ioctl fs/ioctl.c:51 [en l\u00ednea] __do_sys_ioctl fs/ioctl.c:874 [en l\u00ednea] __se_sys_ioctl fs/ioctl.c:860 [en l\u00ednea] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] llamada al sistema_64 +0x3a/0x80 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x44/0xae"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3085147645938eb41f0bc0e25ef9791e71f5ee4b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/36e07d7ede88a1f1ef8f0f209af5b7612324ac2c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bdb854f134b964528fa543e0351022eb45bd7346", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47581", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:52.637", "lastModified": "2024-06-20T09:15:11.057", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2021-47582", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:52.743", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Make do_proc_control() and do_proc_bulk() killable\n\nThe USBDEVFS_CONTROL and USBDEVFS_BULK ioctls invoke\nusb_start_wait_urb(), which contains an uninterruptible wait with a\nuser-specified timeout value. If timeout value is very large and the\ndevice being accessed does not respond in a reasonable amount of time,\nthe kernel will complain about \"Task X blocked for more than N\nseconds\", as found in testing by syzbot:\n\nINFO: task syz-executor.0:8700 blocked for more than 143 seconds.\n Not tainted 5.14.0-rc7-syzkaller #0\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:syz-executor.0 state:D stack:23192 pid: 8700 ppid: 8455 flags:0x00004004\nCall Trace:\n context_switch kernel/sched/core.c:4681 [inline]\n __schedule+0xc07/0x11f0 kernel/sched/core.c:5938\n schedule+0x14b/0x210 kernel/sched/core.c:6017\n schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857\n do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85\n __wait_for_common kernel/sched/completion.c:106 [inline]\n wait_for_common kernel/sched/completion.c:117 [inline]\n wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157\n usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63\n do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236\n proc_bulk drivers/usb/core/devio.c:1273 [inline]\n usbdev_do_ioctl drivers/usb/core/devio.c:2547 [inline]\n usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713\n...\n\nTo fix this problem, this patch replaces usbfs's calls to\nusb_control_msg() and usb_bulk_msg() with special-purpose code that\ndoes essentially the same thing (as recommended in the comment for\nusb_start_wait_urb()), except that it always uses a killable wait and\nit uses GFP_KERNEL rather than GFP_NOIO."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: USB: core: Hacer que do_proc_control() y do_proc_bulk() se puedan eliminar. Los ioctls USBDEVFS_CONTROL y USBDEVFS_BULK invocan usb_start_wait_urb(), que contiene una espera ininterrumpida con un valor de tiempo de espera especificado por el usuario. Si el valor del tiempo de espera es muy grande y el dispositivo al que se accede no responde en un per\u00edodo de tiempo razonable, el kernel se quejar\u00e1 de \"Tarea X bloqueada durante m\u00e1s de N segundos\", como se encontr\u00f3 en las pruebas realizadas por syzbot: INFORMACI\u00d3N: tarea syz-executor .0:8700 bloqueado durante m\u00e1s de 143 segundos. Not tainted 5.14.0-rc7-syzkaller #0 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" desactiva este mensaje. tarea:syz-executor.0 estado:D pila:23192 pid: 8700 ppid: 8455 banderas:0x00004004 Seguimiento de llamadas: context_switch kernel/sched/core.c:4681 [en l\u00ednea] __schedule+0xc07/0x11f0 kernel/sched/core.c :5938 programaci\u00f3n+0x14b/0x210 kernel/sched/core.c:6017 Schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857 do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85 __wait_for_common kernel/sched/completion .c:106 [en l\u00ednea] wait_for_common kernel/sched/completion.c:117 [en l\u00ednea] wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157 usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63 do_proc_bulk+0x978/0x1080 controladores/usb/core/devio.c:1236 controladores proc_bulk/usb/core/devio.c:1273 [en l\u00ednea] usbdev_do_ioctl controladores/usb/core/devio.c:2547 [en l\u00ednea] usbdev_ioctl+0x3441/ 0x6b10 drivers/usb/core/devio.c:2713 ... Para solucionar este problema, este parche reemplaza las llamadas de usbfs a usb_control_msg() y usb_bulk_msg() con c\u00f3digo de prop\u00f3sito especial que hace esencialmente lo mismo (como se recomienda en el comentario para usb_start_wait_urb()), excepto que siempre usa una espera eliminable y usa GFP_KERNEL en lugar de GFP_NOIO."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/403716741c6c2c510dce44e88f085a740f535de6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ae8709b296d80c7f45aa1f35c0e7659ad69edce1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47583", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:52.843", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mxl111sf: change mutex_init() location\n\nSyzbot reported, that mxl111sf_ctrl_msg() uses uninitialized\nmutex. The problem was in wrong mutex_init() location.\n\nPrevious mutex_init(&state->msg_lock) call was in ->init() function, but\ndvb_usbv2_init() has this order of calls:\n\n\tdvb_usbv2_init()\n\t dvb_usbv2_adapter_init()\n\t dvb_usbv2_adapter_frontend_init()\n\t props->frontend_attach()\n\n\t props->init()\n\nSince mxl111sf_* devices call mxl111sf_ctrl_msg() in ->frontend_attach()\ninternally we need to initialize state->msg_lock before\nfrontend_attach(). To achieve it, ->probe() call added to all mxl111sf_*\ndevices, which will simply initiaize mutex."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: medio: mxl111sf: cambiar la ubicaci\u00f3n de mutex_init() Syzbot inform\u00f3 que mxl111sf_ctrl_msg() usa un mutex no inicializado. El problema estaba en la ubicaci\u00f3n mutex_init() incorrecta. La llamada anterior a mutex_init(&state->msg_lock) estaba en la funci\u00f3n ->init(), pero dvb_usbv2_init() tiene este orden de llamadas: dvb_usbv2_init() dvb_usbv2_adapter_init() dvb_usbv2_adapter_frontend_init() props->frontend_attach() props->init() Desde Los dispositivos mxl111sf_* llaman a mxl111sf_ctrl_msg() en ->frontend_attach() internamente, necesitamos inicializar state->msg_lock antes de frontend_attach(). Para lograrlo, se agrega la llamada ->probe() a todos los dispositivos mxl111sf_*, lo que simplemente iniciar\u00e1 el mutex."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/44870a9e7a3c24acbb3f888b2a7cc22c9bdf7e7f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4b2d9600b31f9ba7adbc9f3c54a068615d27b390", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8c6fdf62bfe1bc72bfceeaf832ef7499c7ed09ba", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/96f182c9f48b984447741f054ec301fdc8517035", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b99bdf127af91d53919e96292c05f737c45ea59a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47584", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:52.947", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niocost: Fix divide-by-zero on donation from low hweight cgroup\n\nThe donation calculation logic assumes that the donor has non-zero\nafter-donation hweight, so the lowest active hweight a donating cgroup can\nhave is 2 so that it can donate 1 while keeping the other 1 for itself.\nEarlier, we only donated from cgroups with sizable surpluses so this\ncondition was always true. However, with the precise donation algorithm\nimplemented, f1de2439ec43 (\"blk-iocost: revamp donation amount\ndetermination\") made the donation amount calculation exact enabling even low\nhweight cgroups to donate.\n\nThis means that in rare occasions, a cgroup with active hweight of 1 can\nenter donation calculation triggering the following warning and then a\ndivide-by-zero oops.\n\n WARNING: CPU: 4 PID: 0 at block/blk-iocost.c:1928 transfer_surpluses.cold+0x0/0x53 [884/94867]\n ...\n RIP: 0010:transfer_surpluses.cold+0x0/0x53\n Code: 92 ff 48 c7 c7 28 d1 ab b5 65 48 8b 34 25 00 ae 01 00 48 81 c6 90 06 00 00 e8 8b 3f fe ff 48 c7 c0 ea ff ff ff e9 95 ff 92 ff <0f> 0b 48 c7 c7 30 da ab b5 e8 71 3f fe ff 4c 89 e8 4d 85 ed 74 0\n4\n ...\n Call Trace:\n \n ioc_timer_fn+0x1043/0x1390\n call_timer_fn+0xa1/0x2c0\n __run_timers.part.0+0x1ec/0x2e0\n run_timer_softirq+0x35/0x70\n ...\n iocg: invalid donation weights in /a/b: active=1 donating=1 after=0\n\nFix it by excluding cgroups w/ active hweight < 2 from donating. Excluding\nthese extreme low hweight donations shouldn't affect work conservation in\nany meaningful way."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iocost: corrige la divisi\u00f3n por cero en la donaci\u00f3n de un grupo c de bajo peso. La l\u00f3gica de c\u00e1lculo de la donaci\u00f3n supone que el donante tiene un peso posterior a la donaci\u00f3n distinto de cero, por lo que el peso activo m\u00e1s bajo es una donaci\u00f3n. cgroup puede tener 2 para poder donar 1 y conservar el otro para s\u00ed mismo. Anteriormente, solo don\u00e1bamos de grupos comunitarios con excedentes considerables, por lo que esta condici\u00f3n siempre fue cierta. Sin embargo, con el algoritmo de donaci\u00f3n preciso implementado, f1de2439ec43 (\"blk-iocost: renovar la determinaci\u00f3n del monto de la donaci\u00f3n\") hizo que el c\u00e1lculo del monto de la donaci\u00f3n fuera exacto, permitiendo que incluso los grupos de bajo peso donaran. Esto significa que, en raras ocasiones, un grupo con un peso activo de 1 puede ingresar al c\u00e1lculo de la donaci\u00f3n, lo que genera la siguiente advertencia y luego una divisi\u00f3n por cero. ADVERTENCIA: CPU: 4 PID: 0 en block/blk-iocost.c:1928 transfer_surpluses.cold+0x0/0x53 [884/94867] ... RIP: 0010:transfer_surpluses.cold+0x0/0x53 C\u00f3digo: 92 y siguientes 48 c7 c7 28 d1 ab b5 65 48 8b 34 25 00 ae 01 00 48 81 c6 90 06 00 00 e8 8b 3f fe ff 48 c7 c0 ea ff ff ff e9 95 ff 92 ff <0f> 0b 48 c7 c7 30 da ab b5 e8 71 3f fe ff 4c 89 e8 4d 85 ed 74 0 4 ... Seguimiento de llamadas: ioc_timer_fn+0x1043/0x1390 call_timer_fn+0xa1/0x2c0 __run_timers.part.0+0x1ec/0x2e0 run_timer_softirq+0x35/0x70 ... iocg : pesos de donaci\u00f3n no v\u00e1lidos en /a/b: activo=1 donaci\u00f3n=1 despu\u00e9s=0 Corr\u00edjalo excluyendo cgroups con hweight activo < 2 de la donaci\u00f3n. Excluir estas donaciones de peso extremadamente bajo no deber\u00eda afectar la conservaci\u00f3n del trabajo de ninguna manera significativa."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3a1a4eb574178c21241a6200f4785572e661c472", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a7c80674538f15f85d68138240aae440b8039519", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/edaa26334c117a584add6053f48d63a988d25a6e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47585", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:53.057", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix memory leak in __add_inode_ref()\n\nLine 1169 (#3) allocates a memory chunk for victim_name by kmalloc(),\nbut when the function returns in line 1184 (#4) victim_name allocated\nby line 1169 (#3) is not freed, which will lead to a memory leak.\nThere is a similar snippet of code in this function as allocating a memory\nchunk for victim_name in line 1104 (#1) as well as releasing the memory\nin line 1116 (#2).\n\nWe should kfree() victim_name when the return value of backref_in_log()\nis less than zero and before the function returns in line 1184 (#4).\n\n1057 static inline int __add_inode_ref(struct btrfs_trans_handle *trans,\n1058 \t\t\t\t struct btrfs_root *root,\n1059 \t\t\t\t struct btrfs_path *path,\n1060 \t\t\t\t struct btrfs_root *log_root,\n1061 \t\t\t\t struct btrfs_inode *dir,\n1062 \t\t\t\t struct btrfs_inode *inode,\n1063 \t\t\t\t u64 inode_objectid, u64 parent_objectid,\n1064 \t\t\t\t u64 ref_index, char *name, int namelen,\n1065 \t\t\t\t int *search_done)\n1066 {\n\n1104 \tvictim_name = kmalloc(victim_name_len, GFP_NOFS);\n\t// #1: kmalloc (victim_name-1)\n1105 \tif (!victim_name)\n1106 \t\treturn -ENOMEM;\n\n1112\tret = backref_in_log(log_root, &search_key,\n1113\t\t\tparent_objectid, victim_name,\n1114\t\t\tvictim_name_len);\n1115\tif (ret < 0) {\n1116\t\tkfree(victim_name); // #2: kfree (victim_name-1)\n1117\t\treturn ret;\n1118\t} else if (!ret) {\n\n1169 \tvictim_name = kmalloc(victim_name_len, GFP_NOFS);\n\t// #3: kmalloc (victim_name-2)\n1170 \tif (!victim_name)\n1171 \t\treturn -ENOMEM;\n\n1180 \tret = backref_in_log(log_root, &search_key,\n1181 \t\t\tparent_objectid, victim_name,\n1182 \t\t\tvictim_name_len);\n1183 \tif (ret < 0) {\n1184 \t\treturn ret; // #4: missing kfree (victim_name-2)\n1185 \t} else if (!ret) {\n\n1241 \treturn 0;\n1242 }"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: btrfs: corrige la p\u00e9rdida de memoria en __add_inode_ref() La l\u00ednea 1169 (#3) asigna un fragmento de memoria para victim_name mediante kmalloc(), pero cuando la funci\u00f3n regresa en la l\u00ednea 1184 (#4) victim_name asignado por la l\u00ednea 1169 (#3) no se libera, lo que provocar\u00e1 una p\u00e9rdida de memoria. Hay un fragmento de c\u00f3digo similar en esta funci\u00f3n para asignar un fragmento de memoria para victim_name en la l\u00ednea 1104 (n.\u00ba 1), as\u00ed como para liberar la memoria en la l\u00ednea 1116 (n.\u00ba 2). Deber\u00edamos kfree() victim_name cuando el valor de retorno de backref_in_log() sea menor que cero y antes de que la funci\u00f3n regrese en la l\u00ednea 1184 (#4). 1057 static inline int __add_inode_ref(struct btrfs_trans_handle *trans, 1058 struct btrfs_root *root, 1059 struct btrfs_path *path, 1060 struct btrfs_root *log_root, 1061 struct btrfs_inode *dir, 1062 struct btrfs_inode *inode, 63 u64 inode_objectid, u64 parent_objectid, 1064 u64 ref_index, char *nombre, int nombrelen, 1065 int *search_done) 1066 { 1104 nombre_v\u00edctima = kmalloc(nombre_v\u00edctima_len, GFP_NOFS); // #1: kmalloc (nombre_v\u00edctima-1) 1105 if (!nombre_v\u00edctima) 1106 return -ENOMEM; 1112 ret = backref_in_log(log_root, &search_key, 1113 parent_objectid, victim_name, 1114 victim_name_len); 1115 if (ret < 0) { 1116 kfree(nombre_v\u00edctima); // #2: kfree (nombre_v\u00edctima-1) 1117 return ret; 1118 } else if (!ret) { 1169 nombre_v\u00edctima = kmalloc(nombre_v\u00edctima_len, GFP_NOFS); // #3: kmalloc (nombre_v\u00edctima-2) 1170 if (!nombre_v\u00edctima) 1171 return -ENOMEM; 1180 ret = backref_in_log(log_root, &search_key, 1181 parent_objectid, victim_name, 1182 victim_name_len); 1183 si (ret < 0) { 1184 retorno ret; // #4: falta kfree (nombre_v\u00edctima-2) 1185 } else if (!ret) { 1241 return 0; 1242 }"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/005d9292b5b2e71a009f911bd85d755009b37242", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/493ff661d434d6bdf02e3a21adae04d7a0b4265d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f35838a6930296fc1988764cfa54cb3f705c0665", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47586", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:53.160", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: dwmac-rk: fix oob read in rk_gmac_setup\n\nKASAN reports an out-of-bounds read in rk_gmac_setup on the line:\n\n\twhile (ops->regs[i]) {\n\nThis happens for most platforms since the regs flexible array member is\nempty, so the memory after the ops structure is being read here. It\nseems that mostly this happens to contain zero anyway, so we get lucky\nand everything still works.\n\nTo avoid adding redundant data to nearly all the ops structures, add a\nnew flag to indicate whether the regs field is valid and avoid this loop\nwhen it is not."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup KASAN informa una lectura fuera de los l\u00edmites en rk_gmac_setup en la l\u00ednea: while (ops->regs[i]) { Esto sucede en la mayor\u00eda de las plataformas, ya que el miembro de la matriz flexible regs est\u00e1 vac\u00edo, por lo que aqu\u00ed se lee la memoria despu\u00e9s de la estructura de operaciones. Parece que la mayor parte de esto contiene cero de todos modos, as\u00ed que tenemos suerte y todo sigue funcionando. Para evitar agregar datos redundantes a casi todas las estructuras de operaciones, agregue un nuevo indicador para indicar si el campo regs es v\u00e1lido y evite este bucle cuando no lo sea."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0546b224cc7717cc8a2db076b0bb069a9c430794", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0b4a5d1e15ce72f69be48f38dc0401dab890ae0f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47587", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:53.260", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: systemport: Add global locking for descriptor lifecycle\n\nThe descriptor list is a shared resource across all of the transmit queues, and\nthe locking mechanism used today only protects concurrency across a given\ntransmit queue between the transmit and reclaiming. This creates an opportunity\nfor the SYSTEMPORT hardware to work on corrupted descriptors if we have\nmultiple producers at once which is the case when using multiple transmit\nqueues.\n\nThis was particularly noticeable when using multiple flows/transmit queues and\nit showed up in interesting ways in that UDP packets would get a correct UDP\nheader checksum being calculated over an incorrect packet length. Similarly TCP\npackets would get an equally correct checksum computed by the hardware over an\nincorrect packet length.\n\nThe SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges\nwhen the driver produces a new descriptor anytime it writes to the\nWRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to\nre-organize its descriptors and it is possible that concurrent TX queues\neventually break this internal allocation scheme to the point where the\nlength/status part of the descriptor gets used for an incorrect data buffer.\n\nThe fix is to impose a global serialization for all TX queues in the short\nsection where we are writing to the WRITE_PORT_{HI,LO} registers which solves\nthe corruption even with multiple concurrent TX queues being used."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: systemport: agregue bloqueo global para el ciclo de vida del descriptor. La lista de descriptores es un recurso compartido entre todas las colas de transmisi\u00f3n y el mecanismo de bloqueo que se usa hoy solo protege la concurrencia en una cola de transmisi\u00f3n determinada. entre la transmisi\u00f3n y la recuperaci\u00f3n. Esto crea una oportunidad para que el hardware de SYSTEMPORT funcione con descriptores corruptos si tenemos varios productores a la vez, como es el caso cuando utilizamos varias colas de transmisi\u00f3n. Esto fue particularmente notable cuando se usaban m\u00faltiples flujos/colas de transmisi\u00f3n y se mostr\u00f3 de manera interesante en que los paquetes UDP obtendr\u00edan una suma de verificaci\u00f3n de encabezado UDP correcta al calcularse sobre una longitud de paquete incorrecta. De manera similar, los paquetes TCP obtendr\u00edan una suma de verificaci\u00f3n igualmente correcta calculada por el hardware en una longitud de paquete incorrecta. El hardware de SYSTEMPORT mantiene una lista de descriptores internos que reorganiza cuando el controlador produce un nuevo descriptor cada vez que escribe en los registros WRITE_PORT_{HI,LO}. Sin embargo, hay cierto retraso en el hardware para reorganizar sus descriptores y es Es posible que las colas de TX simult\u00e1neas eventualmente rompan este esquema de asignaci\u00f3n interna hasta el punto en que la parte de longitud/estado del descriptor se use para un b\u00fafer de datos incorrecto. La soluci\u00f3n es imponer una serializaci\u00f3n global para todas las colas de TX en la secci\u00f3n corta donde escribimos en los registros WRITE_PORT_{HI,LO}, lo que resuelve la corrupci\u00f3n incluso cuando se utilizan varias colas de TX simult\u00e1neas."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/595a684fa6f23b21958379a18cfa83862c73c2e1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6e1011cd183faae8daff275c72444edcdfe0d473", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8b8e6e782456f1ce02a7ae914bbd5b1053f0b034", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8ed2f5d08d6e59f8c78b2869bfb95d0be32c094c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c675256a7f131f5ba3f331efb715e8f31ea0e392", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/de57f62f76450b934de8203711bdc4f7953c3421", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eb4687c7442942e115420a30185f8d83faf37696", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f3fde37d3f0d429f0fcce214cb52588a9e21260e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47588", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:53.383", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsit: do not call ipip6_dev_free() from sit_init_net()\n\nipip6_dev_free is sit dev->priv_destructor, already called\nby register_netdevice() if something goes wrong.\n\nAlternative would be to make ipip6_dev_free() robust against\nmultiple invocations, but other drivers do not implement this\nstrategy.\n\nsyzbot reported:\n\ndst_release underflow\nWARNING: CPU: 0 PID: 5059 at net/core/dst.c:173 dst_release+0xd8/0xe0 net/core/dst.c:173\nModules linked in:\nCPU: 1 PID: 5059 Comm: syz-executor.4 Not tainted 5.16.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:dst_release+0xd8/0xe0 net/core/dst.c:173\nCode: 4c 89 f2 89 d9 31 c0 5b 41 5e 5d e9 da d5 44 f9 e8 1d 90 5f f9 c6 05 87 48 c6 05 01 48 c7 c7 80 44 99 8b 31 c0 e8 e8 67 29 f9 <0f> 0b eb 85 0f 1f 40 00 53 48 89 fb e8 f7 8f 5f f9 48 83 c3 a8 48\nRSP: 0018:ffffc9000aa5faa0 EFLAGS: 00010246\nRAX: d6894a925dd15a00 RBX: 00000000ffffffff RCX: 0000000000040000\nRDX: ffffc90005e19000 RSI: 000000000003ffff RDI: 0000000000040000\nRBP: 0000000000000000 R08: ffffffff816a1f42 R09: ffffed1017344f2c\nR10: ffffed1017344f2c R11: 0000000000000000 R12: 0000607f462b1358\nR13: 1ffffffff1bfd305 R14: ffffe8ffffcb1358 R15: dffffc0000000000\nFS: 00007f66c71a2700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f88aaed5058 CR3: 0000000023e0f000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n dst_cache_destroy+0x107/0x1e0 net/core/dst_cache.c:160\n ipip6_dev_free net/ipv6/sit.c:1414 [inline]\n sit_init_net+0x229/0x550 net/ipv6/sit.c:1936\n ops_init+0x313/0x430 net/core/net_namespace.c:140\n setup_net+0x35b/0x9d0 net/core/net_namespace.c:326\n copy_net_ns+0x359/0x5c0 net/core/net_namespace.c:470\n create_new_namespaces+0x4ce/0xa00 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0x11e/0x180 kernel/nsproxy.c:226\n ksys_unshare+0x57d/0xb50 kernel/fork.c:3075\n __do_sys_unshare kernel/fork.c:3146 [inline]\n __se_sys_unshare kernel/fork.c:3144 [inline]\n __x64_sys_unshare+0x34/0x40 kernel/fork.c:3144\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f66c882ce99\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f66c71a2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00007f66c893ff60 RCX: 00007f66c882ce99\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000048040200\nRBP: 00007f66c8886ff1 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fff6634832f R14: 00007f66c71a2300 R15: 0000000000022000\n "}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sit: no llame a ipip6_dev_free() desde sit_init_net() ipip6_dev_free es sit dev->priv_destructor, ya llamado por Register_netdevice() si algo sale mal. La alternativa ser\u00eda hacer que ipip6_dev_free() sea robusto contra m\u00faltiples invocaciones, pero otros controladores no implementan esta estrategia. syzbot inform\u00f3: dst_release underflow ADVERTENCIA: CPU: 0 PID: 5059 en net/core/dst.c:173 dst_release+0xd8/0xe0 net/core/dst.c:173 M\u00f3dulos vinculados en: CPU: 1 PID: 5059 Comm: syz -executor.4 Not tainted 5.16.0-rc5-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:dst_release+0xd8/0xe0 net/core/dst.c :173 C\u00f3digo: 4c 89 f2 89 d9 31 c0 5b 41 5e 5d e9 da d5 44 f9 e8 1d 90 5f f9 c6 05 87 48 c6 05 01 48 c7 c7 80 44 99 8b 31 c0 e8 e8 67 29 f9 <0f> 0b eb 85 0f 1f 40 00 53 48 89 fb e8 f7 8f 5f f9 48 83 c3 a8 48 RSP: 0018:ffffc9000aa5faa0 EFLAGS: 00010246 RAX: d6894a925dd15a00 RBX: RCX: 0000000000040000 RDX: ffffc90005e19000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: 0000000000000000 R08 : ffffffff816a1f42 R09: ffffed1017344f2c R10: ffffed1017344f2c R11: 0000000000000000 R12: 0000607f462b1358 R13: 1ffffffff1bfd305 R14: ffffe8ffffcb135 8 R15: dffffc0000000000 FS: 00007f66c71a2700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 50033 CR2: 00007f88aaed5058 CR3: 0000000023e0f000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 00000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas: dst_cache_destroy+0x107/0x1e0 net/core/dst_cache.c:160 ipip6_dev_free net/ ipv6/sit.c:1414 [en l\u00ednea] sit_init_net+0x229/0x550 net/ipv6/sit.c:1936 ops_init+0x313/0x430 net/core/net_namespace.c:140 setup_net+0x35b/0x9d0 net/core/net_namespace.c :326 copy_net_ns+0x359/0x5c0 net/core/net_namespace.c:470 create_new_namespaces+0x4ce/0xa00 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x11e/0x180 kernel/nsproxy.c:226 ksys_unshare+0x57d/0xb50 .c :3075 __do_sys_unshare kernel/fork.c:3146 [en l\u00ednea] __se_sys_unshare kernel/fork.c:3144 [en l\u00ednea] __x64_sys_unshare+0x34/0x40 kernel/fork.c:3144 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea ] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f66c882ce99 C\u00f3digo: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP:00 007f66c71a2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007f66c893ff60 RCX: 00007f66c882ce99 RDX: 0000000000000000 RSI: 0000000000 000000 RDI: 0000000048040200 RBP: 00007f66c8886ff1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 00000000000 00246 R12: 0000000000000000 R13: 00007fff6634832f R14: 00007f66c71a2300 R15: 0000000000022000 "}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/44a6c846bc3a7efe7d394bab8b2ae3b7f580e190", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4e1797914d8f223726ff6ae5ece4f97d73f21bab", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6f46c59e60b64620d5d386c8ee2eaa11ebe3b595", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ad0ed314d6167b212939e3839428ba0c8bb16adb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e28587cc491ef0f3c51258fdc87fbc386b1d4c59", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e56b65c1e74d7f706d74b51baba15187be2fb4b5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47589", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:53.490", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigbvf: fix double free in `igbvf_probe`\n\nIn `igbvf_probe`, if register_netdev() fails, the program will go to\nlabel err_hw_init, and then to label err_ioremap. In free_netdev() which\nis just below label err_ioremap, there is `list_for_each_entry_safe` and\n`netif_napi_del` which aims to delete all entries in `dev->napi_list`.\nThe program has added an entry `adapter->rx_ring->napi` which is added by\n`netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has\nbeen freed below label err_hw_init. So this a UAF.\n\nIn terms of how to patch the problem, we can refer to igbvf_remove() and\ndelete the entry before `adapter->rx_ring`.\n\nThe KASAN logs are as follows:\n\n[ 35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450\n[ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366\n[ 35.128360]\n[ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14\n[ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[ 35.131749] Call Trace:\n[ 35.132199] dump_stack_lvl+0x59/0x7b\n[ 35.132865] print_address_description+0x7c/0x3b0\n[ 35.133707] ? free_netdev+0x1fd/0x450\n[ 35.134378] __kasan_report+0x160/0x1c0\n[ 35.135063] ? free_netdev+0x1fd/0x450\n[ 35.135738] kasan_report+0x4b/0x70\n[ 35.136367] free_netdev+0x1fd/0x450\n[ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf]\n[ 35.137808] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf]\n[ 35.138751] local_pci_probe+0x13c/0x1f0\n[ 35.139461] pci_device_probe+0x37e/0x6c0\n[ 35.165526]\n[ 35.165806] Allocated by task 366:\n[ 35.166414] ____kasan_kmalloc+0xc4/0xf0\n[ 35.167117] foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf]\n[ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf]\n[ 35.168866] local_pci_probe+0x13c/0x1f0\n[ 35.169565] pci_device_probe+0x37e/0x6c0\n[ 35.179713]\n[ 35.179993] Freed by task 366:\n[ 35.180539] kasan_set_track+0x4c/0x80\n[ 35.181211] kasan_set_free_info+0x1f/0x40\n[ 35.181942] ____kasan_slab_free+0x103/0x140\n[ 35.182703] kfree+0xe3/0x250\n[ 35.183239] igbvf_probe+0x1173/0x1a10 [igbvf]\n[ 35.184040] local_pci_probe+0x13c/0x1f0"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: igbvf: corrige double free en `igbvf_probe` En `igbvf_probe`, si Register_netdev() falla, el programa ir\u00e1 a la etiqueta err_hw_init y luego a la etiqueta err_ioremap. En free_netdev(), que est\u00e1 justo debajo de la etiqueta err_ioremap, est\u00e1n `list_for_each_entry_safe` y `netif_napi_del` que tienen como objetivo eliminar todas las entradas en `dev->napi_list`. El programa ha agregado una entrada `adapter->rx_ring->napi` que se agrega mediante `netif_napi_add` en igbvf_alloc_queues(). Sin embargo, adaptador->rx_ring se ha liberado debajo de la etiqueta err_hw_init. Entonces esto es una UAF. En t\u00e9rminos de c\u00f3mo solucionar el problema, podemos consultar igbvf_remove() y eliminar la entrada antes de `adapter->rx_ring`. Los registros de KASAN son los siguientes: [35.126075] ERROR: KASAN: use-after-free en free_netdev+0x1fd/0x450 [35.127170] Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff88810126d990 mediante la tarea modprobe/366 [35.128360] [35.128643] CPU: 1 PID : 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14 [ 35.129789] Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01 /2014 [35.131749] Seguimiento de llamadas: [35.132199] dump_stack_lvl+0x59/0x7b [35.132865] print_address_description+0x7c/0x3b0 [35.133707] ? free_netdev+0x1fd/0x450 [ 35.134378] __kasan_report+0x160/0x1c0 [ 35.135063] ? free_netdev+0x1fd/0x450 [ 35.135738] kasan_report+0x4b/0x70 [ 35.136367] free_netdev+0x1fd/0x450 [ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf] [ 35.137808 ] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf] [ 35.138751] local_pci_probe+0x13c/0x1f0 [ 35.139461] pci_device_probe+0x37e/0x6c0 [ 35.165526] [ 35.165806] por tarea 366: [35.166414] ____kasan_kmalloc+0xc4/0xf0 [35.167117] foo_kmem_cache_alloc_trace+0x3c/ 0x50 [igbvf] [ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf] [ 35.168866] local_pci_probe+0x13c/0x1f0 [ 35.169565] pci_device_probe+0x37e/0x6c0 [ 35.179713 ] [35.179993] Liberado por la tarea 366: [35.180539] kasan_set_track+0x4c/0x80 [ 35.181211] kasan_set_free_info+0x1f/0x40 [ 35.181942] ____kasan_slab_free+0x103/0x140 [ 35.182703] kfree+0xe3/0x250 [ 35.183239] igbvf_probe+0x1173/0x1a10 vf] [35.184040] local_pci_probe+0x13c/0x1f0"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/74a16e062b23332d8db017ff4a41e16279c44411", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/79d9b092035dcdbe636b70433149df9cc6db1e49", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8addba6cab94ce01686ea2e80ed1530f9dc33a9a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8d0c927a9fb2b4065230936b77b54f857a3754fc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/944b8be08131f5faf2cd2440aa1c24a39a163a54", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b6d335a60dc624c0d279333b22c737faa765b028", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cc9b655bb84f1be283293dfea94dff9a31b106ac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ffe1695b678729edec04037e691007900a2b2beb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47590", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:53.610", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix deadlock in __mptcp_push_pending()\n\n__mptcp_push_pending() may call mptcp_flush_join_list() with subflow\nsocket lock held. If such call hits mptcp_sockopt_sync_all() then\nsubsequently __mptcp_sockopt_sync() could try to lock the subflow\nsocket for itself, causing a deadlock.\n\nsysrq: Show Blocked State\ntask:ss-server state:D stack: 0 pid: 938 ppid: 1 flags:0x00000000\nCall Trace:\n \n __schedule+0x2d6/0x10c0\n ? __mod_memcg_state+0x4d/0x70\n ? csum_partial+0xd/0x20\n ? _raw_spin_lock_irqsave+0x26/0x50\n schedule+0x4e/0xc0\n __lock_sock+0x69/0x90\n ? do_wait_intr_irq+0xa0/0xa0\n __lock_sock_fast+0x35/0x50\n mptcp_sockopt_sync_all+0x38/0xc0\n __mptcp_push_pending+0x105/0x200\n mptcp_sendmsg+0x466/0x490\n sock_sendmsg+0x57/0x60\n __sys_sendto+0xf0/0x160\n ? do_wait_intr_irq+0xa0/0xa0\n ? fpregs_restore_userregs+0x12/0xd0\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f9ba546c2d0\nRSP: 002b:00007ffdc3b762d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f9ba56c8060 RCX: 00007f9ba546c2d0\nRDX: 000000000000077a RSI: 0000000000e5e180 RDI: 0000000000000234\nRBP: 0000000000cc57f0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ba56c8060\nR13: 0000000000b6ba60 R14: 0000000000cc7840 R15: 41d8685b1d7901b8\n \n\nFix the issue by using __mptcp_flush_join_list() instead of plain\nmptcp_flush_join_list() inside __mptcp_push_pending(), as suggested by\nFlorian. The sockopt sync will be deferred to the workqueue."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mptcp: corrige el punto muerto en __mptcp_push_pending() __mptcp_push_pending() puede llamar a mptcp_flush_join_list() con el bloqueo del socket de subflujo retenido. Si dicha llamada llega a mptcp_sockopt_sync_all(), posteriormente __mptcp_sockopt_sync() podr\u00eda intentar bloquear el socket de subflujo por s\u00ed mismo, provocando un punto muerto. sysrq: Mostrar estado bloqueado tarea: estado del servidor ss: D pila: 0 pid: 938 ppid: 1 banderas: 0x00000000 Seguimiento de llamadas: __schedule+0x2d6/0x10c0? __mod_memcg_state+0x4d/0x70 ? csum_partial+0xd/0x20? _raw_spin_lock_irqsave+0x26/0x50 horario+0x4e/0xc0 __lock_sock+0x69/0x90 ? do_wait_intr_irq+0xa0/0xa0 __lock_sock_fast+0x35/0x50 mptcp_sockopt_sync_all+0x38/0xc0 __mptcp_push_pending+0x105/0x200 mptcp_sendmsg+0x466/0x490 sock_sendmsg+0x57/0x60 __sys_sendto+0xf0/0x160? do_wait_intr_irq+0xa0/0xa0? fpregs_restore_userregs+0x12/0xd0 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x38/0x90 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f9ba546c2d0 RSP: dc3b762d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f9ba56c8060 RCX: 00007f9ba546c2d0 RDX: 000000000000077a RSI: 0000000000e5e180 RDI: 0000000000000234 RBP: 0000000000cc57f0 R08: 0000000000000000 R09: 00000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ba56c8060 R13: 0000000000b6ba60 R14: 0000000000cc7840 R15: 41d8685b1d7901b8 Solucione el problema usando __mptcp_flush_join_list() en su lugar de mptcp_flush_join_list() simple dentro __mptcp_push_pending(), como sugiere Florian. La sincronizaci\u00f3n de sockopt se aplazar\u00e1 a la cola de trabajo."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/23311b92755ffa9087332d1bb8c71c0f6a10cc08", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3d79e3756ca90f7a6087b77b62c1d9c0801e0820", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47591", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:53.700", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: remove tcp ulp setsockopt support\n\nTCP_ULP setsockopt cannot be used for mptcp because its already\nused internally to plumb subflow (tcp) sockets to the mptcp layer.\n\nsyzbot managed to trigger a crash for mptcp connections that are\nin fallback mode:\n\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\nCPU: 1 PID: 1083 Comm: syz-executor.3 Not tainted 5.16.0-rc2-syzkaller #0\nRIP: 0010:tls_build_proto net/tls/tls_main.c:776 [inline]\n[..]\n __tcp_set_ulp net/ipv4/tcp_ulp.c:139 [inline]\n tcp_set_ulp+0x428/0x4c0 net/ipv4/tcp_ulp.c:160\n do_tcp_setsockopt+0x455/0x37c0 net/ipv4/tcp.c:3391\n mptcp_setsockopt+0x1b47/0x2400 net/mptcp/sockopt.c:638\n\nRemove support for TCP_ULP setsockopt."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mptcp: elimina el soporte de tcp ulp setsockopt TCP_ULP setsockopt no se puede usar para mptcp porque ya se usa internamente para conectar sockets de subflujo (tcp) a la capa mptcp. syzbot logr\u00f3 desencadenar un bloqueo para las conexiones mptcp que est\u00e1n en modo alternativo: KASAN: null-ptr-deref en el rango [0x0000000000000020-0x0000000000000027] CPU: 1 PID: 1083 Comm: syz-executor.3 Not tainted 5.16.0-rc2- syzkaller #0 RIP: 0010:tls_build_proto net/tls/tls_main.c:776 [en l\u00ednea] [..] __tcp_set_ulp net/ipv4/tcp_ulp.c:139 [en l\u00ednea] tcp_set_ulp+0x428/0x4c0 net/ipv4/tcp_ulp.c: 160 do_tcp_setsockopt+0x455/0x37c0 net/ipv4/tcp.c:3391 mptcp_setsockopt+0x1b47/0x2400 net/mptcp/sockopt.c:638 Elimina la compatibilidad con TCP_ULP setsockopt."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3de0c86d42f841d1d64f316cd949e65c566f0734", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/404cd9a22150f24acf23a8df2ad0c094ba379f57", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47592", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:53.793", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix tc flower deletion for VLAN priority Rx steering\n\nTo replicate the issue:-\n\n1) Add 1 flower filter for VLAN Priority based frame steering:-\n$ IFDEVNAME=eth0\n$ tc qdisc add dev $IFDEVNAME ingress\n$ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \\\n map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \\\n queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \\\n flower vlan_prio 0 hw_tc 0\n\n2) Get the 'pref' id\n$ tc filter show dev $IFDEVNAME ingress\n\n3) Delete a specific tc flower record (say pref 49151)\n$ tc filter del dev $IFDEVNAME parent ffff: pref 49151\n\nFrom dmesg, we will observe kernel NULL pointer ooops\n\n[ 197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 197.171367] #PF: supervisor read access in kernel mode\n[ 197.171367] #PF: error_code(0x0000) - not-present page\n[ 197.171367] PGD 0 P4D 0\n[ 197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI\n\n\n\n[ 197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]\n\n\n\n[ 197.171367] Call Trace:\n[ 197.171367] \n[ 197.171367] ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac]\n[ 197.171367] stmmac_setup_tc_block_cb+0x70/0x110 [stmmac]\n[ 197.171367] tc_setup_cb_destroy+0xb3/0x180\n[ 197.171367] fl_hw_destroy_filter+0x94/0xc0 [cls_flower]\n\nThe above issue is due to previous incorrect implementation of\ntc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule()\nto get struct flow_rule *rule which is no longer valid for tc filter\ndelete operation.\n\n struct flow_rule *rule = flow_cls_offload_flow_rule(cls);\n struct flow_dissector *dissector = rule->match.dissector;\n\nSo, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for\nearlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(),\nthis patch introduces stmmac_rfs_entry as driver-side flow_cls_offload\nrecord for 'RX frame steering' tc flower, currently used for VLAN\npriority. The implementation has taken consideration for future extension\nto include other type RX frame steering such as EtherType based.\n\nv2:\n - Clean up overly extensive backtrace and rewrite git message to better\n explain the kernel NULL pointer issue."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: stmmac: corrija la eliminaci\u00f3n de flores tc para la direcci\u00f3n Rx con prioridad de VLAN Para replicar el problema: - 1) Agregue 1 filtro de flores para la direcci\u00f3n de cuadros basada en prioridad de VLAN: - $ IFDEVNAME=eth0 $ tc qdisc agregar dev $IFDEVNAME ingreso $ tc qdisc agregar dev $IFDEVNAME ra\u00edz mqprio num_tc 8 \\ map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 0 \\ colas 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 $ tc filter add dev $IFDEVNAME parent ffff: protocolo 802.1Q \\ flower vlan_prio 0 hw_tc 0 2) Obtener el id 'pref' $ tc filter show dev $IFDEVNAME ingress 3 ) Eliminar un registro de flor tc espec\u00edfico (digamos pref 49151) $ tc filter del dev $IFDEVNAME parent ffff: pref 49151 Desde dmesg, observaremos el puntero NULL del kernel ooops [ 197.170464] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 00000000000000000 [ 197.171367] #PF: acceso de lectura de supervisor en modo kernel [ 197.171367] #PF: error_code(0x0000) - p\u00e1gina no presente [ 197.171367] PGD 0 P4D 0 [ 197.171367] Ups: 0000 [#1] PREEMPT SMP NOPTI [ 197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac] [ 197.171367] Seguimiento de llamadas: [ 197.171367] [ 197.171367] ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac] [ 197.171367] stmmac_setup_tc_block_cb+0x70/0x110 [stmmac] [ 197.171367] tc_setup_cb_destroy+0xb3/0x180 [ 197.171367] destroy_filter+0x94/0xc0 [cls_flower] El problema anterior se debe a una implementaci\u00f3n anterior incorrecta de tc_del_vlan_flow( ), que se muestra a continuaci\u00f3n, que usa flow_cls_offload_flow_rule() para obtener la estructura flow_rule *rule que ya no es v\u00e1lida para la operaci\u00f3n de eliminaci\u00f3n del filtro tc. estructura flow_rule *regla = flow_cls_offload_flow_rule(cls); estructura flow_dissector *dissector = regla->match.dissector; Por lo tanto, para garantizar que tc_del_vlan_flow() elimine el registro VLAN cls correcto para la cola RX configurada anteriormente (configurada por hw_tc) en tc_add_vlan_flow(), este parche introduce stmmac_rfs_entry como registro flow_cls_offload del lado del controlador para la flor tc 'Direcci\u00f3n de trama RX', actualmente utilizada para Prioridad de VLAN. La implementaci\u00f3n ha tenido en cuenta una futura ampliaci\u00f3n para incluir otro tipo de direcci\u00f3n de bastidor RX, como la basada en EtherType. v2: - Limpiar el rastreo demasiado extenso y reescribir el mensaje de git para explicar mejor el problema del puntero NULL del kernel."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/97cb5c82aa1dd85a39b1bd021c8b5f18af623779", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aeb7c75cb77478fdbf821628e9c95c4baa9adc63", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47593", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:53.890", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: clear 'kern' flag from fallback sockets\n\nThe mptcp ULP extension relies on sk->sk_sock_kern being set correctly:\nIt prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, \"mptcp\", 6); from\nworking for plain tcp sockets (any userspace-exposed socket).\n\nBut in case of fallback, accept() can return a plain tcp sk.\nIn such case, sk is still tagged as 'kernel' and setsockopt will work.\n\nThis will crash the kernel, The subflow extension has a NULL ctx->conn\nmptcp socket:\n\nBUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0\nCall Trace:\n tcp_data_ready+0xf8/0x370\n [..]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp: borrar el indicador 'kern' de los sockets de reserva La extensi\u00f3n mptcp ULP depende de que sk->sk_sock_kern est\u00e9 configurado correctamente: impide que setsockopt(fd, IPPROTO_TCP, TCP_ULP, \"mptcp\", 6); de funcionar para sockets tcp simples (cualquier socket expuesto al espacio de usuario). Pero en caso de respaldo, aceptar() puede devolver un sk tcp simple. En tal caso, sk todav\u00eda est\u00e1 etiquetado como 'kernel' y setsockopt funcionar\u00e1. Esto bloquear\u00e1 el kernel. La extensi\u00f3n de subflujo tiene un socket NULL ctx->conn mptcp: ERROR: KASAN: null-ptr-deref en subflow_data_ready+0x181/0x2b0 Seguimiento de llamadas: tcp_data_ready+0xf8/0x370 [..]"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/451f1eded7f56e93aaf52eb547ba97742d9c0e97", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c26ac0ea3a91c210cf90452e625dc441adf3e549", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d6692b3b97bdc165d150f4c1505751a323a80717", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47594", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:53.983", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: never allow the PM to close a listener subflow\n\nCurrently, when deleting an endpoint the netlink PM treverses\nall the local MPTCP sockets, regardless of their status.\n\nIf an MPTCP listener socket is bound to the IP matching the\ndelete endpoint, the listener TCP socket will be closed.\nThat is unexpected, the PM should only affect data subflows.\n\nAdditionally, syzbot was able to trigger a NULL ptr dereference\ndue to the above:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\nCPU: 1 PID: 6550 Comm: syz-executor122 Not tainted 5.16.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:__lock_acquire+0xd7d/0x54a0 kernel/locking/lockdep.c:4897\nCode: 0f 0e 41 be 01 00 00 00 0f 86 c8 00 00 00 89 05 69 cc 0f 0e e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 f3 2f 00 00 48 81 3b 20 75 17 8f 0f 84 52 f3 ff\nRSP: 0018:ffffc90001f2f818 EFLAGS: 00010016\nRAX: dffffc0000000000 RBX: 0000000000000018 RCX: 0000000000000000\nRDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001\nR10: 0000000000000000 R11: 000000000000000a R12: 0000000000000000\nR13: ffff88801b98d700 R14: 0000000000000000 R15: 0000000000000001\nFS: 00007f177cd3d700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f177cd1b268 CR3: 000000001dd55000 CR4: 0000000000350ee0\nCall Trace:\n \n lock_acquire kernel/locking/lockdep.c:5637 [inline]\n lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5602\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162\n finish_wait+0xc0/0x270 kernel/sched/wait.c:400\n inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline]\n inet_csk_accept+0x7de/0x9d0 net/ipv4/inet_connection_sock.c:497\n mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2865\n inet_accept+0xe4/0x7b0 net/ipv4/af_inet.c:739\n mptcp_stream_accept+0x2e7/0x10e0 net/mptcp/protocol.c:3345\n do_accept+0x382/0x510 net/socket.c:1773\n __sys_accept4_file+0x7e/0xe0 net/socket.c:1816\n __sys_accept4+0xb0/0x100 net/socket.c:1846\n __do_sys_accept net/socket.c:1864 [inline]\n __se_sys_accept net/socket.c:1861 [inline]\n __x64_sys_accept+0x71/0xb0 net/socket.c:1861\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f177cd8b8e9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f177cd3d308 EFLAGS: 00000246 ORIG_RAX: 000000000000002b\nRAX: ffffffffffffffda RBX: 00007f177ce13408 RCX: 00007f177cd8b8e9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007f177ce13400 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f177ce1340c\nR13: 00007f177cde1004 R14: 6d705f706374706d R15: 0000000000022000\n \n\nFix the issue explicitly skipping MPTCP socket in TCP_LISTEN\nstatus."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp: nunca permitir que el PM cierre un subflujo de escucha Actualmente, al eliminar un endpoint, el PM de netlink atraviesa todos los sockets MPTCP locales, independientemente de su estado. Si un socket de escucha MPTCP est\u00e1 vinculado a la IP que coincide con el endpoint de eliminaci\u00f3n, el socket TCP de escucha se cerrar\u00e1. Esto es inesperado, el PM solo deber\u00eda afectar los subflujos de datos. Adem\u00e1s, syzbot pudo activar una desreferencia de ptr NULL debido a lo anterior: falla de protecci\u00f3n general, probablemente para la direcci\u00f3n no can\u00f3nica 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref en el rango [0x0000000000000018-0x0000000000000001f] CPU: 1 PID: 6550 Comm: syz-executor122 No contaminado 5.16.0-rc4-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__lock_acquire+0xd7d/0x54a0 kernel/locking/lockdep.c:4897 C\u00f3digo: 0f 0e 41 be 01 00 00 00 0f 86 c8 00 00 00 89 05 69 cc 0f 0e e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 f3 2f 00 00 48 81 3b 20 75 17 8f 0f 84 52 f3 ff RSP: 0018:ffffc90001f2f818 EFLAGS: 00010016 RAX: 00 RBX: 0000000000000018 RCX: 0000000000000000 RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 000000000000000 a R12: 0000000000000000 R13: ffff88801b98d700 R14: 0000000000000000 R15: 0000000000000001 FS: 00007f177cd3d700(0000) GS:ffff8880b9d00000 (0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f177cd1b268 CR3: 000000001dd55000 CR4: 0000000000350ee0 Seguimiento de llamadas: lock_acquire kernel/locking/lockdep.c:5637 [en l\u00ednea] +0x1ab/0x510 kernel/locking/lockdep.c:5602 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [en l\u00ednea] _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162 Finish_wait+0xc0/0x270 kernel/sched/wait.c:400 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [en l\u00ednea] inet_csk_accept+0x7de/0x9d0 net/ipv4/inet_connection_sock.c:497 mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2865 inet_accept+0xe4/0x7b0 net/ipv4/af_inet.c:739 e7/0x10e0 net/mptcp/protocol.c:3345 do_accept+0x382/0x510 net/socket.c:1773 __sys_accept4_file+0x7e/0xe0 net/socket.c:1816 __sys_accept4+0xb0/0x100 net/socket.c:1846 __do_sys_accept net/socket. c:1864 [en l\u00ednea] __se_sys_accept net/socket.c:1861 [en l\u00ednea] __x64_sys_accept+0x71/0xb0 net/socket.c:1861 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64+0x35/0xb0 arch /x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f177cd8b8e9 C\u00f3digo: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f177cd3d308 EFLAGS: 00000246 ORIG_RAX: 000000000000002b RAX : ffffffffffffffda RBX: 00007f177ce13408 RCX: 00007f177cd8b8e9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f177 ce13400 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f177ce1340c R13: cde1004 R14: 6d705f706374706d R15: 0000000000022000 Arreglar el problema al omitir expl\u00edcitamente el socket MPTCP en el estado TCP_LISTEN."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1456a0004cc54c58adb2501cb0c95dc8b3c83e9e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b0cdc5dbcf2ba0d99785da5aabf1b17943805b8a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47595", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:54.097", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_ets: don't remove idle classes from the round-robin list\n\nShuang reported that the following script:\n\n 1) tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7\n 2) mausezahn ddd0 -A 10.10.10.1 -B 10.10.10.2 -c 0 -a own -b 00:c1:a0:c1:a0:00 -t udp &\n 3) tc qdisc change dev ddd0 handle 10: ets bands 4 strict 2 quanta 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3\n\ncrashes systematically when line 2) is commented:\n\n list_del corruption, ffff8e028404bd30->next is LIST_POISON1 (dead000000000100)\n ------------[ cut here ]------------\n kernel BUG at lib/list_debug.c:47!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 954 Comm: tc Not tainted 5.16.0-rc4+ #478\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47\n Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe\n RSP: 0018:ffffae46807a3888 EFLAGS: 00010246\n RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202\n RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff\n RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff\n R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800\n R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400\n FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0\n Call Trace:\n \n ets_qdisc_change+0x58b/0xa70 [sch_ets]\n tc_modify_qdisc+0x323/0x880\n rtnetlink_rcv_msg+0x169/0x4a0\n netlink_rcv_skb+0x50/0x100\n netlink_unicast+0x1a5/0x280\n netlink_sendmsg+0x257/0x4d0\n sock_sendmsg+0x5b/0x60\n ____sys_sendmsg+0x1f2/0x260\n ___sys_sendmsg+0x7c/0xc0\n __sys_sendmsg+0x57/0xa0\n do_syscall_64+0x3a/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7efdc8031338\n Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55\n RSP: 002b:00007ffdf1ce9828 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000000061b37a97 RCX: 00007efdc8031338\n RDX: 0000000000000000 RSI: 00007ffdf1ce9890 RDI: 0000000000000003\n RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000078a940\n R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000001\n R13: 0000000000688880 R14: 0000000000000000 R15: 0000000000000000\n \n Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common joydev pcspkr i2c_i801 virtio_balloon i2c_smbus lpc_ich ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel serio_raw ghash_clmulni_intel ahci libahci libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: sch_ets]\n ---[ end trace f35878d1912655c2 ]---\n RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47\n Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe\n RSP: 0018:ffffae46807a3888 EFLAGS: 00010246\n RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202\n RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff\n RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff\n R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800\n R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400\n FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net/sched: sch_ets: no elimine las clases inactivas de la lista de turnos Shuang inform\u00f3 que el siguiente script: 1) tc qdisc add dev ddd0 handle 10: parent 1: ets bandas 8 estricto 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 2) mausezahn ddd0 -A 10.10.10.1 -B 10.10.10.2 -c 0 -a propio -b 00:c1:a0: c1:a0:00 -t udp & 3) tc qdisc change dev ddd0 handle 10: ets bands 4 estricto 2 cuantos 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 falla sistem\u00e1ticamente cuando la l\u00ednea 2) se comenta: corrupci\u00f3n list_del, ffff8e028404bd30->el siguiente es LIST_POISON1 (dead000000000100) ------------[ cortar aqu\u00ed ]------------ ERROR del kernel en lib/list_debug. c:47! c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 954 Comunicaciones: tc Not tainted 5.16.0-rc4+ #478 Nombre de hardware: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066 +0f1aadab 01/04/2014 RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47 C\u00f3digo: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 4 8 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe RSP: 0018:ffffae46807a3888 EFLAGS: 246 RAX: 000000000000004eRBX : 0000000000000007 RCX: 0000000000000202 RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff RBP: ffffae46807a3a10 R08: 00000000000 00000 R09: c0000000ffff7fff R10: 00000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800 R13: ffff8e028404bd30 R14: dead000000000100 R15: e02fafa2400 FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000 (0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 000000000035 0ef0 Seguimiento de llamadas: ets_qdisc_change+0x58b/0xa70 [sch_ets] tc_modify_qdisc+0x323/0x880 rtnetlink_rcv_msg+0x169/ 0x4a0 netlink_rcv_skb+0x50/0x100 netlink_unicast+0x1a5/0x280 netlink_sendmsg+0x257/0x4d0 sock_sendmsg+0x5b/0x60 ____sys_sendmsg+0x1f2/0x260 ___sys_sendmsg+0x7c/0xc0 __sys_sendmsg+0x57/0xa0 do_syscall_64+0x3a/0x80 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033: 0x7efdc8031338 C\u00f3digo: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55 RSP: 002b:00007ffdf1ce9828 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: de RBX: 0000000061b37a97 RCX: 00007efdc8031338 RDX: 0000000000000000 RSI: 00007ffdf1ce9890 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000078a940 R10: 000000000000000c R11: 00000000000000246 R12: 0000000000000001 R 13: 0000000000688880 R14: 0000000000000000 R15: 0000000000000000 M\u00f3dulos vinculados en: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common pcs pkr i2c_i801 virtio_balloon i2c_smbus lpc_ich ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel serio_raw ghash_clmulni_intel ahci libahci libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod [\u00faltima descarga: sch_ets] ---[ fin de seguimiento f35878d191 2655c2 ]--- RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47 C\u00f3digo: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe RSP: 0018:ffffae46807a3888 EFLAGS: 00010246 RAX: 000000000000004e RBX: 0000000000000007 RCX 000 0000000000202 RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff R10: 0000000000000001 R11: FFFFFAE46807A36A8 R12: FFFFF8E028404B800 R13: FFFF8E028404BD30 R14: Dead000000000100 R15: FFFFF8E02FAFA2400 FUT: GS: FFFF8E02FB600000 (0000) KNLGS: 000000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000 - --truncado---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/491c1253441e2fdc8f6a6f4976e3f13440419b7a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/81fbdd45652d8605a029e78ef14a6aaa529c4e72", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c062f2a0b04d86c5b8c9d973bea43493eaca3d32", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47596", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:54.197", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix use-after-free bug in hclgevf_send_mbx_msg\n\nCurrently, the hns3_remove function firstly uninstall client instance,\nand then uninstall acceletion engine device. The netdevice is freed in\nclient instance uninstall process, but acceletion engine device uninstall\nprocess still use it to trace runtime information. This causes a use after\nfree problem.\n\nSo fixes it by check the instance register state to avoid use after free."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: hns3: corrige el error de use-after-free en hclgevf_send_mbx_msg Actualmente, la funci\u00f3n hns3_remove desinstala primero la instancia del cliente y luego desinstala el dispositivo del motor de aceleraci\u00f3n. El dispositivo de red se libera en el proceso de desinstalaci\u00f3n de la instancia del cliente, pero el proceso de desinstalaci\u00f3n del dispositivo del motor de aceleraci\u00f3n a\u00fan lo utiliza para rastrear la informaci\u00f3n del tiempo de ejecuci\u00f3n. Esto provoca un problema de use-after-free. Entonces lo soluciona verificando el estado del registro de la instancia para evitar use after free."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/12512bc8f25b8ba9795dfbae0e9ca57ff13fd542", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/27cbf64a766e86f068ce6214f04c00ceb4db1af4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4f4a353f6fe033807cd026a5de81c67469ff19b0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47597", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:54.290", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet_diag: fix kernel-infoleak for UDP sockets\n\nKMSAN reported a kernel-infoleak [1], that can exploited\nby unpriv users.\n\nAfter analysis it turned out UDP was not initializing\nr->idiag_expires. Other users of inet_sk_diag_fill()\nmight make the same mistake in the future, so fix this\nin inet_sk_diag_fill().\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]\nBUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670\n instrument_copy_to_user include/linux/instrumented.h:121 [inline]\n copyout lib/iov_iter.c:156 [inline]\n _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670\n copy_to_iter include/linux/uio.h:155 [inline]\n simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519\n __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425\n skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533\n skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline]\n netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974\n sock_recvmsg_nosec net/socket.c:944 [inline]\n sock_recvmsg net/socket.c:962 [inline]\n sock_read_iter+0x5a9/0x630 net/socket.c:1035\n call_read_iter include/linux/fs.h:2156 [inline]\n new_sync_read fs/read_write.c:400 [inline]\n vfs_read+0x1631/0x1980 fs/read_write.c:481\n ksys_read+0x28c/0x520 fs/read_write.c:619\n __do_sys_read fs/read_write.c:629 [inline]\n __se_sys_read fs/read_write.c:627 [inline]\n __x64_sys_read+0xdb/0x120 fs/read_write.c:627\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:524 [inline]\n slab_alloc_node mm/slub.c:3251 [inline]\n __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974\n kmalloc_reserve net/core/skbuff.c:354 [inline]\n __alloc_skb+0x545/0xf90 net/core/skbuff.c:426\n alloc_skb include/linux/skbuff.h:1126 [inline]\n netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245\n __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370\n netlink_dump_start include/linux/netlink.h:254 [inline]\n inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343\n sock_diag_rcv_msg+0x24a/0x620\n netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491\n sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg net/socket.c:724 [inline]\n sock_write_iter+0x594/0x690 net/socket.c:1057\n do_iter_readv_writev+0xa7f/0xc70\n do_iter_write+0x52c/0x1500 fs/read_write.c:851\n vfs_writev fs/read_write.c:924 [inline]\n do_writev+0x63f/0xe30 fs/read_write.c:967\n __do_sys_writev fs/read_write.c:1040 [inline]\n __se_sys_writev fs/read_write.c:1037 [inline]\n __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBytes 68-71 of 312 are uninitialized\nMemory access of size 312 starts at ffff88812ab54000\nData copied to user address 0000000020001440\n\nCPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: inet_diag: corrige la fuga de informaci\u00f3n del kernel para sockets UDP KMSAN inform\u00f3 una fuga de informaci\u00f3n del kernel [1], que puede ser explotada por usuarios sin privilegios. Despu\u00e9s del an\u00e1lisis result\u00f3 que UDP no estaba inicializando r->idiag_expires. Otros usuarios de inet_sk_diag_fill() podr\u00edan cometer el mismo error en el futuro, as\u00ed que solucione este problema en inet_sk_diag_fill(). [1] ERROR: KMSAN: kernel-infoleak en instrument_copy_to_user include/linux/instrumented.h:121 [en l\u00ednea] ERROR: KMSAN: kernel-infoleak en copia lib/iov_iter.c:156 [en l\u00ednea] ERROR: KMSAN: kernel-infoleak en _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670 instrument_copy_to_user include/linux/instrumented.h:121 [en l\u00ednea] copia lib/iov_iter.c:156 [en l\u00ednea] _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670 copy_to_iter include/linux/uio.h:155 [en l\u00ednea] simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519 __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram .c:533 skb_copy_datagram_msg include/linux/skbuff.h:3657 [en l\u00ednea] netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974 sock_recvmsg_nosec net/socket.c:944 [en l\u00ednea] sock_recvmsg net/socket.c:962 [en l\u00ednea] sock_read_iter+0x5a9/0x630 net/socket.c:1035 call_read_iter include/linux/fs.h:2156 [en l\u00ednea] new_sync_read fs/read_write.c:400 [en l\u00ednea] vfs_read+0x1631/0x1980 fs/read_write.c: 481 ksys_read+0x28c/0x520 fs/read_write.c:619 __do_sys_read fs/read_write.c:629 [en l\u00ednea] __se_sys_read fs/read_write.c:627 [en l\u00ednea] __x64_sys_read+0xdb/0x120 fs/read_write.c:627 _arco x64/ x86/entry/common.c:51 [en l\u00ednea] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 Entry_SYSCALL_64_after_hwframe+0x44/0xae Uninit se cre\u00f3 en: slab_post_alloc_hook mm/slab.h:524 [en l\u00ednea] slab_alloc_node mm/slub.c:3251 [en l\u00ednea] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [en l\u00ednea] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [en l\u00ednea] netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245 __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370 netlink_dump_start include/linux/netlink.h:254 [en l\u00ednea] inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343 sock_diag_rcv_msg+0x24a/0x620 netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276 netlink_unicast_kernel net/netlink/af_netlink.c: 1319 [en l\u00ednea] netlink_unicast+0x1095/0x1360 netLink/af_netlink.c: 1345 netlink_sendmsg+0x16f3/0x1870 net/netlink/af_etlink.c: 1916 sockm. C: 704 [ en l\u00ednea] sock_sendmsg net/socket.c:724 [en l\u00ednea] sock_write_iter+0x594/0x690 net/socket.c:1057 do_iter_readv_writev+0xa7f/0xc70 do_iter_write+0x52c/0x1500 fs/read_write.c:851 vfs_writev fs/read_write.c:9 24 [en l\u00ednea] do_writev+0x63f/0xe30 fs/read_write.c:967 __do_sys_writev fs/read_write.c:1040 [en l\u00ednea] __se_sys_writev fs/read_write.c:1037 [en l\u00ednea] __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 _syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 Entry_SYSCALL_64_after_hwframe+0x44/0xae Los bytes 68-71 de 312 no est\u00e1n inicializados El acceso a la memoria de tama\u00f1o 312 comienza en ffff88812ab54000 Datos copiados a la direcci\u00f3n de usuario 0000000020001440 CPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0 Nombre de hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3a4f6dba1eb98101abc012ef968a8b10dac1ce50", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/71ddeac8cd1d217744a0e060ff520e147c9328d1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7b5596e531253ce84213d9daa7120b71c9d83198", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e5d28205bf1de7082d904ed277ceb2db2879e302", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47598", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:54.383", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_cake: do not call cake_destroy() from cake_init()\n\nqdiscs are not supposed to call their own destroy() method\nfrom init(), because core stack already does that.\n\nsyzbot was able to trigger use after free:\n\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\nWARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline]\nWARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740\nModules linked in:\nCPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline]\nRIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740\nCode: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8\nRSP: 0018:ffffc9000627f290 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44\nRBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000\nR13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000\nFS: 0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0\nCall Trace:\n \n tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810\n tcf_block_put_ext net/sched/cls_api.c:1381 [inline]\n tcf_block_put_ext net/sched/cls_api.c:1376 [inline]\n tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394\n cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695\n qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293\n tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660\n rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571\n netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:724\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2463\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f1bb06badb9\nCode: Unable to access opcode bytes at RIP 0x7f1bb06bad8f.\nRSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9\nRDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688\nR13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2\n "}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sch_cake: no llamar a cake_destroy() desde cake_init() Se supone que las qdiscs no deben llamar a su propio m\u00e9todo destroy() desde init(), porque la pila central ya lo hace. syzbot pudo activar el use-after-free: DEBUG_LOCKS_WARN_ON(lock->magic != lock) ADVERTENCIA: CPU: 0 PID: 21902 en kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [en l\u00ednea] ADVERTENCIA: CPU: 0 PID: 21902 en kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 M\u00f3dulos vinculados en: CPU: 0 PID: 21902 Comm: syz-executor189 No contaminado 5.16 .0-rc4-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [en l\u00ednea] RIP: 0010:__mutex_lock+ 0x9ec/0x12f0 kernel/locking/mutex.c:740 C\u00f3digo: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8 RSP: 0018:ffffc9000627f290 EFLAGS: 00010282 RAX: 0000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44 RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815ebb5e R11: 00000 R12: 0000000000000000 R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000 FS: 000055556abc400(0000) GS:ffff8880b9c0000 0(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0 Seguimiento de llamadas: tcf_chain0_head_change_cb_del+0x2e/0 x3d0 net/sched/cls_api.c:810 tcf_block_put_ext net/sched/cls_api.c:1381 [ en l\u00ednea] tcf_block_put_ext net/sched/cls_api.c:1376 [en l\u00ednea] tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394 cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695 qdisc_create.constprop.0+0x9da /0x10f0 net/sched/sch_api.c:1293 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571 netlink_rcv_skb+0x153/0x420 net/netlink/ af_netlink. c:2496 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [en l\u00ednea] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c :704 [en l\u00ednea] sock_sendmsg+0xcf/0x120 net/socket.c:724 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463 __sys_sendmsg+0xe5/0x1b 0 red/toma. c:2492 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f1bb06badb9 C\u00f3digo: No se puede acceder al c\u00f3digo de operaci\u00f3n bytes en RIP 0x7f1bb06bad8f. RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000000000003 RCX: 00007f1bb06badb9 RDX: 000000000 RSI: 00000000200007c0 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003 R10: 00000003 R11: 0000000000000246 R12: 00007fff3012a688 R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2 "}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0d80462fbdcafd536dcad7569e65d3d14a7e9f2f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/20ad1ef02f9ad5e1dda9eeb113e4c158b4806986", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4e388232e630ebe4f94b4a0715ec98c0e2b314a3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ab443c53916730862cec202078d36fd4008bea79", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f6deae2e2d83bd267e1986f5d71d8c458e18fd99", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47599", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:54.483", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: use latest_dev in btrfs_show_devname\n\nThe test case btrfs/238 reports the warning below:\n\n WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]\n CPU: 2 PID: 1 Comm: systemd Tainted: G W O 5.14.0-rc1-custom #72\n Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n Call trace:\n btrfs_show_devname+0x108/0x1b4 [btrfs]\n show_mountinfo+0x234/0x2c4\n m_show+0x28/0x34\n seq_read_iter+0x12c/0x3c4\n vfs_read+0x29c/0x2c8\n ksys_read+0x80/0xec\n __arm64_sys_read+0x28/0x34\n invoke_syscall+0x50/0xf8\n do_el0_svc+0x88/0x138\n el0_svc+0x2c/0x8c\n el0t_64_sync_handler+0x84/0xe4\n el0t_64_sync+0x198/0x19c\n\nReason:\nWhile btrfs_prepare_sprout() moves the fs_devices::devices into\nfs_devices::seed_list, the btrfs_show_devname() searches for the devices\nand found none, leading to the warning as in above.\n\nFix:\nlatest_dev is updated according to the changes to the device list.\nThat means we could use the latest_dev->name to show the device name in\n/proc/self/mounts, the pointer will be always valid as it's assigned\nbefore the device is deleted from the list in remove or replace.\nThe RCU protection is sufficient as the device structure is freed after\nsynchronization."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: utilice Latest_dev en btrfs_show_devname El caso de prueba btrfs/238 informa la siguiente advertencia: ADVERTENCIA: CPU: 3 PID: 481 en fs/btrfs/super.c:2509 btrfs_show_devname+0x104 /0x1e8 [btrfs] CPU: 2 PID: 1 Comunicaci\u00f3n: systemd Contaminado: GWO 5.14.0-rc1-custom #72 Nombre de hardware: QEMU M\u00e1quina virtual QEMU, BIOS 0.0.0 06/02/2015 Rastreo de llamadas: btrfs_show_devname+0x108/ 0x1b4 [btrfs] show_mountinfo+0x234/0x2c4 m_show+0x28/0x34 seq_read_iter+0x12c/0x3c4 vfs_read+0x29c/0x2c8 ksys_read+0x80/0xec __arm64_sys_read+0x28/0x34 x50/0xf8 do_el0_svc+0x88/0x138 el0_svc+0x2c/0x8c el0t_64_sync_handler +0x84/0xe4 el0t_64_sync+0x198/0x19c Motivo: mientras btrfs_prepare_sprout() mueve fs_devices::devices a fs_devices::seed_list, btrfs_show_devname() busca los dispositivos y no encuentra ninguno, lo que genera la advertencia como se muestra arriba. Soluci\u00f3n: last_dev se actualiza seg\u00fan los cambios en la lista de dispositivos. Eso significa que podr\u00edamos usar el \u00faltimo_dev->name para mostrar el nombre del dispositivo en /proc/self/mounts, el puntero siempre ser\u00e1 v\u00e1lido tal como est\u00e1 asignado antes de que el dispositivo se elimine de la lista en eliminar o reemplazar. La protecci\u00f3n de la RCU es suficiente, ya que la estructura del dispositivo se libera despu\u00e9s de la sincronizaci\u00f3n."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/6605fd2f394bba0a0059df2b6cfc87b0b6d393a2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e342c2558016ead462f376b6c6c2ac5efc17f3b1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47600", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:54.567", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm btree remove: fix use after free in rebalance_children()\n\nMove dm_tm_unlock() after dm_tm_dec()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dm btree remove: corrige el use after free en rebalance_children() Mueve dm_tm_unlock() despu\u00e9s de dm_tm_dec()."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0e21e6cd5eebfc929ac5fa3b97ca2d4ace3cb6a3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1b8d2789dad0005fd5e7d35dab26a8e1203fb6da", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/293f957be5e39720778fb1851ced7f5fba6d51c3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/501ecd90efdc9b2edc6c28852ecd098a4adf8f00", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/607beb420b3fe23b948a9bf447d993521a02fbbb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/66ea642af6fd4eacb5d0271a922130fcf8700424", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a48f6a2bf33734ec5669ee03067dfb6c5b4818d6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b03abd0aa09c05099f537cb05b8460c4298f0861", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47601", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:54.670", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: amdtee: fix an IS_ERR() vs NULL bug\n\nThe __get_free_pages() function does not return error pointers it returns\nNULL so fix this condition to avoid a NULL dereference."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tee: amdtee: corrige un error IS_ERR() vs NULL La funci\u00f3n __get_free_pages() no devuelve punteros de error, devuelve NULL, as\u00ed que corrija esta condici\u00f3n para evitar una desreferencia a NULL."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/640e28d618e82be78fb43b4bf5113bc90d6aa442", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/832f3655c6138c23576ed268e31cc76e0f05f2b1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9d7482771fac8d8e38e763263f2ca0ca12dd22c6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47602", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:54.760", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: track only QoS data frames for admission control\n\nFor admission control, obviously all of that only works for\nQoS data frames, otherwise we cannot even access the QoS\nfield in the header.\n\nSyzbot reported (see below) an uninitialized value here due\nto a status of a non-QoS nullfunc packet, which isn't even\nlong enough to contain the QoS header.\n\nFix this to only do anything for QoS data packets."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mac80211: rastrea solo frameworks de datos QoS para control de admisi\u00f3n. Para el control de admisi\u00f3n, obviamente todo eso solo funciona para frameworks de datos QoS; de lo contrario, ni siquiera podemos acceder al campo QoS en el encabezado. Syzbot inform\u00f3 (ver m\u00e1s abajo) un valor no inicializado aqu\u00ed debido al estado de un paquete nullfunc sin QoS, que ni siquiera es lo suficientemente largo para contener el encabezado de QoS. Solucione este problema para hacer algo \u00fanicamente con los paquetes de datos QoS."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/42d08e97b196479f593499e887a9ab81446a34b9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/46b9e29db2012a4d2a40a26101862e002ccf387b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/69f054d6642c8f6173724ce17e7ee3ff66b8f682", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d5e568c3a4ec2ddd23e7dc5ad5b0c64e4f22981a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eed897a22230e3231a740eddd7d6d95ba476625f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47603", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:54.863", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: improve robustness of the audit queue handling\n\nIf the audit daemon were ever to get stuck in a stopped state the\nkernel's kauditd_thread() could get blocked attempting to send audit\nrecords to the userspace audit daemon. With the kernel thread\nblocked it is possible that the audit queue could grow unbounded as\ncertain audit record generating events must be exempt from the queue\nlimits else the system enter a deadlock state.\n\nThis patch resolves this problem by lowering the kernel thread's\nsocket sending timeout from MAX_SCHEDULE_TIMEOUT to HZ/10 and tweaks\nthe kauditd_send_queue() function to better manage the various audit\nqueues when connection problems occur between the kernel and the\naudit daemon. With this patch, the backlog may temporarily grow\nbeyond the defined limits when the audit daemon is stopped and the\nsystem is under heavy audit pressure, but kauditd_thread() will\ncontinue to make progress and drain the queues as it would for other\nconnection problems. For example, with the audit daemon put into a\nstopped state and the system configured to audit every syscall it\nwas still possible to shutdown the system without a kernel panic,\ndeadlock, etc.; granted, the system was slow to shutdown but that is\nto be expected given the extreme pressure of recording every syscall.\n\nThe timeout value of HZ/10 was chosen primarily through\nexperimentation and this developer's \"gut feeling\". There is likely\nno one perfect value, but as this scenario is limited in scope (root\nprivileges would be needed to send SIGSTOP to the audit daemon), it\nis likely not worth exposing this as a tunable at present. This can\nalways be done at a later date if it proves necessary."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: auditor\u00eda: mejora la solidez del manejo de la cola de auditor\u00eda. Si el daemon de auditor\u00eda alguna vez se atascara en un estado detenido, kauditd_thread() del kernel podr\u00eda bloquearse al intentar enviar registros de auditor\u00eda al espacio de usuario. daemon de auditor\u00eda. Con el subproceso del n\u00facleo bloqueado, es posible que la cola de auditor\u00eda crezca sin l\u00edmites, ya que ciertos eventos que generan registros de auditor\u00eda deben estar exentos de los l\u00edmites de la cola, de lo contrario, el sistema entrar\u00e1 en un estado de bloqueo. Este parche resuelve este problema reduciendo el tiempo de espera de env\u00edo del socket del subproceso del n\u00facleo de MAX_SCHEDULE_TIMEOUT a HZ/10 y modifica la funci\u00f3n kauditd_send_queue() para gestionar mejor las distintas colas de auditor\u00eda cuando se producen problemas de conexi\u00f3n entre el n\u00facleo y el daemon de auditor\u00eda. Con este parche, el trabajo pendiente puede crecer temporalmente m\u00e1s all\u00e1 de los l\u00edmites definidos cuando se detiene el daemon de auditor\u00eda y el sistema est\u00e1 bajo una fuerte presi\u00f3n de auditor\u00eda, pero kauditd_thread() continuar\u00e1 progresando y drenando las colas como lo har\u00eda con otros problemas de conexi\u00f3n. Por ejemplo, con el daemon de auditor\u00eda en estado detenido y el sistema configurado para auditar cada llamada al sistema, a\u00fan era posible apagar el sistema sin p\u00e1nico en el kernel, interbloqueo, etc.; Por supuesto, el sistema tard\u00f3 en cerrarse, pero eso es de esperarse dada la presi\u00f3n extrema de registrar cada llamada al sistema. El valor de tiempo de espera de HZ/10 se eligi\u00f3 principalmente a trav\u00e9s de la experimentaci\u00f3n y el \"instinto\" de este desarrollador. Probablemente no exista un valor perfecto, pero como este escenario tiene un alcance limitado (se necesitar\u00edan privilegios de root para enviar SIGSTOP al daemon de auditor\u00eda), probablemente no valga la pena exponerlo como un ajuste ajustable en este momento. Esto siempre se puede hacer en una fecha posterior si resulta necesario."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0d3277eabd542fb662be23696e5ec9f390d688e1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4cc6badff97f74d0fce65f9784b5df3b64e4250b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/75fdb751f84727d614deea0571a1490c3225d83a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8389f50ceb854cb437fefb9330d5024ed3c7c1f5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a5f4d17daf2e6cd7c1d9676b476147f6b4ac53f2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f4b3ee3c85551d2d343a3ba159304066523f730f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47604", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:54.973", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvduse: check that offset is within bounds in get_config()\n\nThis condition checks \"len\" but it does not check \"offset\" and that\ncould result in an out of bounds read if \"offset > dev->config_size\".\nThe problem is that since both variables are unsigned the\n\"dev->config_size - offset\" subtraction would result in a very high\nunsigned value.\n\nI think these checks might not be necessary because \"len\" and \"offset\"\nare supposed to already have been validated using the\nvhost_vdpa_config_validate() function. But I do not know the code\nperfectly, and I like to be safe."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vduse: verifique que el desplazamiento est\u00e9 dentro de los l\u00edmites en get_config() Esta condici\u00f3n verifica \"len\" pero no verifica \"desplazamiento\" y eso podr\u00eda resultar en una lectura fuera de los l\u00edmites si \" desplazamiento > dev->config_size\". El problema es que, dado que ambas variables no est\u00e1n firmadas, la resta \"dev->config_size - offset\" dar\u00eda como resultado un valor sin firmar muy alto. Creo que estas comprobaciones podr\u00edan no ser necesarias porque se supone que \"len\" y \"offset\" ya se han validado mediante la funci\u00f3n vhost_vdpa_config_validate(). Pero no conozco el c\u00f3digo a la perfecci\u00f3n y me gusta estar seguro."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/dc1db0060c02d119fd4196924eff2d1129e9a442", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ebbbc5fea3f648175df1aa3f127c78eb0252cc2a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47605", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:55.067", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvduse: fix memory corruption in vduse_dev_ioctl()\n\nThe \"config.offset\" comes from the user. There needs to a check to\nprevent it being out of bounds. The \"config.offset\" and\n\"dev->config_size\" variables are both type u32. So if the offset if\nout of bounds then the \"dev->config_size - config.offset\" subtraction\nresults in a very high u32 value. The out of bounds offset can result\nin memory corruption."}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: vduse: corrige corrupci\u00f3n de memoria en vduse_dev_ioctl() El \"config.offset\" proviene del usuario. Es necesario realizar un control para evitar que est\u00e9 fuera de los l\u00edmites. Las variables \"config.offset\" y \"dev->config_size\" son ambas del tipo u32. Entonces, si el desplazamiento est\u00e1 fuera de los l\u00edmites, entonces la resta \"dev->config_size - config.offset\" da como resultado un valor u32 muy alto. El desplazamiento fuera de los l\u00edmites puede provocar da\u00f1os en la memoria."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/e6c67560b4341914bec32ec536e931c22062af65", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ff9f9c6e74848170fcb45c8403c80d661484c8c9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47606", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:55.153", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netlink: af_netlink: Prevent empty skb by adding a check on len.\n\nAdding a check on len parameter to avoid empty skb. This prevents a\ndivision error in netem_enqueue function which is caused when skb->len=0\nand skb->data_len=0 in the randomized corruption step as shown below.\n\nskb->data[prandom_u32() % skb_headlen(skb)] ^= 1<<(prandom_u32() % 8);\n\nCrash Report:\n[ 343.170349] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family\n0 port 6081 - 0\n[ 343.216110] netem: version 1.3\n[ 343.235841] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\n[ 343.236680] CPU: 3 PID: 4288 Comm: reproducer Not tainted 5.16.0-rc1+\n[ 343.237569] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS 1.11.0-2.el7 04/01/2014\n[ 343.238707] RIP: 0010:netem_enqueue+0x1590/0x33c0 [sch_netem]\n[ 343.239499] Code: 89 85 58 ff ff ff e8 5f 5d e9 d3 48 8b b5 48 ff ff\nff 8b 8d 50 ff ff ff 8b 85 58 ff ff ff 48 8b bd 70 ff ff ff 31 d2 2b 4f\n74 f1 48 b8 00 00 00 00 00 fc ff df 49 01 d5 4c 89 e9 48 c1 e9 03\n[ 343.241883] RSP: 0018:ffff88800bcd7368 EFLAGS: 00010246\n[ 343.242589] RAX: 00000000ba7c0a9c RBX: 0000000000000001 RCX:\n0000000000000000\n[ 343.243542] RDX: 0000000000000000 RSI: ffff88800f8edb10 RDI:\nffff88800f8eda40\n[ 343.244474] RBP: ffff88800bcd7458 R08: 0000000000000000 R09:\nffffffff94fb8445\n[ 343.245403] R10: ffffffff94fb8336 R11: ffffffff94fb8445 R12:\n0000000000000000\n[ 343.246355] R13: ffff88800a5a7000 R14: ffff88800a5b5800 R15:\n0000000000000020\n[ 343.247291] FS: 00007fdde2bd7700(0000) GS:ffff888109780000(0000)\nknlGS:0000000000000000\n[ 343.248350] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 343.249120] CR2: 00000000200000c0 CR3: 000000000ef4c000 CR4:\n00000000000006e0\n[ 343.250076] Call Trace:\n[ 343.250423] \n[ 343.250713] ? memcpy+0x4d/0x60\n[ 343.251162] ? netem_init+0xa0/0xa0 [sch_netem]\n[ 343.251795] ? __sanitizer_cov_trace_pc+0x21/0x60\n[ 343.252443] netem_enqueue+0xe28/0x33c0 [sch_netem]\n[ 343.253102] ? stack_trace_save+0x87/0xb0\n[ 343.253655] ? filter_irq_stacks+0xb0/0xb0\n[ 343.254220] ? netem_init+0xa0/0xa0 [sch_netem]\n[ 343.254837] ? __kasan_check_write+0x14/0x20\n[ 343.255418] ? _raw_spin_lock+0x88/0xd6\n[ 343.255953] dev_qdisc_enqueue+0x50/0x180\n[ 343.256508] __dev_queue_xmit+0x1a7e/0x3090\n[ 343.257083] ? netdev_core_pick_tx+0x300/0x300\n[ 343.257690] ? check_kcov_mode+0x10/0x40\n[ 343.258219] ? _raw_spin_unlock_irqrestore+0x29/0x40\n[ 343.258899] ? __kasan_init_slab_obj+0x24/0x30\n[ 343.259529] ? setup_object.isra.71+0x23/0x90\n[ 343.260121] ? new_slab+0x26e/0x4b0\n[ 343.260609] ? kasan_poison+0x3a/0x50\n[ 343.261118] ? kasan_unpoison+0x28/0x50\n[ 343.261637] ? __kasan_slab_alloc+0x71/0x90\n[ 343.262214] ? memcpy+0x4d/0x60\n[ 343.262674] ? write_comp_data+0x2f/0x90\n[ 343.263209] ? __kasan_check_write+0x14/0x20\n[ 343.263802] ? __skb_clone+0x5d6/0x840\n[ 343.264329] ? __sanitizer_cov_trace_pc+0x21/0x60\n[ 343.264958] dev_queue_xmit+0x1c/0x20\n[ 343.265470] netlink_deliver_tap+0x652/0x9c0\n[ 343.266067] netlink_unicast+0x5a0/0x7f0\n[ 343.266608] ? netlink_attachskb+0x860/0x860\n[ 343.267183] ? __sanitizer_cov_trace_pc+0x21/0x60\n[ 343.267820] ? write_comp_data+0x2f/0x90\n[ 343.268367] netlink_sendmsg+0x922/0xe80\n[ 343.268899] ? netlink_unicast+0x7f0/0x7f0\n[ 343.269472] ? __sanitizer_cov_trace_pc+0x21/0x60\n[ 343.270099] ? write_comp_data+0x2f/0x90\n[ 343.270644] ? netlink_unicast+0x7f0/0x7f0\n[ 343.271210] sock_sendmsg+0x155/0x190\n[ 343.271721] ____sys_sendmsg+0x75f/0x8f0\n[ 343.272262] ? kernel_sendmsg+0x60/0x60\n[ 343.272788] ? write_comp_data+0x2f/0x90\n[ 343.273332] ? write_comp_data+0x2f/0x90\n[ 343.273869] ___sys_sendmsg+0x10f/0x190\n[ 343.274405] ? sendmsg_copy_msghdr+0x80/0x80\n[ 343.274984] ? slab_post_alloc_hook+0x70/0x230\n[ 343.275597] ? futex_wait_setup+0x240/0x240\n[ 343.276175] ? security_file_alloc+0x3e/0x170\n[ 343.276779] ? write_comp_d\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: netlink: af_netlink: Evite el skb vac\u00edo agregando una marca en len. Agregar una verificaci\u00f3n en el par\u00e1metro len para evitar skb vac\u00edo. Esto evita un error de divisi\u00f3n en la funci\u00f3n netem_enqueue que se produce cuando skb->len=0 y skb->data_len=0 en el paso de corrupci\u00f3n aleatoria como se muestra a continuaci\u00f3n. skb->datos[prandom_u32() % skb_headlen(skb)] ^= 1<<(prandom_u32() % 8); Informe de fallo: [343.170349] netdevsim netdevsim0 netdevsim3: establecer [1, 0] tipo 2 familia 0 puerto 6081 - 0 [343.216110] netem: versi\u00f3n 1.3 [343.235841] error de divisi\u00f3n: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 80] CPU : 3 PID: 4288 Comm: reproductor No contaminado 5.16.0-rc1+ [ 343.237569] Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 01/04/2014 [ 343.238707] RIP: 0010:netem_enqueue+0x1590/0x33c0 [sch_netem] [ 343.239499] C\u00f3digo: 89 85 58 ff ff ff e8 5f 5d e9 d3 48 8b b5 48 ff ff ff 8b 8d 50 ff ff 8b 85 58 ff ff 4 8 8b bd 70 y sigs. ff ff 31 d2 2b 4f 74 f1 48 b8 00 00 00 00 00 fc ff df 49 01 d5 4c 89 e9 48 c1 e9 03 [ 343.241883] RSP: 0018:ffff88800bcd7368 EFLAGS: 46 [343.242589] RAX: 00000000ba7c0a9c RBX: 0000000000000001 RCX: 0000000000000000 [ 343.243542] RDX: 0000000000000000 RSI: ffff88800f8edb10 RDI: ffff88800f8eda40 [ 343.244474] RBP: ff88800bcd7458 R08: 0000000000000000 R09: ffffffff94fb8445 [ 343.245403] R10: ffffffff94fb8336 R11: ffffffff94fb8445 R12: 0000000000000000 [ 343. 246355] R13: ffff88800a5a7000 R14: ffff88800a5b5800 R15 : 0000000000000020 [ 343.247291] FS: 00007fdde2bd7700(0000) GS:ffff888109780000(0000) knlGS:0000000000000000 [ 343.248350] CS: 0010 DS: 000 ES: 0000 CR0: 0000000080050033 [ 343.249120] CR2: 00000000200000c0 CR3: 000000000ef4c000 CR4: 00000000000006e0 [ 343.250076] Seguimiento de llamadas: [ 343.250423] [ 343.250713] ? memcpy+0x4d/0x60 [343.251162]? netem_init+0xa0/0xa0 [sch_netem] [ 343.251795] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.252443] netem_enqueue+0xe28/0x33c0 [sch_netem] [ 343.253102] ? stack_trace_save+0x87/0xb0 [343.253655]? filter_irq_stacks+0xb0/0xb0 [343.254220]? netem_init+0xa0/0xa0 [sch_netem] [ 343.254837] ? __kasan_check_write+0x14/0x20 [343.255418]? _raw_spin_lock+0x88/0xd6 [ 343.255953] dev_qdisc_enqueue+0x50/0x180 [ 343.256508] __dev_queue_xmit+0x1a7e/0x3090 [ 343.257083] ? netdev_core_pick_tx+0x300/0x300 [343.257690]? check_kcov_mode+0x10/0x40 [343.258219]? _raw_spin_unlock_irqrestore+0x29/0x40 [343.258899]? __kasan_init_slab_obj+0x24/0x30 [343.259529] ? setup_object.isra.71+0x23/0x90 [343.260121]? nueva_losa+0x26e/0x4b0 [ 343.260609] ? kasan_poison+0x3a/0x50 [ 343.261118] ? kasan_unpoison+0x28/0x50 [343.261637]? __kasan_slab_alloc+0x71/0x90 [343.262214]? memcpy+0x4d/0x60 [343.262674]? write_comp_data+0x2f/0x90 [343.263209]? __kasan_check_write+0x14/0x20 [343.263802]? __skb_clone+0x5d6/0x840 [343.264329]? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.264958] dev_queue_xmit+0x1c/0x20 [ 343.265470] netlink_deliver_tap+0x652/0x9c0 [ 343.266067] netlink_unicast+0x5a0/0x7f0 [ 343. 266608] ? netlink_attachskb+0x860/0x860 [343.267183]? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.267820] ? write_comp_data+0x2f/0x90 [343.268367] netlink_sendmsg+0x922/0xe80 [343.268899]? netlink_unicast+0x7f0/0x7f0 [343.269472]? __sanitizer_cov_trace_pc+0x21/0x60 [343.270099] ? write_comp_data+0x2f/0x90 [343.270644]? netlink_unicast+0x7f0/0x7f0 [343.271210] sock_sendmsg+0x155/0x190 [343.271721] ____sys_sendmsg+0x75f/0x8f0 [343.272262] ? kernel_sendmsg+0x60/0x60 [343.272788]? write_comp_data+0x2f/0x90 [343.273332]? write_comp_data+0x2f/0x90 [ 343.273869] ___sys_sendmsg+0x10f/0x190 [ 343.274405] ? sendmsg_copy_msghdr+0x80/0x80 [343.274984]? slab_post_alloc_hook+0x70/0x230 [343.275597]? futex_wait_setup+0x240/0x240 [343.276175]? security_file_alloc+0x3e/0x170 [343.276779]? write_comp_d ---truncado---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/40cf2e058832d9cfaae98dfd77334926275598b6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4c986072a8c9249b9398c7a18f216dc26a9f0e35", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/54e785f7d5c197bc06dbb8053700df7e2a093ced", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c0315e93552e0d840e9edc6abd71c7db82ec8f51", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c54a60c8fbaa774f828e26df79f66229a8a0e010", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dadce61247c6230489527cc5e343b6002d1114c5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f123cffdd8fe8ea6c7fded4b88516a42798797d0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ff3f517bf7138e01a17369042908a3f345c0ee41", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47607", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:55.263", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg\n\nThe implementation of BPF_CMPXCHG on a high level has the following parameters:\n\n .-[old-val] .-[new-val]\n BPF_R0 = cmpxchg{32,64}(DST_REG + insn->off, BPF_R0, SRC_REG)\n `-[mem-loc] `-[old-val]\n\nGiven a BPF insn can only have two registers (dst, src), the R0 is fixed and\nused as an auxilliary register for input (old value) as well as output (returning\nold value from memory location). While the verifier performs a number of safety\nchecks, it misses to reject unprivileged programs where R0 contains a pointer as\nold value.\n\nThrough brute-forcing it takes about ~16sec on my machine to leak a kernel pointer\nwith BPF_CMPXCHG. The PoC is basically probing for kernel addresses by storing the\nguessed address into the map slot as a scalar, and using the map value pointer as\nR0 while SRC_REG has a canary value to detect a matching address.\n\nFix it by checking R0 for pointers, and reject if that's the case for unprivileged\nprograms."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: corrige la fuga de direcci\u00f3n del kernel en el registro auxiliar r0 de atomic cmpxchg. La implementaci\u00f3n de BPF_CMPXCHG en un nivel alto tiene los siguientes par\u00e1metros: .-[old-val] .-[new-val ] BPF_R0 = cmpxchg{32,64}(DST_REG + insn->off, BPF_R0, SRC_REG) `-[mem-loc] `-[old-val] Dado un BPF insn solo puede tener dos registros (dst, src), el R0 es fijo y se utiliza como registro auxiliar para la entrada (valor anterior), as\u00ed como para la salida (devolver el valor anterior desde la ubicaci\u00f3n de la memoria). Si bien el verificador realiza una serie de comprobaciones de seguridad, no rechaza los programas sin privilegios donde R0 contiene un puntero como valor antiguo. A trav\u00e9s de la fuerza bruta, en mi m\u00e1quina se necesitan aproximadamente 16 segundos para filtrar un puntero del kernel con BPF_CMPXCHG. B\u00e1sicamente, PoC busca direcciones del kernel almacenando la direcci\u00f3n adivinada en la ranura del mapa como un escalar y usando el puntero del valor del mapa como R0, mientras que SRC_REG tiene un valor canario para detectar una direcci\u00f3n coincidente. Solucionelo comprobando R0 en busca de punteros y rech\u00e1celo si ese es el caso de los programas sin privilegios."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/a82fe085f344ef20b452cd5f481010ff96b5c4cd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f87a6c160ecc8c7b417d25f508d3f076fe346136", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47608", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:55.360", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix kernel address leakage in atomic fetch\n\nThe change in commit 37086bfdc737 (\"bpf: Propagate stack bounds to registers\nin atomics w/ BPF_FETCH\") around check_mem_access() handling is buggy since\nthis would allow for unprivileged users to leak kernel pointers. For example,\nan atomic fetch/and with -1 on a stack destination which holds a spilled\npointer will migrate the spilled register type into a scalar, which can then\nbe exported out of the program (since scalar != pointer) by dumping it into\na map value.\n\nThe original implementation of XADD was preventing this situation by using\na double call to check_mem_access() one with BPF_READ and a subsequent one\nwith BPF_WRITE, in both cases passing -1 as a placeholder value instead of\nregister as per XADD semantics since it didn't contain a value fetch. The\nBPF_READ also included a check in check_stack_read_fixed_off() which rejects\nthe program if the stack slot is of __is_pointer_value() if dst_regno < 0.\nThe latter is to distinguish whether we're dealing with a regular stack spill/\nfill or some arithmetical operation which is disallowed on non-scalars, see\nalso 6e7e63cbb023 (\"bpf: Forbid XADD on spilled pointers for unprivileged\nusers\") for more context on check_mem_access() and its handling of placeholder\nvalue -1.\n\nOne minimally intrusive option to fix the leak is for the BPF_FETCH case to\ninitially check the BPF_READ case via check_mem_access() with -1 as register,\nfollowed by the actual load case with non-negative load_reg to propagate\nstack bounds to registers."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf: corrige la fuga de la direcci\u00f3n del kernel en la recuperaci\u00f3n at\u00f3mica. El cambio en el commit 37086bfdc737 (\"bpf: propaga los l\u00edmites de la pila a los registros en at\u00f3micos con BPF_FETCH\") alrededor del manejo de check_mem_access() tiene errores ya que esto permitir\u00eda a usuarios sin privilegios filtrar punteros del kernel. Por ejemplo, una recuperaci\u00f3n at\u00f3mica/y con -1 en un destino de pila que contiene un puntero derramado migrar\u00e1 el tipo de registro derramado a un escalar, que luego se puede exportar fuera del programa (ya que escalar! = puntero) volc\u00e1ndolo en un valor de mapa. La implementaci\u00f3n original de XADD evitaba esta situaci\u00f3n mediante el uso de una llamada doble a check_mem_access(), una con BPF_READ y otra posterior con BPF_WRITE, en ambos casos pasando -1 como valor de marcador de posici\u00f3n en lugar de registrarse seg\u00fan la sem\u00e1ntica de XADD, ya que no lo hac\u00eda contener una recuperaci\u00f3n de valor. BPF_READ tambi\u00e9n incluy\u00f3 una verificaci\u00f3n en check_stack_read_fixed_off() que rechaza el programa si la ranura de la pila es de __is_pointer_value() si dst_regno < 0. Esto \u00faltimo es para distinguir si estamos tratando con un derrame/llenado de pila regular o alguna operaci\u00f3n aritm\u00e9tica que no est\u00e1 permitido en valores no escalares, consulte tambi\u00e9n 6e7e63cbb023 (\"bpf: Prohibir XADD en punteros dispersos para usuarios sin privilegios\") para obtener m\u00e1s contexto sobre check_mem_access() y su manejo del valor del marcador de posici\u00f3n -1. Una opci\u00f3n m\u00ednimamente intrusiva para solucionar la fuga es que el caso BPF_FETCH verifique inicialmente el caso BPF_READ mediante check_mem_access() con -1 como registro, seguido del caso de carga real con load_reg no negativo para propagar los l\u00edmites de la pila a los registros."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/423628125a484538111c2c6d9bb1588eb086053b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7d3baf0afa3aa9102d6a521a8e4c41888bb79882", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47609", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:55.457", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scpi: Fix string overflow in SCPI genpd driver\n\nWithout the bound checks for scpi_pd->name, it could result in the buffer\noverflow when copying the SCPI device name from the corresponding device\ntree node as the name string is set at maximum size of 30.\n\nLet us fix it by using devm_kasprintf so that the string buffer is\nallocated dynamically."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: firmware: arm_scpi: corrige el desbordamiento de cadena en el controlador SCPI genpd. Sin las comprobaciones vinculadas para scpi_pd->name, podr\u00eda provocar un desbordamiento del b\u00fafer al copiar el nombre del dispositivo SCPI del dispositivo correspondiente. El nodo del \u00e1rbol como cadena de nombre se establece en un tama\u00f1o m\u00e1ximo de 30. Arreglemoslo usando devm_kasprintf para que el b\u00fafer de cadena se asigne din\u00e1micamente."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/4694b1ec425a2d20d6f8ca3db594829fdf5f2672", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/639901b9429a3195e0fead981ed74b51f5f31538", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7e8645ca2c0046f7cd2f0f7d569fc036c8abaedb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/802a1a8501563714a5fe8824f4ed27fec04a0719", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/865ed67ab955428b9aa771d8b4f1e4fb7fd08945", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/976389cbb16cee46847e5d06250a3a0b5506781e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f0f484714f35d24ffa0ecb4afe3df1c5b225411d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47610", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:55.557", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix null ptr access msm_ioctl_gem_submit()\n\nFix the below null pointer dereference in msm_ioctl_gem_submit():\n\n 26545.260705: Call trace:\n 26545.263223: kref_put+0x1c/0x60\n 26545.266452: msm_ioctl_gem_submit+0x254/0x744\n 26545.270937: drm_ioctl_kernel+0xa8/0x124\n 26545.274976: drm_ioctl+0x21c/0x33c\n 26545.278478: drm_compat_ioctl+0xdc/0xf0\n 26545.282428: __arm64_compat_sys_ioctl+0xc8/0x100\n 26545.287169: el0_svc_common+0xf8/0x250\n 26545.291025: do_el0_svc_compat+0x28/0x54\n 26545.295066: el0_svc_compat+0x10/0x1c\n 26545.298838: el0_sync_compat_handler+0xa8/0xcc\n 26545.303403: el0_sync_compat+0x188/0x1c0\n 26545.307445: Code: d503201f d503201f 52800028 4b0803e8 (b8680008)\n 26545.318799: Kernel panic - not syncing: Oops: Fatal exception"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/msm: corrige el acceso ptr nulo msm_ioctl_gem_submit() Corrige la siguiente desreferencia del puntero nulo en msm_ioctl_gem_submit(): 26545.260705: Rastreo de llamadas: 26545.263223: kref_put+0x1c/0x60 26545.266452 msm: _ioctl_gem_submit+ 0x254/0x744 26545.270937: drm_ioctl_kernel+0xa8/0x124 26545.274976: drm_ioctl+0x21c/0x33c 26545.278478: drm_compat_ioctl+0xdc/0xf0 : __arm64_compat_sys_ioctl+0xc8/0x100 26545.287169: el0_svc_common+0xf8/0x250 26545.291025: do_el0_svc_compat+0x28/0x54 26545.295066: 0 /0x1c 26545.298838: el0_sync_compat_handler+0xa8/0xcc 26545.303403: el0_sync_compat+0x188/0x1c0 26545.307445: C\u00f3digo: d503201f d503201f 52800028 4b0803e8 680008) 26545.318799: P\u00e1nico del kernel: no se sincroniza: Ups: excepci\u00f3n fatal"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/26d776fd0f79f093a5d0ce1a4c7c7a992bc3264c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f6db3d98f876870c35e96693cfd54752f6199e59", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47611", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:55.650", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: validate extended element ID is present\n\nBefore attempting to parse an extended element, verify that\nthe extended element ID is present."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mac80211: validar que el ID del elemento extendido est\u00e9 presente Antes de intentar analizar un elemento extendido, verifique que el ID del elemento extendido est\u00e9 presente."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/03029bb044ccee60adbc93e70713f3ae58abc3a1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/768c0b19b50665e337c96858aa2b7928d6dcf756", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7fd214fc7f2ee3a89f91e717e3cfad55f5a27045", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a19cf6844b509d44ecbd536f33d314d91ecdd2b5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c62b16f98688ae7bc0ab23a6490481f4ce9b3a49", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47612", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:55.750", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: fix segfault in nfc_genl_dump_devices_done\n\nWhen kmalloc in nfc_genl_dump_devices() fails then\nnfc_genl_dump_devices_done() segfaults as below\n\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:klist_iter_exit+0x26/0x80\nCall Trace:\n\nclass_dev_iter_exit+0x15/0x20\nnfc_genl_dump_devices_done+0x3b/0x50\ngenl_lock_done+0x84/0xd0\nnetlink_sock_destruct+0x8f/0x270\n__sk_destruct+0x64/0x3b0\nsk_destruct+0xa8/0xd0\n__sk_free+0x2e8/0x3d0\nsk_free+0x51/0x90\nnetlink_sock_destruct_work+0x1c/0x20\nprocess_one_work+0x411/0x710\nworker_thread+0x6fd/0xa80"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfc: corrige el error de segmentaci\u00f3n en nfc_genl_dump_devices_done Cuando falla kmalloc en nfc_genl_dump_devices(), entonces el error de segmentaci\u00f3n de nfc_genl_dump_devices_done() se muestra a continuaci\u00f3n KASAN: null-ptr-deref en el rango [0x0000000000000008-0x00 0000000000000f] CPU: 0 PID : 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/ 2014 Cola de trabajo: eventos netlink_sock_destruct_work RIP: 0010:klist_iter_exit+0x26/0x80 Seguimiento de llamadas: class_dev_iter_exit+0x15/0x20 nfc_genl_dump_devices_done+0x3b/0x50 genl_lock_done+0x84/0xd0 estructura+0x8f/0x270 __sk_destruct+0x64/0x3b0 sk_destruct+0xa8/0xd0 __sk_free+0x2e8/0x3d0 sk_free+0x51/0x90 netlink_sock_destruct_work+0x1c/0x20 Process_one_work+0x411/0x710 trabajador_thread+0x6fd/0xa80"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/214af18abbe39db05beb305b2d11e87d09a6529c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2a8845b9603c545fddd17862282dc4c4ce0971e3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6644989642844de830f9b072cd65c553cb55946c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c602863ad28ec86794cb4ab4edea5324f555f181", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d731ecc6f2eaec68f4ad1542283bbc7d07bd0112", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d89e4211b51752daf063d638af50abed2fd5f96d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ea55b3797878752aa076b118afb727dcf79cac34", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fd79a0cbf0b2e34bcc45b13acf962e2032a82203", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47613", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:55.850", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: virtio: fix completion handling\n\nThe driver currently assumes that the notify callback is only received\nwhen the device is done with all the queued buffers.\n\nHowever, this is not true, since the notify callback could be called\nwithout any of the queued buffers being completed (for example, with\nvirtio-pci and shared interrupts) or with only some of the buffers being\ncompleted (since the driver makes them available to the device in\nmultiple separate virtqueue_add_sgs() calls).\n\nThis can lead to incorrect data on the I2C bus or memory corruption in\nthe guest if the device operates on buffers which are have been freed by\nthe driver. (The WARN_ON in the driver is also triggered.)\n\n BUG kmalloc-128 (Tainted: G W ): Poison overwritten\n First byte 0x0 instead of 0x6b\n Allocated in i2cdev_ioctl_rdwr+0x9d/0x1de age=243 cpu=0 pid=28\n \tmemdup_user+0x2e/0xbd\n \ti2cdev_ioctl_rdwr+0x9d/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n Freed in i2cdev_ioctl_rdwr+0x1bb/0x1de age=68 cpu=0 pid=28\n \tkfree+0x1bd/0x1cc\n \ti2cdev_ioctl_rdwr+0x1bb/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n\nFix this by calling virtio_get_buf() from the notify handler like other\nvirtio drivers and by actually waiting for all the buffers to be\ncompleted."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: i2c: virtio: manejo de finalizaci\u00f3n de reparaci\u00f3n El controlador actualmente supone que la devoluci\u00f3n de llamada de notificaci\u00f3n solo se recibe cuando el dispositivo termina con todos los b\u00faferes en cola. Sin embargo, esto no es cierto, ya que la devoluci\u00f3n de llamada de notificaci\u00f3n podr\u00eda llamarse sin que se complete ninguno de los b\u00faferes en cola (por ejemplo, con virtio-pci e interrupciones compartidas) o con solo algunos de los b\u00faferes completados (ya que el controlador los pone a disposici\u00f3n). al dispositivo en m\u00faltiples llamadas virtqueue_add_sgs() separadas). Esto puede provocar datos incorrectos en el bus I2C o da\u00f1os en la memoria del hu\u00e9sped si el dispositivo funciona con b\u00faferes que han sido liberados por el controlador. (El WARN_ON en el controlador tambi\u00e9n se activa). ERROR kmalloc-128 (Contaminado: GW): Veneno sobrescrito Primer byte 0x0 en lugar de 0x6b Asignado en i2cdev_ioctl_rdwr+0x9d/0x1de age=243 cpu=0 pid=28 memdup_user+0x2e/0xbd i2cdev_ioctl_rdwr+0x9d/0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Liberado en i2cdev_ioctl_rdwr+0x1bb/0x1de age=68 cpu=0 pid=28 0x1cc i2cdev_ioctl_rdwr+0x1bb/0x1de i2cdev_ioctl+0x247/ 0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Solucione este problema llamando a virtio_get_buf() desde el controlador de notificaci\u00f3n como otros controladores virtio y esperando a que se completen todos los b\u00faferes."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/9cbb957441ed8873577d7d313a3d79d69f1dad5c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b503de239f62eca898cfb7e820d9a35499137d22", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47614", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:55.943", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix a user-after-free in add_pble_prm\n\nWhen irdma_hmc_sd_one fails, 'chunk' is freed while its still on the PBLE\ninfo list.\n\nAdd the chunk entry to the PBLE info list only after successful setting of\nthe SD in irdma_hmc_sd_one."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/irdma: corrige un user-after-free en add_pble_prm Cuando falla irdma_hmc_sd_one, el 'fragmento' se libera mientras todav\u00eda est\u00e1 en la lista de informaci\u00f3n de PBLE. Agregue la entrada del fragmento a la lista de informaci\u00f3n de PBLE solo despu\u00e9s de configurar correctamente la SD en irdma_hmc_sd_one."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/11eebcf63e98fcf047a876a51d76afdabc3b8b9b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1e11a39a82e95ce86f849f40dda0d9c0498cebd9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47615", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:56.030", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix releasing unallocated memory in dereg MR flow\n\nFor the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though\nit is a user MR. This causes function mlx5_free_priv_descs() to think that\nit is a kernel MR, leading to wrongly accessing mr->descs that will get\nwrong values in the union which leads to attempt to release resources that\nwere not allocated in the first place.\n\nFor example:\n DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]\n WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0\n RIP: 0010:check_unmap+0x54f/0x8b0\n Call Trace:\n debug_dma_unmap_page+0x57/0x60\n mlx5_free_priv_descs+0x57/0x70 [mlx5_ib]\n mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib]\n ib_dereg_mr_user+0x60/0x140 [ib_core]\n uverbs_destroy_uobject+0x59/0x210 [ib_uverbs]\n uobj_destroy+0x3f/0x80 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs]\n ? uverbs_finalize_object+0x50/0x50 [ib_uverbs]\n ? lock_acquire+0xc4/0x2e0\n ? lock_acquired+0x12/0x380\n ? lock_acquire+0xc4/0x2e0\n ? lock_acquire+0xc4/0x2e0\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\n ? lock_release+0x28a/0x400\n ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\n __x64_sys_ioctl+0x7f/0xb0\n do_syscall_64+0x38/0x90\n\nFix it by reorganizing the dereg flow and mlx5_ib_mr structure:\n - Move the ib_umem field into the user MRs structure in the union as it's\n applicable only there.\n - Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only\n in case there isn't udata, which indicates that this isn't a user MR."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/mlx5: Se corrigi\u00f3 la liberaci\u00f3n de memoria no asignada en el flujo de MR dereg. Para el caso de IB_MR_TYPE_DM, mr no tiene un umem, aunque sea un usuario MR. Esto hace que la funci\u00f3n mlx5_free_priv_descs() piense que es un MR del kernel, lo que lleva a un acceso incorrecto a mr->descs que obtendr\u00e1 valores incorrectos en la uni\u00f3n, lo que lleva a intentar liberar recursos que no fueron asignados en primer lugar. Por ejemplo: DMA-API: mlx5_core 0000:08:00.1: el controlador de dispositivo intenta liberar la memoria DMA que no ha asignado [direcci\u00f3n del dispositivo=0x0000000000000000] [tama\u00f1o=0 bytes] ADVERTENCIA: CPU: 8 PID: 1021 en kernel/dma/ debug.c:961 check_unmap+0x54f/0x8b0 RIP: 0010:check_unmap+0x54f/0x8b0 Seguimiento de llamadas: debug_dma_unmap_page+0x57/0x60 mlx5_free_priv_descs+0x57/0x70 [mlx5_ib] [mlx5_ib] ib_dereg_mr_user+0x60/0x140 [ib_core ] uverbs_destroy_uobject+0x59/0x210 [ib_uverbs] uobj_destroy+0x3f/0x80 [ib_uverbs] ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs] ? uverbs_finalize_object+0x50/0x50 [ib_uverbs] ? lock_acquire+0xc4/0x2e0? lock_adquirido+0x12/0x380? lock_acquire+0xc4/0x2e0? lock_acquire+0xc4/0x2e0? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs] ? lock_release+0x28a/0x400 ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs] __x64_sys_ioctl+0x7f/0xb0 do_syscall_64+0x38/0x90 Soluci\u00f3nelo reorganizando el flujo de dereg y la estructura mlx5_ib_mr: - Mueva el campo ib_umem a la estructura MRs del usuario en la uni\u00f3n, ya que solo se aplica all\u00ed. - La funci\u00f3n mlx5_ib_dereg_mr() ahora llamar\u00e1 a mlx5_free_priv_descs() solo en caso de que no haya udata, lo que indica que no se trata de un usuario MR."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/c44979ace49b4aede3cc7cb5542316e53a4005c9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e3bc4d4b50cae7db08e50dbe43f771c906e97701", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f0ae4afe3d35e67db042c58a52909e06262b740f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47616", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-19T15:15:56.130", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA: Fix use-after-free in rxe_queue_cleanup\n\nOn error handling path in rxe_qp_from_init() qp->sq.queue is freed and\nthen rxe_create_qp() will drop last reference to this object. qp clean up\nfunction will try to free this queue one time and it causes UAF bug.\n\nFix it by zeroing queue pointer after freeing queue in rxe_qp_from_init()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA: corrige el use-after-free en rxe_queue_cleanup En la ruta de manejo de errores en rxe_qp_from_init() qp->sq.queue se libera y luego rxe_create_qp() eliminar\u00e1 la \u00faltima referencia a este objeto. La funci\u00f3n de limpieza qp intentar\u00e1 liberar esta cola una vez y provocar\u00e1 un error UAF. Solucionarlo poniendo a cero el puntero de la cola despu\u00e9s de liberar la cola en rxe_qp_from_init()."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/84b01721e8042cdd1e8ffeb648844a09cd4213e0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/acb53e47db1fbc7cd37ab10b46388f045a76e383", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-45832", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T15:15:56.223", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Hennessey Digital Attorney.This issue affects Attorney: from n/a through 3."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n en Hennessey Digital Attorney. Este problema afecta a Attorney: desde n/a hasta 3."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/attorney/wordpress-attorney-theme-3-unauth-arbitrary-content-deletion-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-25697", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T15:15:56.513", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in GamiPress.This issue affects GamiPress: from n/a through 2.5.6."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en GamiPress. Este problema afecta a GamiPress: desde n/a hasta 2.5.6."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/gamipress/wordpress-gamipress-plugin-2-5-6-csrf-leading-to-settings-change-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-36515", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T15:15:56.847", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ThimPress LearnPress.This issue affects LearnPress: from n/a through 4.2.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en ThimPress LearnPress. Este problema afecta a LearnPress: desde n/a hasta 4.2.3."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-4-2-3-unauthenticated-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-36516", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T15:15:57.133", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ThimPress LearnPress.This issue affects LearnPress: from n/a through 4.2.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en ThimPress LearnPress. Este problema afecta a LearnPress: desde n/a hasta 4.2.3."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-4-2-3-authenticated-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-38393", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T15:15:57.420", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Saturday Drive Ninja Forms.This issue affects Ninja Forms: from n/a through 3.6.25."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Saturday Drive Ninja Forms. Este problema afecta a Ninja Forms: desde n/a hasta 3.6.25."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-subscriber-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-38394", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T15:15:57.710", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Artbees JupiterX Core.This issue affects JupiterX Core: from 3.0.0 through 3.3.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Artbees JupiterX Core. Este problema afecta a JupiterX Core: desde 3.0.0 hasta 3.3.0."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/jupiterx-core/wordpress-jupiter-x-core-plugin-3-3-0-multiple-subscriber-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2023-39312", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T15:15:58.020", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ThemeFusion Avada.This issue affects Avada: from n/a through 7.11.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en ThemeFusion Avada. Este problema afecta a Avada: desde n/a hasta 7.11.1."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/avada/wordpress-avada-theme-7-11-1-authenticated-author-unrestricted-zip-extraction-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-22263", "sourceIdentifier": "security@vmware.com", "published": "2024-06-19T15:15:58.327", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization for upload path, a malicious user who has access to skipper server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromises the server."}, {"lang": "es", "value": "Spring Cloud Data Flow es un procesamiento de datos por lotes y streaming basado en microservicios en Cloud Foundry y Kubernetes. El servidor Skipper tiene la capacidad de recibir solicitudes de carga de paquetes. Sin embargo, debido a una sanitizaci\u00f3n inadecuada de la ruta de carga, un usuario malintencionado que tenga acceso a la API del servidor skipper puede utilizar una solicitud de carga manipulada para escribir un archivo arbitrario en cualquier ubicaci\u00f3n del sistema de archivos e incluso puede comprometer el servidor."}], "metrics": {"cvssMetricV31": [{"source": "security@vmware.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://spring.io/security/cve-2024-22263", "source": "security@vmware.com"}]}}, {"cve": {"id": "CVE-2024-34443", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T15:15:59.230", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ThemePunch OHG Slider Revolution allows Stored XSS.This issue affects Slider Revolution: from n/a before 6.7.11."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en ThemePunch OHG Slider Revolution permite XSS Almacenado. Este problema afecta a Slider Revolution: desde n/a antes de 6.7.11."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/articles/unauthenticated-xss-vulnerability-patched-in-slider-revolution-plugin?_s_id=cve", "source": "audit@patchstack.com"}, {"url": "https://patchstack.com/database/vulnerability/revslider/wordpress-slider-revolution-plugin-6-7-11-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-34444", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-19T15:15:59.530", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ThemePunch OHG Slider Revolution.This issue affects Slider Revolution: from n/a before 6.7.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en ThemePunch OHG Slider Revolution. Este problema afecta a Slider Revolution: desde n/a antes de 6.7.0."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/articles/unauthenticated-xss-vulnerability-patched-in-slider-revolution-plugin?_s_id=cve", "source": "audit@patchstack.com"}, {"url": "https://patchstack.com/database/vulnerability/revslider/wordpress-slider-revolution-plugin-6-7-0-unauthenticated-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-32030", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-19T17:15:57.863", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. A potential attacker can exploit this feature by connecting Kafka UI backend to its own malicious broker. This vulnerability affects the deployments where one of the following occurs: 1. dynamic.config.enabled property is set in settings. It's not enabled by default, but it's suggested to be enabled in many tutorials for Kafka UI, including its own README.md. OR 2. an attacker has access to the Kafka cluster that is being connected to Kafka UI. In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well. Instead of setting up a legitimate JMX port, an attacker can create an RMI listener that returns a malicious serialized object for any RMI call. In the worst case it could lead to remote code execution as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution. This is particularly dangerous as Kafka-UI does not have authentication enabled by default. This issue has been addressed in version 0.7.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. These issues were discovered and reported by the GitHub Security lab and is also tracked as GHSL-2023-230."}, {"lang": "es", "value": "Kafka UI es una interfaz de usuario web de c\u00f3digo abierto para la administraci\u00f3n de Apache Kafka. La API de Kafka UI permite a los usuarios conectarse a diferentes corredores de Kafka especificando su direcci\u00f3n de red y puerto. Como caracter\u00edstica independiente, tambi\u00e9n brinda la capacidad de monitorear el desempe\u00f1o de los corredores de Kafka conect\u00e1ndose a sus puertos JMX. JMX se basa en el protocolo RMI, por lo que es inherentemente susceptible a ataques de deserializaci\u00f3n. Un atacante potencial puede aprovechar esta caracter\u00edstica conectando el backend de la interfaz de usuario de Kafka a su propio agente malicioso. Esta vulnerabilidad afecta las implementaciones donde ocurre una de las siguientes situaciones: 1. La propiedad dynamic.config.enabled est\u00e1 configurada en la configuraci\u00f3n. No est\u00e1 habilitado de forma predeterminada, pero se sugiere habilitarlo en muchos tutoriales para Kafka UI, incluido su propio README.md. O 2. un atacante tiene acceso al cl\u00faster de Kafka que se est\u00e1 conectando a la interfaz de usuario de Kafka. En este escenario, el atacante puede aprovechar esta vulnerabilidad para ampliar su acceso y ejecutar c\u00f3digo tambi\u00e9n en la interfaz de usuario de Kafka. En lugar de configurar un puerto JMX leg\u00edtimo, un atacante puede crear un detector RMI que devuelva un objeto serializado malicioso para cualquier llamada RMI. En el peor de los casos, podr\u00eda conducir a la ejecuci\u00f3n remota de c\u00f3digo, ya que Kafka UI tiene las cadenas de dispositivos necesarias en su classpath. Este problema puede provocar la ejecuci\u00f3n remota de c\u00f3digo posterior a la autenticaci\u00f3n. Esto es particularmente peligroso ya que Kafka-UI no tiene la autenticaci\u00f3n habilitada de forma predeterminada. Este problema se solucion\u00f3 en la versi\u00f3n 0.7.2. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad. Estos problemas fueron descubiertos e informados por el laboratorio de seguridad de GitHub y tambi\u00e9n se rastrean como GHSL-2023-230."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://github.com/provectus/kafka-ui/commit/83b5a60cc08501b570a0c4d0b4cdfceb1b88d6b7#diff-37e769f4709c1e78c076a5949bbcead74e969725bfd89c7c4ba6d6f229a411e6R36", "source": "security-advisories@github.com"}, {"url": "https://github.com/provectus/kafka-ui/pull/4427", "source": "security-advisories@github.com"}, {"url": "https://securitylab.github.com/advisories/GHSL-2023-229_GHSL-2023-230_kafka-ui/", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-36115", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-19T18:15:10.597", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Reposilite is an open source, lightweight and easy-to-use repository manager for Maven based artifacts in JVM ecosystem. As a Maven repository manager, Reposilite provides the ability to view the artifacts content in the browser, as well as perform administrative tasks via API. The problem lies in the fact that the artifact's content is served via the same origin (protocol/host/port) as the Admin UI. If the artifact contains HTML content with javascript inside, the javascript is executed within the same origin. Therefore, if an authenticated user is viewing the artifacts content, the javascript inside can access the browser's local storage where the user's password (aka 'token-secret') is stored. It is especially dangerous in scenarios where Reposilite is configured to mirror third party repositories, like the Maven Central Repository. Since anyone can publish an artifact to Maven Central under its own name, such malicious packages can be used to attack the Reposilite instance. This issue may lead to the full Reposilite instance compromise. If this attack is performed against the admin user, it's possible to use the admin API to modify settings and artifacts on the instance. In the worst case scenario, an attacker would be able to obtain the Remote code execution on all systems that use artifacts from Reposilite. It's important to note that the attacker does not need to lure a victim user to use a malicious artifact, but just open a link in the browser. This link can be silently loaded among the other HTML content, making this attack unnoticeable. Even if the Reposilite instance is located in an isolated environment, such as behind a VPN or in the local network, this attack is still possible as it can be performed from the admin browser. Reposilite has addressed this issue in version 3.5.12. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue was discovered and reported by the GitHub Security lab and is also tracked as GHSL-2024-072."}, {"lang": "es", "value": "Reposilite es un administrador de repositorio de c\u00f3digo abierto, liviano y f\u00e1cil de usar para artefactos basados en Maven en el ecosistema JVM. Como administrador de repositorio de Maven, Reposilite brinda la capacidad de ver el contenido de los artefactos en el navegador, as\u00ed como realizar tareas administrativas a trav\u00e9s de API. El problema radica en el hecho de que el contenido del artefacto se entrega a trav\u00e9s del mismo origen (protocolo/host/puerto) que la interfaz de usuario del administrador. Si el artefacto contiene contenido HTML con javascript dentro, el javascript se ejecuta dentro del mismo origen. Por lo tanto, si un usuario autenticado est\u00e1 viendo el contenido de los artefactos, el javascript interno puede acceder al almacenamiento local del navegador donde se almacena la contrase\u00f1a del usuario (tambi\u00e9n conocida como 'token-secret'). Es especialmente peligroso en escenarios donde Reposilite est\u00e1 configurado para reflejar repositorios de terceros, como el Repositorio Central de Maven. Dado que cualquiera puede publicar un artefacto en Maven Central con su propio nombre, dichos paquetes maliciosos se pueden utilizar para atacar la instancia de Reposilite. Este problema puede provocar que la instancia de Reposilite se vea comprometida por completo. Si este ataque se realiza contra el usuario administrador, es posible utilizar la API de administrador para modificar la configuraci\u00f3n y los artefactos en la instancia. En el peor de los casos, un atacante podr\u00eda obtener la ejecuci\u00f3n remota de c\u00f3digo en todos los sistemas que utilicen artefactos de Reposilite. Es importante tener en cuenta que el atacante no necesita atraer al usuario v\u00edctima para que utilice un artefacto malicioso, sino simplemente abrir un enlace en el navegador. Este enlace se puede cargar silenciosamente entre el resto del contenido HTML, lo que hace que este ataque pase desapercibido. Incluso si la instancia de Reposilite est\u00e1 ubicada en un entorno aislado, como detr\u00e1s de una VPN o en la red local, este ataque a\u00fan es posible ya que se puede realizar desde el navegador de administraci\u00f3n. Reposilite ha solucionado este problema en la versi\u00f3n 3.5.12. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad. Este problema fue descubierto e informado por el laboratorio de seguridad de GitHub y tambi\u00e9n se rastrea como GHSL-2024-072."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/dzikoysk/reposilite/commit/279a472015ec675c1da449d902dc82e4dd578484", "source": "security-advisories@github.com"}, {"url": "https://github.com/dzikoysk/reposilite/commit/d11609f427aba255e0f6f54b1105d5d20ab043cf", "source": "security-advisories@github.com"}, {"url": "https://github.com/dzikoysk/reposilite/releases/tag/3.5.12", "source": "security-advisories@github.com"}, {"url": "https://github.com/dzikoysk/reposilite/security/advisories/GHSA-9w8w-34vr-65j2", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-36116", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-19T18:15:10.910", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Reposilite is an open source, lightweight and easy-to-use repository manager for Maven based artifacts in JVM ecosystem. Reposilite provides support for JavaDocs files, which are archives that contain documentation for artifacts. Specifically, JavadocEndpoints.kt controller allows to expand the javadoc archive into the server's file system and return its content. The problem is in the way how the archives are expanded, specifically how the new filename is created. The `file.name` taken from the archive can contain path traversal characters, such as '/../../../anything.txt', so the resulting extraction path can be outside the target directory. If the archive is taken from an untrusted source, such as Maven Central or JitPack for example, an attacker can craft a special archive to overwrite any local file on Reposilite instance. This could lead to remote code execution, for example by placing a new plugin into the '$workspace$/plugins' directory. Alternatively, an attacker can overwrite the content of any other package. Note that the attacker can use its own malicious package from Maven Central to overwrite any other package on Reposilite. Reposilite has addressed this issue in version 3.5.12. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue was discovered and reported by the GitHub Security lab and is also tracked as GHSL-2024-073."}, {"lang": "es", "value": "Reposilite es un administrador de repositorio de c\u00f3digo abierto, liviano y f\u00e1cil de usar para artefactos basados en Maven en el ecosistema JVM. Reposilite brinda soporte para archivos JavaDocs, que son archivos que contienen documentaci\u00f3n para artefactos. Espec\u00edficamente, el controlador JavadocEndpoints.kt permite expandir el archivo javadoc al sistema de archivos del servidor y devolver su contenido. El problema est\u00e1 en la forma en que se expanden los archivos, espec\u00edficamente en c\u00f3mo se crea el nuevo nombre de archivo. El `file.name` tomado del archivo puede contener caracteres de path traversal, como '/../../../anything.txt', por lo que la ruta de extracci\u00f3n resultante puede estar fuera del directorio de destino. Si el archivo se toma de una fuente que no es de confianza, como Maven Central o JitPack, por ejemplo, un atacante puede crear un archivo especial para sobrescribir cualquier archivo local en la instancia de Reposilite. Esto podr\u00eda conducir a la ejecuci\u00f3n remota de c\u00f3digo, por ejemplo, colocando un nuevo complemento en el directorio '$workspace$/plugins'. Alternativamente, un atacante puede sobrescribir el contenido de cualquier otro paquete. Tenga en cuenta que el atacante puede utilizar su propio paquete malicioso de Maven Central para sobrescribir cualquier otro paquete en Reposilite. Reposilite ha solucionado este problema en la versi\u00f3n 3.5.12. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad. Este problema fue descubierto e informado por el laboratorio de seguridad de GitHub y tambi\u00e9n se rastrea como GHSL-2024-073."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/dzikoysk/reposilite/commit/848173738e4375482c70365db5cebae29f125eaa", "source": "security-advisories@github.com"}, {"url": "https://github.com/dzikoysk/reposilite/releases/tag/3.5.12", "source": "security-advisories@github.com"}, {"url": "https://github.com/dzikoysk/reposilite/security/advisories/GHSA-frvj-cfq4-3228", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-36117", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-19T18:15:11.220", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Reposilite is an open source, lightweight and easy-to-use repository manager for Maven based artifacts in JVM ecosystem. Reposilite v3.5.10 is affected by an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files. Reposilite has addressed this issue in version 3.5.12. There are no known workarounds for this vulnerability. This issue was discovered and reported by the GitHub Security lab and is also tracked as GHSL-2024-074."}, {"lang": "es", "value": "Reposilite es un administrador de repositorio de c\u00f3digo abierto, liviano y f\u00e1cil de usar para artefactos basados en Maven en el ecosistema JVM. Reposilite v3.5.10 se ve afectado por una vulnerabilidad de lectura arbitraria de archivos a trav\u00e9s del recorrido de ruta mientras sirve archivos javadoc expandidos. Reposilite ha solucionado este problema en la versi\u00f3n 3.5.12. No se conocen workarounds para esta vulnerabilidad. Este problema fue descubierto e informado por el laboratorio de seguridad de GitHub y tambi\u00e9n se rastrea como GHSL-2024-074."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/dzikoysk/reposilite/releases/tag/3.5.12", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-38352", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-19T18:15:11.507", "lastModified": "2024-06-19T18:15:11.507", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: CVE was assigned in error."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2024-34993", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-19T20:15:11.053", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the module \"Bulk Export products to Google Merchant-Google Shopping\" (bagoogleshopping) up to version 1.0.26 from Buy Addons for PrestaShop, a guest can perform SQL injection via`GenerateCategories::renderCategories()."}, {"lang": "es", "value": "En el m\u00f3dulo \"Exportaci\u00f3n masiva de productos a Google Merchant-Google Shopping\" (bagoogleshopping) hasta la versi\u00f3n 1.0.26 de Buy Addons for PrestaShop, un invitado puede realizar una inyecci\u00f3n SQL a trav\u00e9s de `GenerateCategories::renderCategories()."}], "metrics": {}, "references": [{"url": "https://github.com/friends-of-presta/security-advisories/blob/main/_posts/2024-06-18-bagoogleshopping.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38355", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-19T20:15:11.180", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n"}, {"lang": "es", "value": "Socket.IO es un framework de comunicaci\u00f3n de c\u00f3digo abierto, en tiempo real, bidireccional y basado en eventos. Un paquete Socket.IO especialmente manipulado puede desencadenar una excepci\u00f3n no detectada en el servidor Socket.IO, matando as\u00ed el proceso Node.js. Este problema se solucion\u00f3 mediante el commit `15af22fc22` que se incluy\u00f3 en `socket.io@4.6.2` (publicado en mayo de 2023). La soluci\u00f3n tambi\u00e9n se respald\u00f3 en la rama 2.x con el commit `d30630ba10`. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden adjuntar un detector del evento \"error\" para detectar estos errores."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-754"}]}], "references": [{"url": "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", "source": "security-advisories@github.com"}, {"url": "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", "source": "security-advisories@github.com"}, {"url": "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-38356", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-19T20:15:11.453", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE\u2019s content extraction code. When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the `noneditable_regexp` option, any content within an attribute is properly verified to match the configured regular expression before being added. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}, {"lang": "es", "value": "TinyMCE es un editor de texto enriquecido de c\u00f3digo abierto. Se descubri\u00f3 una vulnerabilidad de cross-site scripting (XSS) en el c\u00f3digo de extracci\u00f3n de contenido de TinyMCE. Al utilizar la opci\u00f3n `noneditable_regexp`, se pod\u00edan ejecutar atributos HTML especialmente manipulados que conten\u00edan c\u00f3digo malicioso cuando se extra\u00eda el contenido del editor. Esta vulnerabilidad se ha solucionado en TinyMCE 7.2.0, TinyMCE 6.8.4 y TinyMCE 5.11.0 LTS garantizando que, al utilizar la opci\u00f3n `noneditable_regexp`, se verifique correctamente que cualquier contenido dentro de un atributo coincida con la expresi\u00f3n regular configurada antes de agregarlo. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d", "source": "security-advisories@github.com"}, {"url": "https://github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph", "source": "security-advisories@github.com"}, {"url": "https://owasp.org/www-community/attacks/xss", "source": "security-advisories@github.com"}, {"url": "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview", "source": "security-advisories@github.com"}, {"url": "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-38357", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-19T20:15:11.727", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE\u2019s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}, {"lang": "es", "value": "TinyMCE es un editor de texto enriquecido de c\u00f3digo abierto. Se descubri\u00f3 una vulnerabilidad de cross-site scripting (XSS) en el c\u00f3digo de an\u00e1lisis de contenido de TinyMCE. Esto permiti\u00f3 que se ejecutaran elementos noscript especialmente manipulados que conten\u00edan c\u00f3digo malicioso cuando ese contenido se cargaba en el editor. Esta vulnerabilidad se ha solucionado en TinyMCE 7.2.0, TinyMCE 6.8.4 y TinyMCE 5.11.0 LTS garantizando que el contenido dentro de los elementos noscript se analice correctamente. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d", "source": "security-advisories@github.com"}, {"url": "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x", "source": "security-advisories@github.com"}, {"url": "https://owasp.org/www-community/attacks/xss", "source": "security-advisories@github.com"}, {"url": "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview", "source": "security-advisories@github.com"}, {"url": "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-38358", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-19T20:15:11.990", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Wasmer is a web assembly (wasm) Runtime supporting WASIX, WASI and Emscripten. If the preopened directory has a symlink pointing outside, WASI programs can traverse the symlink and access host filesystem if the caller sets both `oflags::creat` and `rights::fd_write`. Programs can also crash the runtime by creating a symlink pointing outside with `path_symlink` and `path_open`ing the link. This issue has been addressed in commit `b9483d022` which has been included in release version 4.3.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Wasmer es un tiempo de ejecuci\u00f3n de ensamblaje web (wasm) que admite WASIX, WASI y Emscripten. Si el directorio preabierto tiene un enlace simb\u00f3lico que apunta hacia afuera, los programas WASI pueden atravesar el enlace simb\u00f3lico y acceder al sistema de archivos del host si la persona que llama configura tanto `oflags::creat` como `rights::fd_write`. Los programas tambi\u00e9n pueden bloquear el tiempo de ejecuci\u00f3n al crear un enlace simb\u00f3lico que apunte hacia afuera con `path_symlink` y `path_open` en el enlace. Este problema se solucion\u00f3 en el commit `b9483d022` que se incluy\u00f3 en la versi\u00f3n 4.3.2. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW"}, "exploitabilityScore": 1.4, "impactScore": 1.4}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/wasmerio/wasmer/commit/b9483d022c602b994103f78ecfe46f017f8ac662", "source": "security-advisories@github.com"}, {"url": "https://github.com/wasmerio/wasmer/security/advisories/GHSA-55f3-3qvg-8pv5", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-33836", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-19T21:15:56.920", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the module \"JA Marketplace\" (jamarketplace) up to version 9.0.1 from JA Module for PrestaShop, a guest can upload files with extensions .php. In version 6.X, the method `JmarketplaceproductModuleFrontController::init()` and in version 8.X, the method `JmarketplaceSellerproductModuleFrontController::init()` allow upload of .php files, which will lead to a critical vulnerability."}, {"lang": "es", "value": "En el m\u00f3dulo \"JA Marketplace\" (jamarketplace) hasta la versi\u00f3n 9.0.1 del M\u00f3dulo JA para PrestaShop, un invitado puede cargar archivos con extensiones .php. En la versi\u00f3n 6.X, el m\u00e9todo `JmarketplaceproductModuleFrontController::init()` y en la versi\u00f3n 8.X, el m\u00e9todo `JmarketplaceSellerproductModuleFrontController::init()` permiten cargar archivos .php, lo que conducir\u00e1 a una vulnerabilidad cr\u00edtica."}], "metrics": {}, "references": [{"url": "https://github.com/friends-of-presta/security-advisories/blob/main/_posts/2024-06-18-jamarketplace.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-34990", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-19T21:15:57.023", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the module \"Help Desk - Customer Support Management System\" (helpdesk) up to version 2.4.0 from FME Modules for PrestaShop, a customer can upload .php files. Methods `HelpdeskHelpdeskModuleFrontController::submitTicket()` and `HelpdeskHelpdeskModuleFrontController::replyTicket()` allow upload of .php files on a predictable path for connected customers."}, {"lang": "es", "value": "En el m\u00f3dulo \"Help Desk - Sistema de gesti\u00f3n de atenci\u00f3n al cliente\" (helpdesk) hasta la versi\u00f3n 2.4.0 de los M\u00f3dulos FME para PrestaShop, un cliente puede cargar archivos .php. Los m\u00e9todos `HelpdeskHelpdeskModuleFrontController::submitTicket()` y `HelpdeskHelpdeskModuleFrontController::replyTicket()` permiten cargar archivos .php en una ruta predecible para los clientes conectados."}], "metrics": {}, "references": [{"url": "https://github.com/friends-of-presta/security-advisories/blob/main/_posts/2024-06-18-helpdesk.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-34994", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-19T21:15:57.130", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the module \"Channable\" (channable) up to version 3.2.1 from Channable for PrestaShop, a guest can perform SQL injection via `ChannableFeedModuleFrontController::postProcess()`."}, {"lang": "es", "value": "En el m\u00f3dulo \"Channable\" (channable) hasta la versi\u00f3n 3.2.1 de Channable para PrestaShop, un invitado puede realizar una inyecci\u00f3n SQL a trav\u00e9s de `ChannableFeedModuleFrontController::postProcess()`."}], "metrics": {}, "references": [{"url": "https://github.com/friends-of-presta/security-advisories/blob/main/_posts/2024-06-18-channable.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36677", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-19T21:15:57.257", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the module \"Login as customer PRO\" (loginascustomerpro) <1.2.7 from Weblir for PrestaShop, a guest can access direct link to connect to each customer account of the Shop if the module is not installed OR if a secret accessible to administrator is stolen."}, {"lang": "es", "value": "En el m\u00f3dulo \"Iniciar sesi\u00f3n como cliente PRO\" (loginascustomerpro) <1.2.7 de Weblir para PrestaShop, un invitado puede acceder a un enlace directo para conectarse a cada cuenta de cliente de la Tienda si el m\u00f3dulo no est\u00e1 instalado O si hay un secreto accesible para el administrador. robado."}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/18/loginascustomerpro.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36678", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-19T21:15:57.363", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the module \"Theme settings\" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection."}, {"lang": "es", "value": "En el m\u00f3dulo \"Configuraci\u00f3n del tema\" (pk_themesettings) <= 1.8.8 de Promokit.eu para PrestaShop, un invitado puede realizar una inyecci\u00f3n SQL. El script ajax.php tiene una llamada SQL sensible que puede ejecutarse con una llamada http trivial y explotarse para falsificar una inyecci\u00f3n SQL."}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/18/pk_themesettings.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36679", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-19T21:15:57.470", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the module \"Module Live Chat Pro (All in One Messaging)\" (livechatpro) <=8.4.0, a guest can perform PHP Code injection. Due to a predictable token, the method `Lcp::saveTranslations()` suffer of a white writer that can inject PHP code into a PHP file."}, {"lang": "es", "value": "En el m\u00f3dulo \"M\u00f3dulo Live Chat Pro (Mensajer\u00eda todo en uno)\" (livechatpro) <=8.4.0, un invitado puede realizar la inyecci\u00f3n de c\u00f3digo PHP. Debido a un token predecible, el m\u00e9todo `Lcp::saveTranslations()` sufre de un escritor blanco que puede inyectar c\u00f3digo PHP en un archivo PHP."}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/18/livechatpro.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36680", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-19T21:15:57.577", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the module \"Facebook\" (pkfacebook) <=1.0.1 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The ajax script facebookConnect.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection."}, {"lang": "es", "value": "En el m\u00f3dulo \"Facebook\" (pkfacebook) <=1.0.1 de Promokit.eu para PrestaShop, un invitado puede realizar una inyecci\u00f3n SQL. El script ajax facebookConnect.php tiene una llamada SQL sensible que puede ejecutarse con una llamada http trivial y explotarse para falsificar una inyecci\u00f3n SQL."}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/18/pkfacebook.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36684", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-19T21:15:57.680", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the module \"Custom links\" (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection."}, {"lang": "es", "value": "En el m\u00f3dulo \"Enlaces personalizados\" (pk_customlinks) <= 2.3 de Promokit.eu para PrestaShop, un invitado puede realizar una inyecci\u00f3n SQL. El script ajax.php tiene una llamada SQL sensible que puede ejecutarse con una llamada http trivial y explotarse para falsificar una inyecci\u00f3n SQL."}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/18/pk_customlinks.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-5182", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-20T00:15:09.487", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the `model` parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated `model` parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This vulnerability is due to insufficient input validation and sanitization of the `model` parameter."}, {"lang": "es", "value": "Existe una vulnerabilidad de path traversal en mudler/localai versi\u00f3n 2.14.0, donde un atacante puede explotar el par\u00e1metro `model` durante el proceso de eliminaci\u00f3n del modelo para eliminar archivos arbitrarios. Espec\u00edficamente, al elaborar una solicitud con un par\u00e1metro \"modelo\" manipulado, un atacante puede atravesar la estructura del directorio y apuntar a archivos fuera del directorio deseado, lo que lleva a la eliminaci\u00f3n de datos confidenciales. Esta vulnerabilidad se debe a una validaci\u00f3n de entrada y una sanitizaci\u00f3n insuficientes del par\u00e1metro \"modelo\"."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/f7a87f29-c22a-48e8-9fce-b6d5a273e545", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-6100", "sourceIdentifier": "chrome-cve-admin@google.com", "published": "2024-06-20T00:15:09.810", "lastModified": "2024-06-21T13:15:13.077", "vulnStatus": "Modified", "descriptions": [{"lang": "en", "value": "Type Confusion in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)"}, {"lang": "es", "value": "Type Confusion en V8 en Google Chrome anterior a 126.0.6478.114 permit\u00eda a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s de una p\u00e1gina HTML manipulada. (Severidad de seguridad de Chrome: alta)"}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-843"}]}, {"source": "chrome-cve-admin@google.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-843"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "versionEndExcluding": "126.0.6478.114", "matchCriteriaId": "1B82B0A4-B5BC-4639-AA1D-FD1B3E501892"}]}]}], "references": [{"url": "https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_18.html", "source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"]}, {"url": "https://issues.chromium.org/issues/344608204", "source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HYUEHZ35ZPY2EONVZCGO6LPT3AMLZCP/", "source": "chrome-cve-admin@google.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5NRNCEYS246CYGOR32MF7OGKWOWER22/", "source": "chrome-cve-admin@google.com"}]}}, {"cve": {"id": "CVE-2024-6101", "sourceIdentifier": "chrome-cve-admin@google.com", "published": "2024-06-20T00:15:09.967", "lastModified": "2024-06-21T13:15:13.187", "vulnStatus": "Modified", "descriptions": [{"lang": "en", "value": "Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)"}, {"lang": "es", "value": "La implementaci\u00f3n inapropiada en V8 en Google Chrome anterior a 126.0.6478.114 permiti\u00f3 a un atacante remoto realizar acceso a la memoria fuera de los l\u00edmites a trav\u00e9s de una p\u00e1gina HTML manipulada. (Severidad de seguridad de Chrome: alta)"}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "versionEndExcluding": "126.0.6478.114", "matchCriteriaId": "1B82B0A4-B5BC-4639-AA1D-FD1B3E501892"}]}]}], "references": [{"url": "https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_18.html", "source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"]}, {"url": "https://issues.chromium.org/issues/343748812", "source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HYUEHZ35ZPY2EONVZCGO6LPT3AMLZCP/", "source": "chrome-cve-admin@google.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5NRNCEYS246CYGOR32MF7OGKWOWER22/", "source": "chrome-cve-admin@google.com"}]}}, {"cve": {"id": "CVE-2024-6102", "sourceIdentifier": "chrome-cve-admin@google.com", "published": "2024-06-20T00:15:10.053", "lastModified": "2024-06-21T13:15:13.277", "vulnStatus": "Modified", "descriptions": [{"lang": "en", "value": "Out of bounds memory access in Dawn in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}, {"lang": "es", "value": "El acceso a memoria fuera de los l\u00edmites en Dawn en Google Chrome anterior a 126.0.6478.114 permit\u00eda a un atacante remoto explotar potencialmente la corrupci\u00f3n del mont\u00f3n a trav\u00e9s de una p\u00e1gina HTML manipulada. (Severidad de seguridad de Chrome: alta)"}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "versionEndExcluding": "126.0.6478.114", "matchCriteriaId": "1B82B0A4-B5BC-4639-AA1D-FD1B3E501892"}]}]}], "references": [{"url": "https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_18.html", "source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"]}, {"url": "https://issues.chromium.org/issues/339169163", "source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HYUEHZ35ZPY2EONVZCGO6LPT3AMLZCP/", "source": "chrome-cve-admin@google.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5NRNCEYS246CYGOR32MF7OGKWOWER22/", "source": "chrome-cve-admin@google.com"}]}}, {"cve": {"id": "CVE-2024-6103", "sourceIdentifier": "chrome-cve-admin@google.com", "published": "2024-06-20T00:15:10.133", "lastModified": "2024-06-21T13:15:13.350", "vulnStatus": "Modified", "descriptions": [{"lang": "en", "value": "Use after free in Dawn in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}, {"lang": "es", "value": "Use after free en Dawn en Google Chrome anterior a 126.0.6478.114 permit\u00eda a un atacante remoto explotar potencialmente la corrupci\u00f3n del mont\u00f3n a trav\u00e9s de una p\u00e1gina HTML manipulada. (Severidad de seguridad de Chrome: alta)"}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}, {"source": "chrome-cve-admin@google.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "versionEndExcluding": "126.0.6478.114", "matchCriteriaId": "1B82B0A4-B5BC-4639-AA1D-FD1B3E501892"}]}]}], "references": [{"url": "https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_18.html", "source": "chrome-cve-admin@google.com", "tags": ["Third Party Advisory"]}, {"url": "https://issues.chromium.org/issues/344639860", "source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HYUEHZ35ZPY2EONVZCGO6LPT3AMLZCP/", "source": "chrome-cve-admin@google.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5NRNCEYS246CYGOR32MF7OGKWOWER22/", "source": "chrome-cve-admin@google.com"}]}}, {"cve": {"id": "CVE-2024-6176", "sourceIdentifier": "product.security@lge.com", "published": "2024-06-20T01:15:49.023", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling vulnerability in LG Electronics LG SuperSign CMS allows Port Scanning.This issue affects LG SuperSign CMS: from 4.1.3 before < 4.3.1."}, {"lang": "es", "value": "Asignaci\u00f3n de recursos sin l\u00edmites o vulnerabilidad de limitaci\u00f3n en LG Electronics LG SuperSign CMS permite el escaneo de puertos. Este problema afecta a LG SuperSign CMS: desde 4.1.3 antes < 4.3.1."}], "metrics": {}, "weaknesses": [{"source": "product.security@lge.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "references": [{"url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails", "source": "product.security@lge.com"}]}}, {"cve": {"id": "CVE-2023-3204", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T02:15:09.147", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Materialis theme for WordPress is vulnerable to limited arbitrary options updates in versions up to, and including, 1.1.24. This is due to missing authorization checks on the companion_disable_popup() function called via an AJAX action. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to modify any option on the site to a numerical value."}, {"lang": "es", "value": "El tema Materialis para WordPress es vulnerable a actualizaciones limitadas de opciones arbitrarias en versiones hasta la 1.1.24 incluida. Esto se debe a que faltan comprobaciones de autorizaci\u00f3n en la funci\u00f3n complementario_disable_popup() llamada mediante una acci\u00f3n AJAX. Esto hace posible que atacantes autenticados, con permisos m\u00ednimos, como suscriptores, modifiquen cualquier opci\u00f3n en el sitio a un valor num\u00e9rico."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "references": [{"url": "https://themes.trac.wordpress.org/browser/materialis/1.1.20/inc/companion.php#L45", "source": "security@wordfence.com"}, {"url": "https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=231816%40materialis&new=231816%40materialis&sfp_email=&sfph_mail=#file6", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e05094-8344-4388-a703-518daf3d2948?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-1168", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T02:15:09.420", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The SEOPress \u2013 On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's social image URL in all versions up to, and including, 7.9 due to insufficient input sanitization and output escaping on user supplied image URLs. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento SEOPress \u2013 On-site SEO para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de la URL de la imagen social del complemento en todas las versiones hasta la 7.9 incluida debido a una sanitizaci\u00f3n de entrada insuficiente y a un escape de salida en las URL de im\u00e1genes proporcionadas por el usuario. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://wordpress.org/plugins/wp-seopress/#developers", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c446f429-1981-4d6d-a5ec-a5837428d212?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-3558", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T02:15:09.663", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the 'cfs[post_title]' parameter versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Custom Field Suite para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de las versiones del par\u00e1metro 'cfs[post_title]' hasta la 2.6.7 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://core.trac.wordpress.org/ticket/56655", "source": "security@wordfence.com"}, {"url": "https://en-gb.wordpress.org/plugins/custom-field-suite/", "source": "security@wordfence.com"}, {"url": "https://github.com/WordPress/WordPress/blob/22d95abc55824e83904dc0fef290464b6bec7708/wp-admin/includes/template.php#L1384", "source": "security@wordfence.com"}, {"url": "https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/api.php#L282", "source": "security@wordfence.com"}, {"url": "https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/field_group.php#L20", "source": "security@wordfence.com"}, {"url": "https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/form.php#L64", "source": "security@wordfence.com"}, {"url": "https://mgibbs189.github.io/custom-field-suite/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e4dc6fd-4bd5-4ed1-ade0-cf2f8831fac3?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-3561", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T02:15:09.920", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Custom Field Suite plugin for WordPress is vulnerable to SQL Injection via the the 'Term' custom field in all versions up to, and including, 2.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El complemento Custom Field Suite para WordPress es vulnerable a la inyecci\u00f3n SQL a trav\u00e9s del campo personalizado 'T\u00e9rmino' en todas las versiones hasta la 2.6.7 incluida debido a un escape insuficiente en el par\u00e1metro proporcionado por el usuario y a la falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible que los atacantes autenticados, con acceso de nivel de colaborador y superior, agreguen consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n confidencial de la base de datos."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://en-gb.wordpress.org/plugins/custom-field-suite/", "source": "security@wordfence.com"}, {"url": "https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/fields/term.php#L58", "source": "security@wordfence.com"}, {"url": "https://mgibbs189.github.io/custom-field-suite/field-types/term.html", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afc00118-e87e-475a-8ad6-b68d09ee2e44?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-3562", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T02:15:10.140", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Custom Field Suite plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.6.7 via the Loop custom field. This is due to insufficient sanitization of input prior to being used in a call to the eval() function. This makes it possible for authenticated attackers, with contributor-level access and above, to execute arbitrary PHP code on the server."}, {"lang": "es", "value": "El complemento Custom Field Suite para WordPress es vulnerable a la inyecci\u00f3n de c\u00f3digo PHP en todas las versiones hasta la 2.6.7 incluida a trav\u00e9s del campo personalizado Loop. Esto se debe a una limpieza insuficiente de la entrada antes de usarla en una llamada a la funci\u00f3n eval(). Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, ejecuten c\u00f3digo PHP arbitrario en el servidor."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/fields/loop.php#L192", "source": "security@wordfence.com"}, {"url": "https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/fields/loop.php#L224", "source": "security@wordfence.com"}, {"url": "https://mgibbs189.github.io/custom-field-suite/field-types/loop.html", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dfd7b788-03a0-41a4-96f2-cfca74ef281b?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-3597", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T02:15:10.363", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.2.2. This is due to insufficient validation on the redirect url supplied via the rc_exported_zip_file parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action."}, {"lang": "es", "value": "El complemento Export WP Page to Static HTML/CSS para WordPress es vulnerable a Open Redirect en todas las versiones hasta la 2.2.2 incluida. Esto se debe a una validaci\u00f3n insuficiente de la URL de redireccionamiento proporcionada mediante el par\u00e1metro rc_exported_zip_file. Esto hace posible que atacantes no autenticados redirijan a los usuarios a sitios potencialmente maliciosos si logran enga\u00f1arlos para que realicen una acci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/class-export-wp-page-to-static-html-admin.php#L1289", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/598e2c2e-7dd5-435e-a366-6c7569243f2a?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-3602", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T02:15:10.590", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers \u2013 Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with subscriber access or higher, to remove the Promolayer connection."}, {"lang": "es", "value": "El complemento Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers \u2013 Promolayer para WordPress es vulnerable a actualizaciones no autorizadas de la configuraci\u00f3n del complemento debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n de desconexi\u00f3n_promolayer en todas las versiones hasta, e incluyendo, 1.1.0. Esto hace posible que atacantes autenticados, con acceso de suscriptor o superior, eliminen la conexi\u00f3n de Promolayer."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/promolayer-popup-builder/trunk/admin/class-promolayer-admin.php#L208", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05b051bc-3b1c-412e-b3d0-98ff2c8bc06e?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-3605", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T02:15:10.817", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El complemento WP Hotel Booking para WordPress es vulnerable a la inyecci\u00f3n SQL a trav\u00e9s del par\u00e1metro 'room_type' del endpoint de la API REST /wphb/v1/rooms/search-rooms en todas las versiones hasta la 2.1.0 incluida debido a un escape insuficiente en el par\u00e1metro proporcionado por el usuario y la falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible que atacantes no autenticados agreguen consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n confidencial de la base de datos."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "references": [{"url": "https://wordpress.org/plugins/wp-hotel-booking/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5931ad4e-7de3-41ac-b783-f7e58aaef569?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-3627", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T02:15:11.040", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts and modify settings."}, {"lang": "es", "value": "El complemento Wheel of Life: Coaching and Assessment Tool for Life Coach para WordPress es vulnerable a modificaciones no autorizadas y p\u00e9rdida de datos debido a una falta de verificaci\u00f3n de capacidad en varias funciones en el archivo AjaxFunctions.php en todas las versiones hasta la 1.1.7 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen publicaciones arbitrarias y modifiquen configuraciones."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/wheel-of-life/trunk/includes/functions/AjaxFunctions.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0615d1be-f9fa-45b3-9d5b-3ad1f36be8e1?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4626", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T02:15:11.270", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018layout_type\u2019 and 'id' parameters in all versions up to, and including, 1.0.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento JetWidgets For Elementor para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de los par\u00e1metros 'layout_type' e 'id' en todas las versiones hasta la 1.0.17 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3103042/jetwidgets-for-elementor/tags/1.0.18/includes/addons/jet-widgets-image-comparison.php", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3103042/jetwidgets-for-elementor/tags/1.0.18/includes/addons/jet-widgets-images-layout.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4457d15e-2c01-498d-b94a-a6e93adcf70c?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4742", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T02:15:11.500", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Youzify \u2013 BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the order_by shortcode attribute in all versions up to, and including, 1.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El complemento Youzify \u2013 BuddyPress Community, User Profile, Social Network & Membership Plugin para WordPress es vulnerable a la inyecci\u00f3n SQL a trav\u00e9s del atributo shortcode order_by en todas las versiones hasta la 1.2.5 incluida debido a un escape insuficiente en el par\u00e1metro proporcionado por el usuario. y falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible que los atacantes autenticados, con acceso de nivel de colaborador y superior, agreguen consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n confidencial de la base de datos."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/youzify/trunk/includes/public/core/functions/youzify-account-verification-functions.php#L294", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08bd24ca-eec6-4b62-af49-192496e65a5b?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5432", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T02:15:11.737", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Lifeline Donation plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.6. This is due to insufficient verification on the user being supplied during the checkout through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email."}, {"lang": "es", "value": "El complemento Lifeline Donation para WordPress es vulnerable a la omisi\u00f3n de autenticaci\u00f3n en versiones hasta la 1.2.6 incluida. Esto se debe a una verificaci\u00f3n insuficiente del usuario que se proporciona durante el pago a trav\u00e9s del complemento. Esto hace posible que atacantes no autenticados inicien sesi\u00f3n como cualquier usuario existente en el sitio, como un administrador, si tienen acceso al correo electr\u00f3nico."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/lifeline-donation/trunk/includes/class-lifeline-donation.php?rev=2575844#L292", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/lifeline-donation/trunk/vendor/webinane/webinane-commerce/includes/Classes/Checkout.php?rev=2490935#L125", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e24da0c-13d2-4a3d-b918-0d28e3341d88?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-6177", "sourceIdentifier": "product.security@lge.com", "published": "2024-06-20T02:15:11.980", "lastModified": "2024-06-20T15:17:06.493", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in LG Electronics SuperSign CMS allows Reflected XSS.\u00a0This issue affects SuperSign CMS: from 4.1.3 before < 4.3.1."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en LG Electronics SuperSign CMS permite XSS Reflejado. Este problema afecta a SuperSign CMS: desde 4.1.3 antes < 4.3.1."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "product.security@lge.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lg:supersign_cms:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1.3", "versionEndExcluding": "4.3.1", "matchCriteriaId": "6995A868-E46C-4793-9F8F-03E04879946C"}]}]}], "references": [{"url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails", "source": "product.security@lge.com", "tags": ["Vendor Advisory"]}]}}, {"cve": {"id": "CVE-2024-6178", "sourceIdentifier": "product.security@lge.com", "published": "2024-06-20T02:15:12.123", "lastModified": "2024-06-20T15:16:58.507", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LG Electronics SuperSign CMS allows Reflected XSS.\u00a0This issue affects SuperSign CMS: from 4.1.3 before < 4.3.1."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('cross-site Scripting') en LG Electronics SuperSign CMS permite XSS Reflejado. Este problema afecta a SuperSign CMS: desde 4.1.3 antes < 4.3.1."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "product.security@lge.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lg:supersign_cms:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1.3", "versionEndExcluding": "4.3.1", "matchCriteriaId": "6995A868-E46C-4793-9F8F-03E04879946C"}]}]}], "references": [{"url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails", "source": "product.security@lge.com", "tags": ["Vendor Advisory"]}]}}, {"cve": {"id": "CVE-2024-6179", "sourceIdentifier": "product.security@lge.com", "published": "2024-06-20T02:15:12.257", "lastModified": "2024-06-20T15:16:47.133", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LG Electronics SuperSign CMS allows Reflected XSS.\u00a0This issue affects SuperSign CMS: from 4.1.3 before < 4.3.1."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('cross-site Scripting') en LG Electronics SuperSign CMS permite XSS Reflejado. Este problema afecta a SuperSign CMS: desde 4.1.3 antes < 4.3.1."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "product.security@lge.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lg:supersign_cms:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1.3", "versionEndExcluding": "4.3.1", "matchCriteriaId": "6995A868-E46C-4793-9F8F-03E04879946C"}]}]}], "references": [{"url": "https://lgsecurity.lge.com/bulletins/idproducts#updateDetails", "source": "product.security@lge.com", "tags": ["Vendor Advisory"]}]}}, {"cve": {"id": "CVE-2024-5213", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-20T03:15:09.067", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend. "}, {"lang": "es", "value": "En las versiones de mintplex-labs/anything-llm hasta la 1.5.3 incluida, se descubri\u00f3 un problema por el cual el hash de la contrase\u00f1a de un usuario se devuelve en la respuesta despu\u00e9s de iniciar sesi\u00f3n (`POST /api/request-token`) y despu\u00e9s de la creaci\u00f3n de la cuenta. (`POST /api/admin/usuarios/nuevo`). Esta exposici\u00f3n se produce porque todo el objeto Usuario, incluido el hash de la contrase\u00f1a de bcrypt, se incluye en la respuesta enviada al frontend. Esta pr\u00e1ctica podr\u00eda conducir potencialmente a la exposici\u00f3n de informaci\u00f3n confidencial a pesar del uso de bcrypt, un potente algoritmo hash. Se recomienda no exponer ninguna pista sobre contrase\u00f1as en la interfaz."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1230"}]}], "references": [{"url": "https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-4390", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T04:15:17.857", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Arbitrary Nonce Generation in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with contributor access and above, to generate a valid nonce for any WordPress action/function. This could be used to invoke functionality that is protected only by nonce checks."}, {"lang": "es", "value": "El complemento Slider and Carousel slider by Depicter para WordPress es vulnerable a Arbitrary Nonce Generation en todas las versiones hasta la 3.0.2 incluida. Esto hace posible que los atacantes autenticados con acceso de colaborador y superior generen un nonce v\u00e1lido para cualquier acci\u00f3n/funci\u00f3n de WordPress. Esto podr\u00eda usarse para invocar una funcionalidad que est\u00e1 protegida \u00fanicamente mediante comprobaciones nonce."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/depicter/trunk/app/src/Controllers/Ajax/SecurityAjaxController.php#L14", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3103357%40depicter%2Ftrunk&old=3090538%40depicter%2Ftrunk&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd7c3a5d-b8aa-45cb-983c-55ba7e3d72f3?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5605", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T04:15:18.590", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Media Library Assistant plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018order\u2019 parameter within the mla_tag_cloud Shortcode in all versions up to, and including, 3.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El complemento Media Library Assistant para WordPress es vulnerable a la inyecci\u00f3n SQL basada en tiempo a trav\u00e9s del par\u00e1metro 'order' dentro del c\u00f3digo corto mla_tag_cloud en todas las versiones hasta la 3.16 incluida debido a un escape insuficiente en el par\u00e1metro proporcionado por el usuario y a la falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible que los atacantes autenticados, con acceso de nivel de colaborador y superior, agreguen consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n confidencial de la base de datos."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/media-library-assistant/trunk/includes/class-mla-shortcode-support.php#L2783", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3098232%40media-library-assistant&new=3098232%40media-library-assistant&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://wordpress.org/plugins/media-library-assistant/#developers", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ba8a9f5-0633-4cf0-af27-5466d93e9020?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5686", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T04:15:18.890", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018url\u2019 attribute within the plugin's Team Members widget in all versions up to, and including, 1.1.38 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento WPZOOM Addons for Elementor (Plantillas, Widgets) para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del atributo 'url' dentro del widget Miembros del equipo del complemento en todas las versiones hasta la 1.1.38 incluida debido a una sanitizaci\u00f3n de entrada insuficiente y el escape de salida. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/wpzoom-elementor-addons/tags/1.1.38/includes/widgets/team-members/team-members.php#L1452", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3104212%40wpzoom-elementor-addons&new=3104212%40wpzoom-elementor-addons&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f972ab72-8e68-4ab3-aa7f-e2816de33554?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4565", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-20T06:15:09.950", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct access"}, {"lang": "es", "value": "El complemento Advanced Custom Fields (ACF) WordPress anterior a 6.3, el complemento de Advanced Custom Fields Pro WordPress anterior a 6.3 le permite mostrar valores de campo personalizados para cualquier publicaci\u00f3n mediante un c\u00f3digo corto sin verificar el acceso correcto"}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/430224c4-d6e3-4ca8-b1bc-b2229a9bcf12/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-5475", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-20T06:15:10.077", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Responsive video embed WordPress plugin before 0.5.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks."}, {"lang": "es", "value": "El complemento Responsive video embed de WordPress anterior a 0.5.1 no valida ni escapa algunos de sus atributos de c\u00f3digo corto antes de devolverlos a una p\u00e1gina/publicaci\u00f3n donde se incrusta el c\u00f3digo corto, lo que podr\u00eda permitir a los usuarios con el rol de colaborador y superior realizar ataques de Cross-Site Scripting Almacenado."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/cee66543-b5d6-4205-8f9b-0febd7fee445/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-5522", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-20T06:15:10.197", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks"}, {"lang": "es", "value": "El complemento HTML5 Video Player de WordPress anterior a 2.5.27 no sanitiza ni escapa un par\u00e1metro de una ruta REST antes de usarlo en una declaraci\u00f3n SQL, lo que permite a usuarios no autenticados realizar ataques de inyecci\u00f3n SQL."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/bc76ef95-a2a9-4185-8ed9-1059097a506a/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-6113", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-20T06:15:10.310", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in itsourcecode Monbela Tourist Inn Online Reservation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file login.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The identifier VDB-268865 was assigned to this vulnerability."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en itsourcecode Monbela Tourist Inn Online Reservation System 1.0. Ha sido calificada como cr\u00edtica. Este problema afecta un procesamiento desconocido del archivo login.php. La manipulaci\u00f3n del argumento email conduce a la inyecci\u00f3n de SQL. El ataque puede iniciarse de forma remota. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-268865."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/wangyuan-ui/CVE/issues/3", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.268865", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.268865", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358991", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2023-25646", "sourceIdentifier": "psirt@zte.com.cn", "published": "2024-06-20T07:15:41.340", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "There is an unauthorized access vulnerability in ZTE H388X. If H388X is caused by brute-force serial port cracking,attackers with common user permissions can use this vulnerability to obtain elevated permissions on the affected device by performing specific operations."}, {"lang": "es", "value": "Existe una vulnerabilidad de acceso no autorizado en ZTE H388X. Si H388X es causado por un craqueo del puerto serie por fuerza bruta, los atacantes con permisos de usuario comunes pueden usar esta vulnerabilidad para obtener permisos elevados en el dispositivo afectado mediante la realizaci\u00f3n de operaciones espec\u00edficas."}], "metrics": {"cvssMetricV31": [{"source": "psirt@zte.com.cn", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 0.5, "impactScore": 6.0}]}, "weaknesses": [{"source": "psirt@zte.com.cn", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-281"}]}], "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035844", "source": "psirt@zte.com.cn"}]}}, {"cve": {"id": "CVE-2024-38619", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T07:15:41.830", "lastModified": "2024-06-21T14:15:13.613", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb-storage: alauda: Check whether the media is initialized\n\nThe member \"uzonesize\" of struct alauda_info will remain 0\nif alauda_init_media() fails, potentially causing divide errors\nin alauda_read_data() and alauda_write_lba().\n- Add a member \"media_initialized\" to struct alauda_info.\n- Change a condition in alauda_check_media() to ensure the\n first initialization.\n- Add an error check for the return value of alauda_init_media()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: usb-storage: alauda: compruebe si el medio est\u00e1 inicializado. El miembro \"uzonesize\" de la estructura alauda_info permanecer\u00e1 0 si alauda_init_media() falla, lo que podr\u00eda provocar errores de divisi\u00f3n en alauda_read_data() y alauda_write_lba(). - Agregue un miembro \"media_initialized\" a la estructura alauda_info. - Cambiar una condici\u00f3n en alauda_check_media() para asegurar la primera inicializaci\u00f3n. - Agregue una verificaci\u00f3n de errores para el valor de retorno de alauda_init_media()."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/16637fea001ab3c8df528a8995b3211906165a30", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/24bff7f714bdff97c2a75a0ff6a368cdf8ad5af4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2cc32639ec347e3365075b130f9953ef16cb13f1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e0e2eec76920a133dd49a4fbe4656d83596a1361", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-4098", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T07:15:41.933", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Shariff Wrapper plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.6.13 via the shariff3uu_fetch_sharecounts function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."}, {"lang": "es", "value": "El complemento Shariff Wrapper para WordPress es vulnerable a la inclusi\u00f3n de archivos locales en versiones hasta la 4.6.13 incluida a trav\u00e9s de la funci\u00f3n shariff3uu_fetch_sharecounts. Esto permite a atacantes no autenticados incluir y ejecutar archivos arbitrarios en el servidor, permitiendo la ejecuci\u00f3n de cualquier c\u00f3digo PHP en esos archivos. Esto se puede utilizar para eludir los controles de acceso, obtener datos confidenciales o lograr la ejecuci\u00f3n de c\u00f3digo en los casos en que se puedan cargar e incluir im\u00e1genes y otros tipos de archivos \"seguros\"."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/shariff/trunk/shariff.php#L410", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3103137", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f49fba00-c576-4a1a-8b0b-9ebed3e3d090?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-38620", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T08:15:38.377", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HCI: Remove HCI_AMP support\n\nSince BT_HS has been remove HCI_AMP controllers no longer has any use so\nremove it along with the capability of creating AMP controllers.\n\nSince we no longer need to differentiate between AMP and Primary\ncontrollers, as only HCI_PRIMARY is left, this also remove\nhdev->dev_type altogether."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: Bluetooth: HCI: eliminar la compatibilidad con HCI_AMP Dado que se elimin\u00f3 BT_HS, los controladores HCI_AMP ya no tienen ning\u00fan uso, as\u00ed que elim\u00ednelos junto con la capacidad de crear controladores AMP. Como ya no necesitamos diferenciar entre los controladores AMP y primarios, ya que solo queda HCI_PRIMARY, esto tambi\u00e9n elimina hdev->dev_type por completo."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/5af2e235b0d5b797e9531a00c50058319130e156", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/84a4bb6548a29326564f0e659fb8064503ecc1c7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/af1d425b6dc67cd67809f835dd7afb6be4d43e03", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d3c7b012d912b31ad23b9349c0e499d6dddd48ec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-29012", "sourceIdentifier": "PSIRT@sonicwall.com", "published": "2024-06-20T09:15:11.347", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow vulnerability in the SonicOS HTTP server allows an authenticated remote attacker to cause Denial of Service (DoS) via sscanf function."}, {"lang": "es", "value": "Una vulnerabilidad de desbordamiento de b\u00fafer basada en pila en el servidor HTTP de SonicOS permite que un atacante remoto autenticado provoque una denegaci\u00f3n de servicio (DoS) a trav\u00e9s de la funci\u00f3n sscanf."}], "metrics": {}, "weaknesses": [{"source": "PSIRT@sonicwall.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0008", "source": "PSIRT@sonicwall.com"}]}}, {"cve": {"id": "CVE-2024-29013", "sourceIdentifier": "PSIRT@sonicwall.com", "published": "2024-06-20T09:15:11.543", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Heap-based buffer overflow vulnerability in the SonicOS SSL-VPN allows an authenticated remote attacker to cause Denial of Service (DoS) via memcpy function."}, {"lang": "es", "value": "Una vulnerabilidad de desbordamiento de b\u00fafer basada en mont\u00f3n en SonicOS SSL-VPN permite que un atacante remoto autenticado provoque una denegaci\u00f3n de servicio (DoS) a trav\u00e9s de la funci\u00f3n memcpy."}], "metrics": {}, "weaknesses": [{"source": "PSIRT@sonicwall.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}]}], "references": [{"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0009", "source": "PSIRT@sonicwall.com"}]}}, {"cve": {"id": "CVE-2024-34693", "sourceIdentifier": "security@apache.org", "published": "2024-06-20T09:15:11.683", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table.This issue affects Apache Superset: before 3.1.3 and version 4.0.0\n\nUsers are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.\n\n"}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache Superset, permite que un atacante autenticado cree una conexi\u00f3n MariaDB con local_infile habilitado. Si tanto el servidor MariaDB (desactivado de forma predeterminada) como el cliente MySQL local en el servidor web est\u00e1n configurados para permitir el archivo local, es posible que el atacante ejecute un comando SQL MySQL/MariaDB espec\u00edfico que pueda leer archivos del servidor e inserte su contenido en una tabla de base de datos MariaDB. Este problema afecta a Apache Superset: antes de 3.1.3 y versi\u00f3n 4.0.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 4.0.1 o 3.1.3, que soluciona el problema."}], "metrics": {"cvssMetricV31": [{"source": "security@apache.org", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 4.0}]}, "weaknesses": [{"source": "security@apache.org", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/06/20/1", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon", "source": "security@apache.org"}]}}, {"cve": {"id": "CVE-2021-47617", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:54.317", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: pciehp: Fix infinite loop in IRQ handler upon power fault\n\nThe Power Fault Detected bit in the Slot Status register differs from\nall other hotplug events in that it is sticky: It can only be cleared\nafter turning off slot power. Per PCIe r5.0, sec. 6.7.1.8:\n\n If a power controller detects a main power fault on the hot-plug slot,\n it must automatically set its internal main power fault latch [...].\n The main power fault latch is cleared when software turns off power to\n the hot-plug slot.\n\nThe stickiness used to cause interrupt storms and infinite loops which\nwere fixed in 2009 by commits 5651c48cfafe (\"PCI pciehp: fix power fault\ninterrupt storm problem\") and 99f0169c17f3 (\"PCI: pciehp: enable\nsoftware notification on empty slots\").\n\nUnfortunately in 2020 the infinite loop issue was inadvertently\nreintroduced by commit 8edf5332c393 (\"PCI: pciehp: Fix MSI interrupt\nrace\"): The hardirq handler pciehp_isr() clears the PFD bit until\npciehp's power_fault_detected flag is set. That happens in the IRQ\nthread pciehp_ist(), which never learns of the event because the hardirq\nhandler is stuck in an infinite loop. Fix by setting the\npower_fault_detected flag already in the hardirq handler."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: PCI: pciehp: soluciona el bucle infinito en el controlador IRQ ante un fallo de alimentaci\u00f3n. El bit de fallo de alimentaci\u00f3n detectado en el registro de estado de la ranura se diferencia de todos los dem\u00e1s eventos de conexi\u00f3n en caliente en que es fijo: solo puede borrarse despu\u00e9s de apagar la alimentaci\u00f3n de la ranura. Por PCIe r5.0, seg. 6.7.1.8: Si un controlador de energ\u00eda detecta una falla de energ\u00eda principal en la ranura de conexi\u00f3n en caliente, debe configurar autom\u00e1ticamente su pestillo interno de falla de energ\u00eda principal [...]. El bloqueo de fallo de alimentaci\u00f3n principal se borra cuando el software corta la alimentaci\u00f3n a la ranura de conexi\u00f3n en caliente. La rigidez sol\u00eda causar tormentas de interrupci\u00f3n y bucles infinitos que se solucionaron en 2009 mediante los commits 5651c48cfafe (\"PCI pciehp: solucionar el problema de la tormenta de interrupci\u00f3n por falla de energ\u00eda\") y 99f0169c17f3 (\"PCI: pciehp: habilitar la notificaci\u00f3n de software en ranuras vac\u00edas\"). Desafortunadamente, en 2020, el problema del bucle infinito se reintrodujo inadvertidamente mediante el commit 8edf5332c393 (\"PCI: pciehp: arreglar carrera de interrupci\u00f3n MSI\"): el controlador hardirq pciehp_isr() borra el bit PFD hasta que se establece el indicador power_fault_detected de pciehp. Eso sucede en el hilo IRQ pciehp_ist(), que nunca se entera del evento porque el controlador hardirq est\u00e1 atrapado en un bucle infinito. Para solucionarlo, configure el indicador power_fault_detected que ya est\u00e1 en el controlador hardirq."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1db58c6584a72102e98af2e600ea184ddaf2b8af", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/23584c1ed3e15a6f4bfab8dc5a88d94ab929ee12", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3b4c966fb156ff3e70b2526d964952ff7c1574d9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/464da38ba827f670deac6500a1de9a4f0f44c41d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6d6f1f0dac3e3441ecdb1103d4efb11b9ed24dd5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ff27f7d0333cff89ec85c419f431aca1b38fb16a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47618", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:54.477", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9170/1: fix panic when kasan and kprobe are enabled\n\narm32 uses software to simulate the instruction replaced\nby kprobe. some instructions may be simulated by constructing\nassembly functions. therefore, before executing instruction\nsimulation, it is necessary to construct assembly function\nexecution environment in C language through binding registers.\nafter kasan is enabled, the register binding relationship will\nbe destroyed, resulting in instruction simulation errors and\ncausing kernel panic.\n\nthe kprobe emulate instruction function is distributed in three\nfiles: actions-common.c actions-arm.c actions-thumb.c, so disable\nKASAN when compiling these files.\n\nfor example, use kprobe insert on cap_capable+20 after kasan\nenabled, the cap_capable assembly code is as follows:\n:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne1a05000\tmov\tr5, r0\ne280006c\tadd\tr0, r0, #108 ; 0x6c\ne1a04001\tmov\tr4, r1\ne1a06002\tmov\tr6, r2\ne59fa090\tldr\tsl, [pc, #144] ;\nebfc7bf8\tbl\tc03aa4b4 <__asan_load4>\ne595706c\tldr\tr7, [r5, #108] ; 0x6c\ne2859014\tadd\tr9, r5, #20\n......\nThe emulate_ldr assembly code after enabling kasan is as follows:\nc06f1384 :\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne282803c\tadd\tr8, r2, #60 ; 0x3c\ne1a05000\tmov\tr5, r0\ne7e37855\tubfx\tr7, r5, #16, #4\ne1a00008\tmov\tr0, r8\ne1a09001\tmov\tr9, r1\ne1a04002\tmov\tr4, r2\nebf35462\tbl\tc03c6530 <__asan_load4>\ne357000f\tcmp\tr7, #15\ne7e36655\tubfx\tr6, r5, #12, #4\ne205a00f\tand\tsl, r5, #15\n0a000001\tbeq\tc06f13bc \ne0840107\tadd\tr0, r4, r7, lsl #2\nebf3545c\tbl\tc03c6530 <__asan_load4>\ne084010a\tadd\tr0, r4, sl, lsl #2\nebf3545a\tbl\tc03c6530 <__asan_load4>\ne2890010\tadd\tr0, r9, #16\nebf35458\tbl\tc03c6530 <__asan_load4>\ne5990010\tldr\tr0, [r9, #16]\ne12fff30\tblx\tr0\ne356000f\tcm\tr6, #15\n1a000014\tbne\tc06f1430 \ne1a06000\tmov\tr6, r0\ne2840040\tadd\tr0, r4, #64 ; 0x40\n......\n\nwhen running in emulate_ldr to simulate the ldr instruction, panic\noccurred, and the log is as follows:\nUnable to handle kernel NULL pointer dereference at virtual address\n00000090\npgd = ecb46400\n[00000090] *pgd=2e0fa003, *pmd=00000000\nInternal error: Oops: 206 [#1] SMP ARM\nPC is at cap_capable+0x14/0xb0\nLR is at emulate_ldr+0x50/0xc0\npsr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c\nr10: 00000000 r9 : c30897f4 r8 : ecd63cd4\nr7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98\nr3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008\nFlags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user\nControl: 32c5387d Table: 2d546400 DAC: 55555555\nProcess bash (pid: 1643, stack limit = 0xecd60190)\n(cap_capable) from (kprobe_handler+0x218/0x340)\n(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)\n(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)\n(do_undefinstr) from (__und_svc_finish+0x0/0x30)\n(__und_svc_finish) from (cap_capable+0x18/0xb0)\n(cap_capable) from (cap_vm_enough_memory+0x38/0x48)\n(cap_vm_enough_memory) from\n(security_vm_enough_memory_mm+0x48/0x6c)\n(security_vm_enough_memory_mm) from\n(copy_process.constprop.5+0x16b4/0x25c8)\n(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)\n(_do_fork) from (SyS_clone+0x1c/0x24)\n(SyS_clone) from (__sys_trace_return+0x0/0x10)\nCode: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ARM: 9170/1: soluciona el p\u00e1nico cuando kasan y kprobe est\u00e1n habilitados arm32 usa software para simular la instrucci\u00f3n reemplazada por kprobe. Algunas instrucciones pueden simularse mediante la construcci\u00f3n de funciones de ensamblaje. por lo tanto, antes de ejecutar la simulaci\u00f3n de instrucciones, es necesario construir un entorno de ejecuci\u00f3n de funciones de ensamblaje en lenguaje C mediante registros vinculantes. despu\u00e9s de habilitar kasan, la relaci\u00f3n de enlace de registros se destruir\u00e1, lo que provocar\u00e1 errores de simulaci\u00f3n de instrucciones y provocar\u00e1 p\u00e1nico en el kernel. La funci\u00f3n de emulaci\u00f3n de instrucciones de kprobe se distribuye en tres archivos: acciones-common.c acciones-arm.c acciones-thumb.c, por lo tanto, desactive KASAN al compilar estos archivos. por ejemplo, use kprobe insert en cap_capable+20 despu\u00e9s de habilitar kasan, el c\u00f3digo ensamblador de cap_capable es el siguiente: : e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e1a05000 mov r5, r0 e280006c agregue r0, r0, #108; 0x6c e1a04001 mov r4, r1 e1a06002 mov r6, r2 e59fa090 ldr sl, [ordenador personal, #144]; ebfc7bf8 bl c03aa4b4 <__asan_load4> e595706c ldr r7, [r5, #108]; 0x6c e2859014 add r9, r5, #20 ...... El c\u00f3digo ensamblador emulate_ldr despu\u00e9s de habilitar kasan es el siguiente: c06f1384 : e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e282803c agregue r8, r2, #60; 0x3c e1a05000 mov r5, r0 e7e37855 ubfx r7, r5, #16, #4 e1a00008 mov r0, r8 e1a09001 mov r9, r1 e1a04002 mov r4, r2 ebf35462 bl c03c6530 <__asan_load 4> e357000f cmp r7, #15 e7e36655 ubfx r6, r5, #12, #4 e205a00f y sl, r5, #15 0a000001 beq c06f13bc e0840107 add r0, r4, r7, lsl #2 ebf3545c bl c03c6530 <__asan_load4> e084010a add r0, 4, sl, lsl #2 ebf3545a bl c03c6530 <__asan_load4> e2890010 agregar r0, r9, #16 ebf35458 bl c03c6530 <__asan_load4> e5990010 ldr r0, [r9, #16] e12fff30 blx r0 e356000f cm r6, #15 14 bne c06f1430 e1a06000 mov r6, r0 e2840040 agregar r0, r4, #64; 0x40 ...... cuando se ejecuta emulate_ldr para simular la instrucci\u00f3n ldr, se produce p\u00e1nico y el registro es el siguiente: No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\u00f3n virtual 00000090 pgd = ecb46400 [00000090] *pgd=2e0fa003, * pmd=00000000 Error interno: Ups: 206 [#1] La PC SMP ARM est\u00e1 en cap_capable+0x14/0xb0 LR est\u00e1 en emulate_ldr+0x50/0xc0 psr: 600d0293 sp: ecd63af8 ip: 00000004 fp: c0a7c30c r10: r9: c30897f4 r8 : ecd63cd4 r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 Banderas: nZCv IRQ desactivadas FIQ activadas Modo SVC_3 2 Usuario de segmento ISA ARM Control: 32c5387d Tabla: 2d546400 DAC: 55555555 Proceso bash (pid: 1643, l\u00edmite de pila = 0xecd60190) (cap_capable) de (kprobe_handler+0x218/0x340) (kprobe_handler) de (kprobe_trap_handler+0x24/0x48) (kprobe_trap_handler) de (do_undefinstr+0x13c/0x364) (do_undefinstr) de (__ und_svc_finish+ 0x0/0x30) (__und_svc_finish) de (cap_capable+0x18/0xb0) (cap_capable) de (cap_vm_enough_memory+0x38/0x48) (cap_vm_enough_memory) de (security_vm_enough_memory_mm+0x48/0x6c) (security_vm_enough_memory_mm) de (copy_process .constprop.5+0x16b4/ 0x25c8) (copy_process.constprop.5) de (_do_fork+0xe8/0x55c) (_do_fork) de (SyS_clone+0x1c/0x24) (SyS_clone) de (__sys_trace_return+0x0/0x10) C\u00f3digo: 0050a0e1 6c0080e2 0260a0e1 (f801f0e7)"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1515e72aae803fc6b466adf918e71c4e4c9d5b3d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8b59b0a53c840921b625378f137e88adfa87647e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ba1863be105b06e10d0e2f6b1b8a0570801cfc71", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47619", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:54.560", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix queues reservation for XDP\n\nWhen XDP was configured on a system with large number of CPUs\nand X722 NIC there was a call trace with NULL pointer dereference.\n\ni40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12\ni40e 0000:87:00.0: setup of MAIN VSI failed\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: 0010:i40e_xdp+0xea/0x1b0 [i40e]\nCall Trace:\n? i40e_reconfig_rss_queues+0x130/0x130 [i40e]\ndev_xdp_install+0x61/0xe0\ndev_xdp_attach+0x18a/0x4c0\ndev_change_xdp_fd+0x1e6/0x220\ndo_setlink+0x616/0x1030\n? ahci_port_stop+0x80/0x80\n? ata_qc_issue+0x107/0x1e0\n? lock_timer_base+0x61/0x80\n? __mod_timer+0x202/0x380\nrtnl_setlink+0xe5/0x170\n? bpf_lsm_binder_transaction+0x10/0x10\n? security_capable+0x36/0x50\nrtnetlink_rcv_msg+0x121/0x350\n? rtnl_calcit.isra.0+0x100/0x100\nnetlink_rcv_skb+0x50/0xf0\nnetlink_unicast+0x1d3/0x2a0\nnetlink_sendmsg+0x22a/0x440\nsock_sendmsg+0x5e/0x60\n__sys_sendto+0xf0/0x160\n? __sys_getsockname+0x7e/0xc0\n? _copy_from_user+0x3c/0x80\n? __sys_setsockopt+0xc8/0x1a0\n__x64_sys_sendto+0x20/0x30\ndo_syscall_64+0x33/0x40\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f83fa7a39e0\n\nThis was caused by PF queue pile fragmentation due to\nflow director VSI queue being placed right after main VSI.\nBecause of this main VSI was not able to resize its\nqueue allocation for XDP resulting in no queues allocated\nfor main VSI when XDP was turned on.\n\nFix this by always allocating last queue in PF queue pile\nfor a flow director VSI."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: i40e: Arreglar la reserva de colas para XDP Cuando se configur\u00f3 XDP en un sistema con una gran cantidad de CPU y NIC X722, hubo un seguimiento de llamada con desreferencia de puntero NULL. i40e 0000:87:00.0: no se pudo obtener el seguimiento de 256 colas para VSI 0 err -12 i40e 0000:87:00.0: fall\u00f3 la configuraci\u00f3n de VSI PRINCIPAL ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 00000000000000000 RIP: 0010:i40e_xdp+0xea/ 0x1b0 [i40e] Seguimiento de llamadas:? i40e_reconfig_rss_queues+0x130/0x130 [i40e] dev_xdp_install+0x61/0xe0 dev_xdp_attach+0x18a/0x4c0 dev_change_xdp_fd+0x1e6/0x220 do_setlink+0x616/0x1030 ? ahci_port_stop+0x80/0x80? ata_qc_issue+0x107/0x1e0? lock_timer_base+0x61/0x80? __mod_timer+0x202/0x380 rtnl_setlink+0xe5/0x170 ? bpf_lsm_binder_transaction+0x10/0x10? capacidad_seguridad+0x36/0x50 rtnetlink_rcv_msg+0x121/0x350 ? rtnl_calcit.isra.0+0x100/0x100 netlink_rcv_skb+0x50/0xf0 netlink_unicast+0x1d3/0x2a0 netlink_sendmsg+0x22a/0x440 sock_sendmsg+0x5e/0x60 __sys_sendto+0xf0/0x160 ? __sys_getsockname+0x7e/0xc0 ? _copia_de_usuario+0x3c/0x80 ? __sys_setsockopt+0xc8/0x1a0 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x33/0x40 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f83fa7a39e0 Esto fue causado por la fragmentaci\u00f3n de la pila de cola PF debido al flujo La cola VSI del director se coloca justo despu\u00e9s de la VSI principal. Debido a esto, la VSI principal no pudo cambiar el tama\u00f1o de su asignaci\u00f3n de cola para XDP, lo que provoc\u00f3 que no se asignaran colas para la VSI principal cuando se activ\u00f3 XDP. Solucione este problema asignando siempre la \u00faltima cola en la pila de colas PF para una VSI de director de flujo."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/00eddb0e4ea115154581d1049507a996acfc2d3e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4b3aa858268b7b9aeef02e5f9c4cd8f8fac101c8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/768eb705e6381f0c70ca29d4e66f19790d5d19a1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/92947844b8beee988c0ce17082b705c2f75f0742", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/be6998f232b8e4ca8225029e305b8329d89bfd59", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d46fa4ea9756ef6cbcf9752d0832cc66e2d7121b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2021-47620", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:54.653", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: refactor malicious adv data check\n\nCheck for out-of-bound read was being performed at the end of while\nnum_reports loop, and would fill journal with false positives. Added\ncheck to beginning of loop processing so that it doesn't get checked\nafter ptr has been advanced."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: Bluetooth: refactorizaci\u00f3n de verificaci\u00f3n de datos publicitarios maliciosos. Se estaba realizando una verificaci\u00f3n de lectura fuera de los l\u00edmites al final del bucle while num_reports y llenar\u00eda el diario con falsos positivos. Se agreg\u00f3 una verificaci\u00f3n al comienzo del procesamiento del bucle para que no se verifique despu\u00e9s de que se haya avanzado ptr."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/305e92f525450f3e1b5f5c9dc7eadb152d66a082", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5a539c08d743d9910631448da78af5e961664c0e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5c968affa804ba98c3c603f37ffea6fba618025e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7889b38a7f21ed19314f83194622b195d328465c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/835d3706852537bf92eb23eb8635b8dee0c0aa67", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/83d5196b65d1b29e27d7dd16a3b9b439fb1d2dba", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8819f93cd4a443dfe547aa622b21f723757df3fb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/899663be5e75dc0174dc8bda0b5e6826edf0b29a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bcea886771c3f22a590c8c8b9139a107bd7f1e1c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48711", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:54.793", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: improve size validations for received domain records\n\nThe function tipc_mon_rcv() allows a node to receive and process\ndomain_record structs from peer nodes to track their views of the\nnetwork topology.\n\nThis patch verifies that the number of members in a received domain\nrecord does not exceed the limit defined by MAX_MON_DOMAIN, something\nthat may otherwise lead to a stack overflow.\n\ntipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where\nwe are reading a 32 bit message data length field into a uint16. To\navert any risk of bit overflow, we add an extra sanity check for this in\nthat function. We cannot see that happen with the current code, but\nfuture designers being unaware of this risk, may introduce it by\nallowing delivery of very large (> 64k) sk buffers from the bearer\nlayer. This potential problem was identified by Eric Dumazet.\n\nThis fixes CVE-2022-0435"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: tipc: mejorar las validaciones de tama\u00f1o para los registros de dominio recibidos. La funci\u00f3n tipc_mon_rcv() permite que un nodo reciba y procese estructuras domain_record de nodos pares para rastrear sus vistas de la topolog\u00eda de la red. Este parche verifica que la cantidad de miembros en un registro de dominio recibido no exceda el l\u00edmite definido por MAX_MON_DOMAIN, algo que de otro modo podr\u00eda provocar un desbordamiento de pila. tipc_mon_rcv() se llama desde la funci\u00f3n tipc_link_proto_rcv(), donde leemos un campo de longitud de datos de mensaje de 32 bits en un uint16. Para evitar cualquier riesgo de desbordamiento de bits, agregamos una verificaci\u00f3n de cordura adicional en esa funci\u00f3n. No podemos ver que eso suceda con el c\u00f3digo actual, pero los futuros dise\u00f1adores, al desconocer este riesgo, pueden introducirlo permitiendo la entrega de b\u00faferes sk muy grandes (> 64k) desde la capa portadora. Este problema potencial fue identificado por Eric Dumazet. Esto corrige CVE-2022-0435"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/175db196e45d6f0e6047eccd09c8ba55465eb131", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1f1788616157b0222b0c2153828b475d95e374a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3c7e5943553594f68bbc070683db6bb6f6e9e78e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/59ff7514f8c56f166aadca49bcecfa028e0ad50f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9aa422ad326634b76309e8ff342c246800621216", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d692e3406e052dbf9f6d9da0cba36cb763272529", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f1af11edd08dd8376f7a84487cbb0ea8203e3a1d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fde4ddeadd099bf9fbb9ccbee8e1b5c20d530a2d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48712", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:54.880", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix error handling in ext4_fc_record_modified_inode()\n\nCurrent code does not fully takes care of krealloc() error case, which\ncould lead to silent memory corruption or a kernel bug. This patch\nfixes that.\n\nAlso it cleans up some duplicated error handling logic from various\nfunctions in fast_commit.c file."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ext4: corrige el manejo de errores en ext4_fc_record_modified_inode() El c\u00f3digo actual no soluciona completamente el caso de error de krealloc(), lo que podr\u00eda provocar una corrupci\u00f3n silenciosa de la memoria o un error del kernel. Este parche soluciona eso. Tambi\u00e9n limpia alguna l\u00f3gica de manejo de errores duplicada de varias funciones en el archivo fast_commit.c."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/14aa3f49c7fc6424763f4323bfbc3a807b0727dc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1b6762ecdf3cf12113772427c904aa3c420a1802", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/62e46e0ffc02daa8fcfc02f7a932cc8a19601b19", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cdce59a1549190b66f8e3fe465c2b2f714b98a94", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48713", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:54.960", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/pt: Fix crash with stop filters in single-range mode\n\nAdd a check for !buf->single before calling pt_buffer_region_size in a\nplace where a missing check can cause a kernel crash.\n\nFixes a bug introduced by commit 670638477aed (\"perf/x86/intel/pt:\nOpportunistically use single range output mode\"), which added a\nsupport for PT single-range output mode. Since that commit if a PT\nstop filter range is hit while tracing, the kernel will crash because\nof a null pointer dereference in pt_handle_status due to calling\npt_buffer_region_size without a ToPA configured.\n\nThe commit which introduced single-range mode guarded almost all uses of\nthe ToPA buffer variables with checks of the buf->single variable, but\nmissed the case where tracing was stopped by the PT hardware, which\nhappens when execution hits a configured stop filter.\n\nTested that hitting a stop filter while PT recording successfully\nrecords a trace with this patch but crashes without this patch."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: perf/x86/intel/pt: soluciona el fallo con filtros de parada en modo de rango \u00fanico. A\u00f1ade una marca para !buf->single antes de llamar a pt_buffer_region_size en un lugar donde una marca faltante puede provocar un fallo del kernel. Corrige un error introducido por el commit 670638477aed (\"perf/x86/intel/pt: utilizar de manera oportunista el modo de salida de rango \u00fanico\"), que agreg\u00f3 soporte para el modo de salida de rango \u00fanico PT. Desde esa confirmaci\u00f3n, si se alcanza un rango de filtro de parada PT durante el seguimiento, el kernel fallar\u00e1 debido a una desreferencia de puntero nulo en pt_handle_status debido a la llamada a pt_buffer_region_size sin un ToPA configurado. La confirmaci\u00f3n que introdujo el modo de rango \u00fanico protegi\u00f3 casi todos los usos de las variables del b\u00fafer ToPA con comprobaciones de la variable buf->single, pero omiti\u00f3 el caso en el que el hardware PT detuvo el seguimiento, lo que ocurre cuando la ejecuci\u00f3n llega a un filtro de parada configurado. Se prob\u00f3 que al presionar un filtro de detenci\u00f3n mientras se graba PT se registra exitosamente un seguimiento con este parche, pero falla sin este parche."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1d9093457b243061a9bba23543c38726e864a643", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/456f041e035913fcedb275aff6f8a71dfebcd394", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e83d941fd3445f660d2f43647c580a320cc384f6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/feffb6ae2c80b9a8206450cdef90f5943baced99", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48714", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:55.033", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Use VM_MAP instead of VM_ALLOC for ringbuf\n\nAfter commit 2fd3fb0be1d1 (\"kasan, vmalloc: unpoison VM_ALLOC pages\nafter mapping\"), non-VM_ALLOC mappings will be marked as accessible\nin __get_vm_area_node() when KASAN is enabled. But now the flag for\nringbuf area is VM_ALLOC, so KASAN will complain out-of-bound access\nafter vmap() returns. Because the ringbuf area is created by mapping\nallocated pages, so use VM_MAP instead.\n\nAfter the change, info in /proc/vmallocinfo also changes from\n [start]-[end] 24576 ringbuf_map_alloc+0x171/0x290 vmalloc user\nto\n [start]-[end] 24576 ringbuf_map_alloc+0x171/0x290 vmap user"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf: use VM_MAP en lugar de VM_ALLOC para ringbuf Despu\u00e9s del commit 2fd3fb0be1d1 (\"kasan, vmalloc: despoisone las p\u00e1ginas VM_ALLOC despu\u00e9s del mapeo\"), los mapeos que no sean VM_ALLOC se marcar\u00e1n como accesibles en __get_vm_area_node( ) cuando KASAN est\u00e1 habilitado. Pero ahora el indicador para el \u00e1rea ringbuf es VM_ALLOC, por lo que KASAN se quejar\u00e1 del acceso fuera de los l\u00edmites despu\u00e9s de que regrese vmap(). Debido a que el \u00e1rea ringbuf se crea asignando p\u00e1ginas asignadas, use VM_MAP en su lugar. Despu\u00e9s del cambio, la informaci\u00f3n en /proc/vmallocinfo tambi\u00e9n cambia de [inicio]-[fin] 24576 ringbuf_map_alloc+0x171/0x290 usuario vmalloc a [inicio]-[fin] 24576 ringbuf_map_alloc+0x171/0x290 usuario vmap"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/5e457aeab52a5947619e1f18047f4d2f3212b3eb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6304a613a97d6dcd49b93fbad31e9f39d1e138d6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b293dcc473d22a62dc6d78de2b15e4f49515db56", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d578933f6226d5419af9306746efa1c693cbaf9c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48715", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:55.110", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bnx2fc: Make bnx2fc_recv_frame() mp safe\n\nRunning tests with a debug kernel shows that bnx2fc_recv_frame() is\nmodifying the per_cpu lport stats counters in a non-mpsafe way. Just boot\na debug kernel and run the bnx2fc driver with the hardware enabled.\n\n[ 1391.699147] BUG: using smp_processor_id() in preemptible [00000000] code: bnx2fc_\n[ 1391.699160] caller is bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc]\n[ 1391.699174] CPU: 2 PID: 4355 Comm: bnx2fc_l2_threa Kdump: loaded Tainted: G B\n[ 1391.699180] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013\n[ 1391.699183] Call Trace:\n[ 1391.699188] dump_stack_lvl+0x57/0x7d\n[ 1391.699198] check_preemption_disabled+0xc8/0xd0\n[ 1391.699205] bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc]\n[ 1391.699215] ? do_raw_spin_trylock+0xb5/0x180\n[ 1391.699221] ? bnx2fc_npiv_create_vports.isra.0+0x4e0/0x4e0 [bnx2fc]\n[ 1391.699229] ? bnx2fc_l2_rcv_thread+0xb7/0x3a0 [bnx2fc]\n[ 1391.699240] bnx2fc_l2_rcv_thread+0x1af/0x3a0 [bnx2fc]\n[ 1391.699250] ? bnx2fc_ulp_init+0xc0/0xc0 [bnx2fc]\n[ 1391.699258] kthread+0x364/0x420\n[ 1391.699263] ? _raw_spin_unlock_irq+0x24/0x50\n[ 1391.699268] ? set_kthread_struct+0x100/0x100\n[ 1391.699273] ret_from_fork+0x22/0x30\n\nRestore the old get_cpu/put_cpu code with some modifications to reduce the\nsize of the critical section."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: scsi: bnx2fc: Hacer que bnx2fc_recv_frame() mp sea seguro La ejecuci\u00f3n de pruebas con un kernel de depuraci\u00f3n muestra que bnx2fc_recv_frame() est\u00e1 modificando los contadores de estad\u00edsticas de puerto por CPU de una manera no segura para mp. Simplemente inicie un kernel de depuraci\u00f3n y ejecute el controlador bnx2fc con el hardware habilitado. [1391.699147] ERROR: uso de smp_processor_id() en c\u00f3digo interrumpible [00000000]: bnx2fc_ [1391.699160] la persona que llama es bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc] [1391.699174] CPU: 2 PID: 4355 Comm: bnx2fc_l2_threa Kdump: cargado Contaminado: GB [ 1391.699180 ] Nombre del hardware: HP ProLiant DL120 G7, BIOS J01 01/07/2013 [ 1391.699183] Seguimiento de llamadas: [ 1391.699188] dump_stack_lvl+0x57/0x7d [ 1391.699198] check_preemption_disabled+0xc8/0xd0 [ 1391.69 9205] bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc] [ 1391.699215] ? do_raw_spin_trylock+0xb5/0x180 [1391.699221]? bnx2fc_npiv_create_vports.isra.0+0x4e0/0x4e0 [bnx2fc] [1391.699229]? bnx2fc_l2_rcv_thread+0xb7/0x3a0 [bnx2fc] [ 1391.699240] bnx2fc_l2_rcv_thread+0x1af/0x3a0 [bnx2fc] [ 1391.699250] ? bnx2fc_ulp_init+0xc0/0xc0 [bnx2fc] [ 1391.699258] kthread+0x364/0x420 [ 1391.699263] ? _raw_spin_unlock_irq+0x24/0x50 [1391.699268]? set_kthread_struct+0x100/0x100 [ 1391.699273] ret_from_fork+0x22/0x30 Restaura el antiguo c\u00f3digo get_cpu/put_cpu con algunas modificaciones para reducir el tama\u00f1o de la secci\u00f3n cr\u00edtica."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/003bcee66a8f0e76157eb3af369c173151901d97", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2d24336c7214b281b51860e54783dfc65f1248df", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2f5a1ac68bdf2899ce822ab845081922ea8c588e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3a345198a7c2d1db2526dc60b77052f75de019d3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/471085571f926a1fe6b1bed095638994dbf23990", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/53e4f71763c61a557283eb43301efd671922d1e8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/936bd03405fc83ba039d42bc93ffd4b88418f1d3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ec4334152dae175dbd8fd5bde1d2139bbe7b42d0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48716", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:55.207", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd938x: fix incorrect used of portid\n\nMixer controls have the channel id in mixer->reg, which is not same\nas port id. port id should be derived from chan_info array.\nSo fix this. Without this, its possible that we could corrupt\nstruct wcd938x_sdw_priv by accessing port_map array out of range\nwith channel id instead of port id."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ASoC: c\u00f3decs: wcd938x: corrige el uso incorrecto del puerto Los controles del mezclador tienen la identificaci\u00f3n del canal en mezclador->reg, que no es la misma que la identificaci\u00f3n del puerto. La identificaci\u00f3n del puerto debe derivarse de la matriz chan_info. Entonces arregla esto. Sin esto, es posible que podamos da\u00f1ar la estructura wcd938x_sdw_priv accediendo a la matriz port_map fuera del rango con la identificaci\u00f3n del canal en lugar de la identificaci\u00f3n del puerto."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/9167f2712dc8c24964840a4d1e2ebf130e846b95", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aa7152f9f117b3e66b3c0d4158ca4c6d46ab229f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c5c1546a654f613e291a7c5d6f3660fc1eb6d0c7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48717", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:55.287", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: max9759: fix underflow in speaker_gain_control_put()\n\nCheck for negative values of \"priv->gain\" to prevent an out of bounds\naccess. The concern is that these might come from the user via:\n -> snd_ctl_elem_write_user()\n -> snd_ctl_elem_write()\n -> kctl->put()"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: max9759: corrige el desbordamiento en altavoz_gain_control_put() Compruebe si hay valores negativos de \"priv->gain\" para evitar un acceso fuera de los l\u00edmites. La preocupaci\u00f3n es que estos puedan provenir del usuario a trav\u00e9s de: -> snd_ctl_elem_write_user() -> snd_ctl_elem_write() -> kctl->put()"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/4c907bcd9dcd233da6707059d777ab389dcbd964", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5a45448ac95b715173edb1cd090ff24b6586d921", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/71e60c170105d153e34d01766c1e4db26a4b24cc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a0f49d12547d45ea8b0f356a96632dd503941c1e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/baead410e5db49e962a67fffc17ac30e44b50b7c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f114fd6165dfb52520755cc4d1c1dfbd447b88b6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48718", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:55.373", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: mxsfb: Fix NULL pointer dereference\n\nmxsfb should not ever dereference the NULL pointer which\ndrm_atomic_get_new_bridge_state is allowed to return.\nAssume a fixed format instead."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: drm: mxsfb: corrige la desreferencia del puntero NULL. mxsfb nunca deber\u00eda desreferenciar el puntero NULL que drm_atomic_get_new_bridge_state puede devolver. En su lugar, asuma un formato fijo."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/622c9a3a7868e1eeca39c55305ca3ebec4742b64", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6f9267e01cca749137349d8ffb0d0ebbadf567f4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/86a337bb803040e4401b87c974a7fb92efe3d0e1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48719", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:55.470", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work\n\nsyzkaller was able to trigger a deadlock for NTF_MANAGED entries [0]:\n\n kworker/0:16/14617 is trying to acquire lock:\n ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652\n [...]\n but task is already holding lock:\n ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572\n\nThe neighbor entry turned to NUD_FAILED state, where __neigh_event_send()\ntriggered an immediate probe as per commit cd28ca0a3dd1 (\"neigh: reduce\narp latency\") via neigh_probe() given table lock was held.\n\nOne option to fix this situation is to defer the neigh_probe() back to\nthe neigh_timer_handler() similarly as pre cd28ca0a3dd1. For the case\nof NTF_MANAGED, this deferral is acceptable given this only happens on\nactual failure state and regular / expected state is NUD_VALID with the\nentry already present.\n\nThe fix adds a parameter to __neigh_event_send() in order to communicate\nwhether immediate probe is allowed or disallowed. Existing call-sites\nof neigh_event_send() default as-is to immediate probe. However, the\nneigh_managed_work() disables it via use of neigh_event_send_probe().\n\n[0] \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_deadlock_bug kernel/locking/lockdep.c:2956 [inline]\n check_deadlock kernel/locking/lockdep.c:2999 [inline]\n validate_chain kernel/locking/lockdep.c:3788 [inline]\n __lock_acquire.cold+0x149/0x3ab kernel/locking/lockdep.c:5027\n lock_acquire kernel/locking/lockdep.c:5639 [inline]\n lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604\n __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline]\n _raw_write_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:334\n ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652\n ip6_finish_output2+0x1070/0x14f0 net/ipv6/ip6_output.c:123\n __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]\n __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170\n ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201\n NF_HOOK_COND include/linux/netfilter.h:296 [inline]\n ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224\n dst_output include/net/dst.h:451 [inline]\n NF_HOOK include/linux/netfilter.h:307 [inline]\n ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508\n ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650\n ndisc_solicit+0x2cd/0x4f0 net/ipv6/ndisc.c:742\n neigh_probe+0xc2/0x110 net/core/neighbour.c:1040\n __neigh_event_send+0x37d/0x1570 net/core/neighbour.c:1201\n neigh_event_send include/net/neighbour.h:470 [inline]\n neigh_managed_work+0x162/0x250 net/core/neighbour.c:1574\n process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307\n worker_thread+0x657/0x1110 kernel/workqueue.c:2454\n kthread+0x2e9/0x3a0 kernel/kthread.c:377\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n "}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net, neigh: no activar sondas inmediatas en NUD_FAILED desde neigh_managed_work syzkaller pudo activar un punto muerto para las entradas NTF_MANAGED [0]: kworker/0:16/14617 est\u00e1 intentando adquirir bloqueo: ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, en: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652 [...] pero la tarea ya mantiene el bloqueo: ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, en: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572 La entrada del vecino pas\u00f3 al estado NUD_FAILED, donde __neigh_event_send() desencaden\u00f3 una Sondeo inmediato seg\u00fan el commit cd28ca0a3dd1 (\"relincho: reducir la latencia de arp\") a trav\u00e9s de neigh_probe() dado que se mantuvo el bloqueo de la tabla. Una opci\u00f3n para solucionar esta situaci\u00f3n es posponer neigh_probe() nuevamente a neigh_timer_handler() de manera similar a como se hac\u00eda antes de cd28ca0a3dd1. Para el caso de NTF_MANAGED, este aplazamiento es aceptable dado que esto solo ocurre en el estado de falla real y el estado normal/esperado es NUD_VALID con la entrada ya presente. La soluci\u00f3n agrega un par\u00e1metro a __neigh_event_send() para comunicar si se permite o no la sonda inmediata. Los sitios de llamadas existentes de neigh_event_send() est\u00e1n predeterminados tal cual para la investigaci\u00f3n inmediata. Sin embargo, neigh_managed_work() lo desactiva mediante el uso de neigh_event_send_probe(). [0] __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_deadlock_bug kernel/locking/lockdep.c:2956 [en l\u00ednea] check_deadlock kernel/locking/lockdep.c :2999 [en l\u00ednea] validar_chain kernel/locking/lockdep.c:3788 [en l\u00ednea] __lock_acquire.cold+0x149/0x3ab kernel/locking/lockdep.c:5027 lock_acquire kernel/locking/lockdep.c:5639 [en l\u00ednea] lock_acquire+0x1ab /0x510 kernel/locking/lockdep.c:5604 __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [en l\u00ednea] _raw_write_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:334 ___neigh_create+0x9e1/0x2990 net/core/neighbour.c :652 ip6_finish_output2+0x1070/0x14f0 net/ipv6/ip6_output.c:123 __ip6_finish_output net/ipv6/ip6_output.c:191 [en l\u00ednea] __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170 poner+0x32/0x200 neto/ ipv6/ip6_output.c:201 NF_HOOK_COND include/linux/netfilter.h:296 [en l\u00ednea] ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224 dst_output include/net/dst.h:451 [en l\u00ednea] NF_HOOK include/ linux/netfilter.h:307 [en l\u00ednea] ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508 ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650 ndisc_solicit+0x2cd/0x4f0 net/ipv6/ndisc.c :742 neigh_probe+0xc2/0x110 net/core/neighbour.c:1040 __neigh_event_send+0x37d/0x1570 net/core/neighbour.c:1201 neigh_event_send include/net/neighbour.h:470 [en l\u00ednea] neigh_managed_work+0x162/0x250 net/ core/neighbour.c:1574 Process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307 trabajador_thread+0x657/0x1110 kernel/workqueue.c:2454 kthread+0x2e9/0x3a0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/ x86/entry/entry_64.S:295 "}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/203a35ebb49cdce377416b0690215d3ce090d364", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4a81f6da9cb2d1ef911131a6fd8bd15cb61fc772", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48720", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:55.547", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macsec: Fix offload support for NETDEV_UNREGISTER event\n\nCurrent macsec netdev notify handler handles NETDEV_UNREGISTER event by\nreleasing relevant SW resources only, this causes resources leak in case\nof macsec HW offload, as the underlay driver was not notified to clean\nit's macsec offload resources.\n\nFix by calling the underlay driver to clean it's relevant resources\nby moving offload handling from macsec_dellink() to macsec_common_dellink()\nwhen handling NETDEV_UNREGISTER event."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: macsec: se corrigi\u00f3 el soporte de descarga para el evento NETDEV_UNREGISTER. El controlador de notificaci\u00f3n netdev de macsec actual maneja el evento NETDEV_UNREGISTER liberando solo recursos SW relevantes, lo que provoca una p\u00e9rdida de recursos en caso de descarga de HW de macsec, ya que No se notific\u00f3 al controlador subyacente que limpiara sus recursos de descarga de macsec. Para solucionarlo, llame al controlador subyacente para limpiar sus recursos relevantes moviendo el manejo de descarga de macsec_dellink() a macsec_common_dellink() cuando se maneja el evento NETDEV_UNREGISTER."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2e7f5b6ee1a7a2c628253a95b0a95b582901ef1b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8299be160aad8548071d080518712dec0df92bd5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9cef24c8b76c1f6effe499d2f131807c90f7ce9a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e7a0b3a0806dae3cc81931f0e83055ca2ac6f455", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48721", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:55.620", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Forward wakeup to smc socket waitqueue after fallback\n\nWhen we replace TCP with SMC and a fallback occurs, there may be\nsome socket waitqueue entries remaining in smc socket->wq, such\nas eppoll_entries inserted by userspace applications.\n\nAfter the fallback, data flows over TCP/IP and only clcsocket->wq\nwill be woken up. Applications can't be notified by the entries\nwhich were inserted in smc socket->wq before fallback. So we need\na mechanism to wake up smc socket->wq at the same time if some\nentries remaining in it.\n\nThe current workaround is to transfer the entries from smc socket->wq\nto clcsock->wq during the fallback. But this may cause a crash\nlike this:\n\n general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP PTI\n CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G E 5.16.0+ #107\n RIP: 0010:__wake_up_common+0x65/0x170\n Call Trace:\n \n __wake_up_common_lock+0x7a/0xc0\n sock_def_readable+0x3c/0x70\n tcp_data_queue+0x4a7/0xc40\n tcp_rcv_established+0x32f/0x660\n ? sk_filter_trim_cap+0xcb/0x2e0\n tcp_v4_do_rcv+0x10b/0x260\n tcp_v4_rcv+0xd2a/0xde0\n ip_protocol_deliver_rcu+0x3b/0x1d0\n ip_local_deliver_finish+0x54/0x60\n ip_local_deliver+0x6a/0x110\n ? tcp_v4_early_demux+0xa2/0x140\n ? tcp_v4_early_demux+0x10d/0x140\n ip_sublist_rcv_finish+0x49/0x60\n ip_sublist_rcv+0x19d/0x230\n ip_list_rcv+0x13e/0x170\n __netif_receive_skb_list_core+0x1c2/0x240\n netif_receive_skb_list_internal+0x1e6/0x320\n napi_complete_done+0x11d/0x190\n mlx5e_napi_poll+0x163/0x6b0 [mlx5_core]\n __napi_poll+0x3c/0x1b0\n net_rx_action+0x27c/0x300\n __do_softirq+0x114/0x2d2\n irq_exit_rcu+0xb4/0xe0\n common_interrupt+0xba/0xe0\n \n \n\nThe crash is caused by privately transferring waitqueue entries from\nsmc socket->wq to clcsock->wq. The owners of these entries, such as\nepoll, have no idea that the entries have been transferred to a\ndifferent socket wait queue and still use original waitqueue spinlock\n(smc socket->wq.wait.lock) to make the entries operation exclusive,\nbut it doesn't work. The operations to the entries, such as removing\nfrom the waitqueue (now is clcsock->wq after fallback), may cause a\ncrash when clcsock waitqueue is being iterated over at the moment.\n\nThis patch tries to fix this by no longer transferring wait queue\nentries privately, but introducing own implementations of clcsock's\ncallback functions in fallback situation. The callback functions will\nforward the wakeup to smc socket->wq if clcsock->wq is actually woken\nup and smc socket->wq has remaining entries."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/smc: Reenviar activaci\u00f3n a la cola de espera del socket smc despu\u00e9s del respaldo Cuando reemplazamos TCP con SMC y se produce un respaldo, es posible que queden algunas entradas de la cola de espera del socket en el socket smc->wq. como eppoll_entries insertados por aplicaciones de espacio de usuario. Despu\u00e9s del respaldo, los datos fluyen a trav\u00e9s de TCP/IP y solo se activar\u00e1 clcsocket->wq. Las aplicaciones no pueden ser notificadas por las entradas que se insertaron en smc socket->wq antes del respaldo. Entonces necesitamos un mecanismo para activar smc socket->wq al mismo tiempo si quedan algunas entradas en \u00e9l. La soluci\u00f3n actual es transferir las entradas de smc socket->wq a clcsock->wq durante el respaldo. Pero esto puede causar un fallo como este: fallo de protecci\u00f3n general, probablemente para la direcci\u00f3n no can\u00f3nica 0xdead000000000100: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 0 Comm: swapper/3 Kdump: cargado Contaminado: GE 5.16.0+ #107 RIP: 0010:__wake_up_common+0x65/0x170 Seguimiento de llamadas: __wake_up_common_lock+0x7a/0xc0 sock_def_readable+0x3c/0x70 tcp_data_queue+0x4a7/0xc40 tcp_rcv_establecido+0x32f/0x660 ? sk_filter_trim_cap+0xcb/0x2e0 tcp_v4_do_rcv+0x10b/0x260 tcp_v4_rcv+0xd2a/0xde0 ip_protocol_deliver_rcu+0x3b/0x1d0 ip_local_deliver_finish+0x54/0x60 0 ? tcp_v4_early_demux+0xa2/0x140? tcp_v4_early_demux+0x10d/0x140 ip_sublist_rcv_finish+0x49/0x60 ip_sublist_rcv+0x19d/0x230 ip_list_rcv+0x13e/0x170 __netif_receive_skb_list_core+0x1c2/0x240 netif_receive_skb_list_ interno+0x1e6/0x320 napi_complete_done+0x11d/0x190 mlx5e_napi_poll+0x163/0x6b0 [mlx5_core] __napi_poll+0x3c/0x1b0 net_rx_action+ 0x27c/0x300 __do_softirq+0x114/0x2d2 irq_exit_rcu+0xb4/0xe0 common_interrupt+0xba/0xe0 El bloqueo se debe a la transferencia privada de entradas de la cola de espera desde smc socket->wq a clcsock->wq. Los propietarios de estas entradas, como epoll, no tienen idea de que las entradas se han transferido a una cola de espera de socket diferente y a\u00fan usan el spinlock de cola de espera original (smc socket->wq.wait.lock) para que la operaci\u00f3n de entradas sea exclusiva, pero no funciona. Las operaciones realizadas en las entradas, como la eliminaci\u00f3n de la cola de espera (ahora es clcsock->wq despu\u00e9s del respaldo), pueden causar un bloqueo cuando se est\u00e1 iterando sobre la cola de espera de clcsock en este momento. Este parche intenta solucionar este problema al no transferir las entradas de la cola de espera de forma privada, sino al introducir implementaciones propias de las funciones de devoluci\u00f3n de llamada de clcsock en situaciones de reserva. Las funciones de devoluci\u00f3n de llamada reenviar\u00e1n la activaci\u00f3n a smc socket->wq si clcsock->wq realmente se activa y smc socket->wq tiene entradas restantes."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0ef6049f664941bc0f75828b3a61877635048b27", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/341adeec9adad0874f29a0a1af35638207352a39", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/504078fbe9dd570d685361b57784a6050bc40aaa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48722", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:55.733", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ieee802154: ca8210: Stop leaking skb's\n\nUpon error the ieee802154_xmit_complete() helper is not called. Only\nieee802154_wake_queue() is called manually. We then leak the skb\nstructure.\n\nFree the skb structure upon error before returning."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: ieee802154: ca8210: Detener la fuga de skb. En caso de error, no se llama al asistente ieee802154_xmit_complete(). S\u00f3lo se llama manualmente a ieee802154_wake_queue(). Luego filtramos la estructura skb. Libere la estructura skb en caso de error antes de regresar."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/21feb6df3967541931242c427fe0958276af81cc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/621b24b09eb61c63f262da0c9c5f0e93348897e5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6f38d3a6ec11c2733b1c641a46a2a2ecec57be08", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/78b3f20c17cbcb7645bfa63f2ca0e11b53c09d56", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/94cd597e20ed4acedb8f15f029d92998b011cb1a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a1c277b0ed2a13e7de923b5f03bc23586eceb851", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d6a44feb2f28d71a7e725f72d09c97c81561cd9a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48723", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T11:15:55.820", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: uniphier: fix reference count leak in uniphier_spi_probe()\n\nThe issue happens in several error paths in uniphier_spi_probe().\nWhen either dma_get_slave_caps() or devm_spi_register_master() returns\nan error code, the function forgets to decrease the refcount of both\n`dma_rx` and `dma_tx` objects, which may lead to refcount leaks.\n\nFix it by decrementing the reference count of specific objects in\nthose error paths."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: spi: uniphier: corrige la fuga del recuento de referencias en uniphier_spi_probe() El problema ocurre en varias rutas de error en uniphier_spi_probe(). Cuando dma_get_slave_caps() o devm_spi_register_master() devuelven un c\u00f3digo de error, la funci\u00f3n se olvida de disminuir el recuento de los objetos `dma_rx` y `dma_tx`, lo que puede provocar fugas de recuento. Corr\u00edjalo disminuyendo el recuento de referencias de objetos espec\u00edficos en esas rutas de error."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/37c2c83ca4f1ef4b6908181ac98e18360af89b42", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/447c3d4046d7b54052d07d8b27e15e6edea5662c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dd00b4f8f768d81c3788a8ac88fdb3d745e55ea3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e895e067d73e154b1ebc84a124e00831e311d9b0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-28147", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "published": "2024-06-20T11:15:55.913", "lastModified": "2024-06-24T05:15:09.493", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An authenticated user can upload arbitrary files in the upload \nfunction for collection preview images. An attacker may upload an HTML \nfile that includes malicious JavaScript code which will be executed if a\n user visits the direct URL of the collection preview image (Stored \nCross Site Scripting). It is also possible to upload SVG files that \ninclude nested XML entities. Those are parsed when a user visits the \ndirect URL of the collection preview image, which may be utilized for a \nDenial of Service attack.\n\nThis issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19."}, {"lang": "es", "value": "Un usuario autenticado puede cargar archivos arbitrarios en la funci\u00f3n de carga para im\u00e1genes de vista previa de la colecci\u00f3n. Un atacante puede cargar un archivo HTML que incluya c\u00f3digo JavaScript malicioso que se ejecutar\u00e1 si un usuario visita la URL directa de la imagen de vista previa de la colecci\u00f3n (Stored Cross Site Scripting). Tambi\u00e9n es posible cargar archivos SVG que incluyan entidades XML anidadas. Estos se analizan cuando un usuario visita la URL directa de la imagen de vista previa de la colecci\u00f3n, que puede utilizarse para un ataque de denegaci\u00f3n de servicio. Este problema afecta a edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19."}], "metrics": {}, "weaknesses": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "http://seclists.org/fulldisclosure/2024/Jun/11", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "https://r.sec-consult.com/metaventis", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}]}}, {"cve": {"id": "CVE-2024-5036", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-20T11:15:56.273", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018url\u2019 parameter in all versions up to, and including, 3.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "La extensi\u00f3n Sina para Elementor (control deslizante, galer\u00eda, formulario, modal, tabla de datos, pesta\u00f1a, part\u00edcula, widgets de Elementor gratuitos y plantillas de Elementor) para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'url' en todas las versiones hasta , e incluyendo, 3.5.4 debido a una sanitizaci\u00f3n insuficiente de los insumos y al escape de los productos. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/sina-extension-for-elementor/trunk/widgets/basic/sina-counter.php#L687", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3104601/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/64f11bc9-88b5-43d5-bc76-129dc5909210?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5886", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-20T11:15:56.580", "lastModified": "2024-06-20T11:15:56.580", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2024-6181", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-20T11:15:56.723", "lastModified": "2024-06-20T14:15:11.837", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in LabVantage LIMS 2017. It has been declared as problematic. This vulnerability affects unknown code of the file /labvantage/rc?command=file&file=WEB-CORE/elements/files/filesembedded.jsp&size=32. The manipulation of the argument height/width leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-269152. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en LabVantage LIMS 2017 y ha sido declarada problem\u00e1tica. Esta vulnerabilidad afecta a c\u00f3digo desconocido del archivo /labvantage/rc?command=file&file=WEB-CORE/elements/files/filesembedded.jsp&size=32. La manipulaci\u00f3n del argumento alto/ancho conduce a cross site scripting. El ataque se puede iniciar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-269152. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.0}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://gentle-khaan-c53.notion.site/Reflected-XSS-in-Labvantage-LIMS-9531d77dce984d4da2ddcab863962e9c?pvs=4", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269152", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269152", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.353709", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6182", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-20T11:15:57.117", "lastModified": "2024-06-20T16:15:14.807", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in LabVantage LIMS 2017. It has been rated as problematic. This issue affects some unknown processing of the file /labvantage/rc?command=page&page=LV_ViewSampleSpec&oosonly=Y&_sdialog=Y. The manipulation of the argument sdcid/keyid1 leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-269153 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en LabVantage LIMS 2017. Se calific\u00f3 como problem\u00e1tica. Este problema afecta un procesamiento desconocido del archivo /labvantage/rc?command=page&page=LV_ViewSampleSpec&oosonly=Y&_sdialog=Y. La manipulaci\u00f3n del argumento sdcid/keyid1 conduce a cross site scripting. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-269153. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.0}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://gentle-khaan-c53.notion.site/Reflected-XSS-in-Labvantage-LIMS-95e338b6f9ea45db9a6c635c3c1ff3b8", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269153", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269153", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.354361", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2021-4439", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:10.447", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nisdn: cpai: check ctr->cnr to avoid array index out of bound\n\nThe cmtp_add_connection() would add a cmtp session to a controller\nand run a kernel thread to process cmtp.\n\n\t__module_get(THIS_MODULE);\n\tsession->task = kthread_run(cmtp_session, session, \"kcmtpd_ctr_%d\",\n\t\t\t\t\t\t\t\tsession->num);\n\nDuring this process, the kernel thread would call detach_capi_ctr()\nto detach a register controller. if the controller\nwas not attached yet, detach_capi_ctr() would\ntrigger an array-index-out-bounds bug.\n\n[ 46.866069][ T6479] UBSAN: array-index-out-of-bounds in\ndrivers/isdn/capi/kcapi.c:483:21\n[ 46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]'\n[ 46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted\n5.15.0-rc2+ #8\n[ 46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX,\n1996), BIOS 1.14.0-2 04/01/2014\n[ 46.870107][ T6479] Call Trace:\n[ 46.870473][ T6479] dump_stack_lvl+0x57/0x7d\n[ 46.870974][ T6479] ubsan_epilogue+0x5/0x40\n[ 46.871458][ T6479] __ubsan_handle_out_of_bounds.cold+0x43/0x48\n[ 46.872135][ T6479] detach_capi_ctr+0x64/0xc0\n[ 46.872639][ T6479] cmtp_session+0x5c8/0x5d0\n[ 46.873131][ T6479] ? __init_waitqueue_head+0x60/0x60\n[ 46.873712][ T6479] ? cmtp_add_msgpart+0x120/0x120\n[ 46.874256][ T6479] kthread+0x147/0x170\n[ 46.874709][ T6479] ? set_kthread_struct+0x40/0x40\n[ 46.875248][ T6479] ret_from_fork+0x1f/0x30\n[ 46.875773][ T6479]"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: isdn: cpai: verifique ctr->cnr para evitar que el \u00edndice de matriz est\u00e9 fuera de l\u00edmite. cmtp_add_connection() agregar\u00eda una sesi\u00f3n cmtp a un controlador y ejecutar\u00eda un subproceso del kernel para procesar cmtp. __module_get(ESTE_M\u00d3DULO); sesi\u00f3n->tarea = kthread_run(cmtp_session, sesi\u00f3n, \"kcmtpd_ctr_%d\", sesi\u00f3n->num); Durante este proceso, el hilo del n\u00facleo llamar\u00eda a detach_capi_ctr() para desconectar un controlador de registro. Si el controlador a\u00fan no estaba conectado, detach_capi_ctr() desencadenar\u00eda un error de los l\u00edmites de \u00edndice de matriz. [ 46.866069][ T6479] UBSAN: \u00edndice de matriz fuera de los l\u00edmites en drivers/isdn/capi/kcapi.c:483:21 [ 46.867196][ T6479] el \u00edndice -1 est\u00e1 fuera de rango para el tipo 'capi_ctr *[ 32]' [ 46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 No contaminado 5.15.0-rc2+ #8 [ 46.869002][ T6479] Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.14. 0-2 01/04/2014 [ 46.870107][ T6479] Seguimiento de llamadas: [ 46.870473][ T6479] dump_stack_lvl+0x57/0x7d [ 46.870974][ T6479] ubsan_epilogue+0x5/0x40 [ 46.871458][ T6479 ] __ubsan_handle_out_of_bounds.cold+0x43 /0x48 [ 46.872135][ T6479] detach_capi_ctr+0x64/0xc0 [ 46.872639][ T6479] cmtp_session+0x5c8/0x5d0 [ 46.873131][ T6479] ? __init_waitqueue_head+0x60/0x60 [ 46.873712][ T6479] ? cmtp_add_msgpart+0x120/0x120 [ 46.874256][ T6479] kthread+0x147/0x170 [ 46.874709][ T6479] ? set_kthread_struct+0x40/0x40 [ 46.875248][ T6479] ret_from_fork+0x1f/0x30 [ 46.875773][ T6479]"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1f3e2e97c003f80c4b087092b225c8787ff91e4d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/24219a977bfe3d658687e45615c70998acdbac5a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/285e9210b1fab96a11c0be3ed5cea9dd48b6ac54", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7d91adc0ccb060ce564103315189466eb822cc6a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7f221ccbee4ec662e2292d490a43ce6c314c4594", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9b6b2db77bc3121fe435f1d4b56e34de443bec75", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cc20226e218a2375d50dd9ac14fb4121b43375ff", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e8b8de17e164c9f1b7777f1c6f99d05539000036", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48724", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:10.900", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping()\n\nAfter commit e3beca48a45b (\"irqdomain/treewide: Keep firmware node\nunconditionally allocated\"). For tear down scenario, fn is only freed\nafter fail to allocate ir_domain, though it also should be freed in case\ndmar_enable_qi returns error.\n\nBesides free fn, irq_domain and ir_msi_domain need to be removed as well\nif intel_setup_irq_remapping fails to enable queued invalidation.\n\nImprove the rewinding path by add out_free_ir_domain and out_free_fwnode\nlables per Baolu's suggestion."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iommu/vt-d: soluciona una posible p\u00e9rdida de memoria en intel_setup_irq_remapping() despu\u00e9s del commit e3beca48a45b (\"irqdomain/treewide: mantiene el nodo de firmware asignado incondicionalmente\"). Para el escenario de desmontaje, fn solo se libera despu\u00e9s de que no se puede asignar ir_domain, aunque tambi\u00e9n debe liberarse en caso de que dmar_enable_qi devuelva un error. Adem\u00e1s de free fn, irq_domain e ir_msi_domain tambi\u00e9n deben eliminarse si intel_setup_irq_remapping no logra habilitar la invalidaci\u00f3n en cola. Mejore la ruta de rebobinado agregando las etiquetas out_free_ir_domain y out_free_fwnode seg\u00fan la sugerencia de Baolu."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/336d096b62bdc673e852b6b80d5072d7888ce85d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5c43d46daa0d2928234dd2792ebebc35d29ee2d1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/99e675d473eb8cf2deac1376a0f840222fc1adcf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9d9995b0371e4e8c18d4f955479e5d47efe7b2d4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a0c685ba99961b1dd894b2e470e692a539770f6d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a31cb1f0fb6caf46ffe88c41252b6b7a4ee062d9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b62eceb5f8f08815fe3f945fc55bbf997c344ecd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48725", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:10.997", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix refcounting leak in siw_create_qp()\n\nThe atomic_inc() needs to be paired with an atomic_dec() on the error\npath."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/siw: corrige la fuga de recuento en siw_create_qp() Atomic_inc() debe emparejarse con atomic_dec() en la ruta de error."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2989ba9532babac66e79997ccff73c015b69700c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a75badebfdc0b3823054bedf112edb54d6357c75", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fa3b844a50845c817660146c27c0fc29b08d3116", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48726", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:11.077", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ucma: Protect mc during concurrent multicast leaves\n\nPartially revert the commit mentioned in the Fixes line to make sure that\nallocation and erasing multicast struct are locked.\n\n BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]\n BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579\n Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529\n CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n Call Trace:\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247\n __kasan_report mm/kasan/report.c:433 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:450\n ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]\n ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579\n ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614\n ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732\n vfs_write+0x28e/0xae0 fs/read_write.c:588\n ksys_write+0x1ee/0x250 fs/read_write.c:643\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nCurrently the xarray search can touch a concurrently freeing mc as the\nxa_for_each() is not surrounded by any lock. Rather than hold the lock for\na full scan hold it only for the effected items, which is usually an empty\nlist."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/ucma: protege mc durante las salidas simult\u00e1neas de multidifusi\u00f3n. Revierta parcialmente la confirmaci\u00f3n mencionada en la l\u00ednea Correcciones para asegurarse de que la asignaci\u00f3n y el borrado de la estructura de multidifusi\u00f3n est\u00e9n bloqueados. ERROR: KASAN: use-after-free en ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [en l\u00ednea] ERROR: KASAN: use-after-free en ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c: 579 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff88801bb74b00 mediante la tarea syz-executor.1/25529 CPU: 0 PID: 25529 Comm: syz-executor.1 No contaminado 5.16.0-rc7-syzkaller #0 Nombre de hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan /report.c:247 __kasan_report mm/kasan/report.c:433 [en l\u00ednea] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [en l\u00ednea] ucma_destroy_private_ctx+0x914/0xb70 controladores/infiniband/core/ucma.c:579 ucma_destroy_id+0x1e6/0x280 controladores/infiniband/core/ucma.c:614 ucma_write+0x25c/0x350 controladores/infiniband/core/ucma.c:1732 vfs_write+ 0x28e/0xae0 fs/read_write.c:588 ksys_write+0x1ee/0x250 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64+0x35/0xb0 arch/x86/entry/common. c:80 Entry_SYSCALL_64_after_hwframe+0x44/0xae Actualmente, la b\u00fasqueda de xarray puede tocar un mc que se libera simult\u00e1neamente ya que xa_for_each() no est\u00e1 rodeado por ning\u00fan candado. En lugar de mantener el bloqueo durante un escaneo completo, mant\u00e9ngalo solo para los elementos afectados, que generalmente son una lista vac\u00eda."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2923948ffe0835f7114e948b35bcc42bc9b3baa1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/36e8169ec973359f671f9ec7213547059cae972e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/75c610212b9f1756b9384911d3a2c347eee8031c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ee2477e8ccd3d978eeac0dc5a981b286d9bb7b0a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48727", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:11.167", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Avoid consuming a stale esr value when SError occur\n\nWhen any exception other than an IRQ occurs, the CPU updates the ESR_EL2\nregister with the exception syndrome. An SError may also become pending,\nand will be synchronised by KVM. KVM notes the exception type, and whether\nan SError was synchronised in exit_code.\n\nWhen an exception other than an IRQ occurs, fixup_guest_exit() updates\nvcpu->arch.fault.esr_el2 from the hardware register. When an SError was\nsynchronised, the vcpu esr value is used to determine if the exception\nwas due to an HVC. If so, ELR_EL2 is moved back one instruction. This\nis so that KVM can process the SError first, and re-execute the HVC if\nthe guest survives the SError.\n\nBut if an IRQ synchronises an SError, the vcpu's esr value is stale.\nIf the previous non-IRQ exception was an HVC, KVM will corrupt ELR_EL2,\ncausing an unrelated guest instruction to be executed twice.\n\nCheck ARM_EXCEPTION_CODE() before messing with ELR_EL2, IRQs don't\nupdate this register so don't need to check."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: KVM: arm64: Evite consumir un valor esr obsoleto cuando ocurre un SError Cuando ocurre cualquier excepci\u00f3n que no sea una IRQ, la CPU actualiza el registro ESR_EL2 con el s\u00edndrome de excepci\u00f3n. Un SError tambi\u00e9n puede quedar pendiente y KVM lo sincronizar\u00e1. KVM anota el tipo de excepci\u00f3n y si se sincroniz\u00f3 un SError en exit_code. Cuando ocurre una excepci\u00f3n distinta a una IRQ, fixup_guest_exit() actualiza vcpu->arch.fault.esr_el2 desde el registro de hardware. Cuando se sincroniza un SError, el valor de vcpu esr se utiliza para determinar si la excepci\u00f3n se debi\u00f3 a un HVC. Si es as\u00ed, ELR_EL2 retrocede una instrucci\u00f3n. Esto es para que KVM pueda procesar el SError primero y volver a ejecutar el HVC si el invitado sobrevive al SError. Pero si una IRQ sincroniza un SError, el valor esr de la vcpu est\u00e1 obsoleto. Si la excepci\u00f3n anterior no IRQ era un HVC, KVM da\u00f1ar\u00e1 ELR_EL2, lo que provocar\u00e1 que se ejecute dos veces una instrucci\u00f3n invitada no relacionada. Verifique ARM_EXCEPTION_CODE() antes de jugar con ELR_EL2, las IRQ no actualizan este registro, por lo que no es necesario verificarlo."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1c71dbc8a179d99dd9bb7e7fc1888db613cf85de", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/57e2986c3b25092691a6e3d6ee9168caf8978932", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e1e852746997500f1873f60b954da5f02cc2dba3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48728", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:11.253", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix AIP early init panic\n\nAn early failure in hfi1_ipoib_setup_rn() can lead to the following panic:\n\n BUG: unable to handle kernel NULL pointer dereference at 00000000000001b0\n PGD 0 P4D 0\n Oops: 0002 [#1] SMP NOPTI\n Workqueue: events work_for_cpu_fn\n RIP: 0010:try_to_grab_pending+0x2b/0x140\n Code: 1f 44 00 00 41 55 41 54 55 48 89 d5 53 48 89 fb 9c 58 0f 1f 44 00 00 48 89 c2 fa 66 0f 1f 44 00 00 48 89 55 00 40 84 f6 75 77 48 0f ba 2b 00 72 09 31 c0 5b 5d 41 5c 41 5d c3 48 89 df e8 6c\n RSP: 0018:ffffb6b3cf7cfa48 EFLAGS: 00010046\n RAX: 0000000000000246 RBX: 00000000000001b0 RCX: 0000000000000000\n RDX: 0000000000000246 RSI: 0000000000000000 RDI: 00000000000001b0\n RBP: ffffb6b3cf7cfa70 R08: 0000000000000f09 R09: 0000000000000001\n R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000\n R13: ffffb6b3cf7cfa90 R14: ffffffff9b2fbfc0 R15: ffff8a4fdf244690\n FS: 0000000000000000(0000) GS:ffff8a527f400000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000000001b0 CR3: 00000017e2410003 CR4: 00000000007706f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n __cancel_work_timer+0x42/0x190\n ? dev_printk_emit+0x4e/0x70\n iowait_cancel_work+0x15/0x30 [hfi1]\n hfi1_ipoib_txreq_deinit+0x5a/0x220 [hfi1]\n ? dev_err+0x6c/0x90\n hfi1_ipoib_netdev_dtor+0x15/0x30 [hfi1]\n hfi1_ipoib_setup_rn+0x10e/0x150 [hfi1]\n rdma_init_netdev+0x5a/0x80 [ib_core]\n ? hfi1_ipoib_free_rdma_netdev+0x20/0x20 [hfi1]\n ipoib_intf_init+0x6c/0x350 [ib_ipoib]\n ipoib_intf_alloc+0x5c/0xc0 [ib_ipoib]\n ipoib_add_one+0xbe/0x300 [ib_ipoib]\n add_client_context+0x12c/0x1a0 [ib_core]\n enable_device_and_get+0xdc/0x1d0 [ib_core]\n ib_register_device+0x572/0x6b0 [ib_core]\n rvt_register_device+0x11b/0x220 [rdmavt]\n hfi1_register_ib_device+0x6b4/0x770 [hfi1]\n do_init_one.isra.20+0x3e3/0x680 [hfi1]\n local_pci_probe+0x41/0x90\n work_for_cpu_fn+0x16/0x20\n process_one_work+0x1a7/0x360\n ? create_worker+0x1a0/0x1a0\n worker_thread+0x1cf/0x390\n ? create_worker+0x1a0/0x1a0\n kthread+0x116/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ret_from_fork+0x1f/0x40\n\nThe panic happens in hfi1_ipoib_txreq_deinit() because there is a NULL\nderef when hfi1_ipoib_netdev_dtor() is called in this error case.\n\nhfi1_ipoib_txreq_init() and hfi1_ipoib_rxq_init() are self unwinding so\nfix by adjusting the error paths accordingly.\n\nOther changes:\n- hfi1_ipoib_free_rdma_netdev() is deleted including the free_netdev()\n since the netdev core code deletes calls free_netdev()\n- The switch to the accelerated entrances is moved to the success path."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: IB/hfi1: corrige el p\u00e1nico de inicio temprano de AIP Una falla temprana en hfi1_ipoib_setup_rn() puede provocar el siguiente p\u00e1nico: ERROR: no se puede manejar la desreferencia del puntero NULL del kernel en 00000000000001b0 PGD 0 P4D 0 Vaya: 0002 [#1] Cola de trabajo SMP NOPTI: eventos work_for_cpu_fn RIP: 0010:try_to_grab_pending+0x2b/0x140 C\u00f3digo: 1f 44 00 00 41 55 41 54 55 48 89 d5 53 48 89 fb 9c 58 0f 1f 4 00 00 48 89 c2 fa 66 0f 1f 44 00 00 48 89 55 00 40 84 f6 75 77 48 0f ba 2b 00 72 09 31 c0 5b 5d 41 5c 41 5d c3 48 89 df e8 6c RSP 0018:ffffb6b3cf7 cfa48 EFLAGS: 00010046 RAX: 0000000000000246 RBX: 00000000000001b0 RCX: 0000000000000000 RDX: 0000000000000246 RSI: 00000000000000000 RDI: 00000000000001b0 RBP: ffffb6b3cf7cfa70 R08: 0000000000000f09 R09: 0000000000000001 R10: 0000000000000000 R11: 00000000000000001 R12: 0000000000000000 R13: b6b3cf7cfa90 R14: ffffffff9b2fbfc0 R15: ffff8a4fdf244690 FS: 0000000000000000(0000) GS :ffff8a527f400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000001b0 CR3: CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 00000000000000000 DR6: 00000000ffe0ff0 DR7: 000 0000000000400 PKRU: 55555554 Seguimiento de llamadas: __cancel_work_timer+0x42/0x190 ? dev_printk_emit+0x4e/0x70 iowait_cancel_work+0x15/0x30 [hfi1] hfi1_ipoib_txreq_deinit+0x5a/0x220 [hfi1] ? dev_err+0x6c/0x90 hfi1_ipoib_netdev_dtor+0x15/0x30 [hfi1] hfi1_ipoib_setup_rn+0x10e/0x150 [hfi1] rdma_init_netdev+0x5a/0x80 [ib_core] ? hfi1_ipoib_free_rdma_netdev+0x20/0x20 [hfi1] ipoib_intf_init+0x6c/0x350 [ib_ipoib] ipoib_intf_alloc+0x5c/0xc0 [ib_ipoib] ipoib_add_one+0xbe/0x300 [ib_ipoib] 0x1a0 [ib_core] enable_device_and_get+0xdc/0x1d0 [ib_core] ib_register_device+ 0x572/0x6b0 [ib_core] rvt_register_device+0x11b/0x220 [rdmavt] hfi1_register_ib_device+0x6b4/0x770 [hfi1] do_init_one.isra.20+0x3e3/0x680 [hfi1] local_pci_probe+0x41/0x90 cpu_fn+0x16/0x20 proceso_one_work+0x1a7/0x360 ? create_worker+0x1a0/0x1a0 trabajador_thread+0x1cf/0x390? create_worker+0x1a0/0x1a0 kthread+0x116/0x130? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x1f/0x40 El p\u00e1nico ocurre en hfi1_ipoib_txreq_deinit() porque hay una deref NULL cuando se llama a hfi1_ipoib_netdev_dtor() en este caso de error. hfi1_ipoib_txreq_init() y hfi1_ipoib_rxq_init() se desenrollan autom\u00e1ticamente, as\u00ed que corrija ajustando las rutas de error en consecuencia. Otros cambios: - hfi1_ipoib_free_rdma_netdev() se elimina incluyendo free_netdev() ya que el c\u00f3digo central de netdev elimina las llamadas free_netdev() - El cambio a las entradas aceleradas se mueve a la ruta de \u00e9xito."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1899c3cad265c4583658aed5293d02e8af84276b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4a9bd1e6780fc59f81466ec3489d5ad535a37190", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5f8f55b92edd621f056bdf09e572092849fabd83", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a3dd4d2682f2a796121609e5f3bbeb1243198c53", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48729", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:11.343", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix panic with larger ipoib send_queue_size\n\nWhen the ipoib send_queue_size is increased from the default the following\npanic happens:\n\n RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1]\n Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0\n RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286\n RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\n RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101\n R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200\n R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001\n FS: 00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0\n Call Trace:\n \n hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1]\n hfi1_ipoib_dev_stop+0x18/0x80 [hfi1]\n ipoib_ib_dev_stop+0x1d/0x40 [ib_ipoib]\n ipoib_stop+0x48/0xc0 [ib_ipoib]\n __dev_close_many+0x9e/0x110\n __dev_change_flags+0xd9/0x210\n dev_change_flags+0x21/0x60\n do_setlink+0x31c/0x10f0\n ? __nla_validate_parse+0x12d/0x1a0\n ? __nla_parse+0x21/0x30\n ? inet6_validate_link_af+0x5e/0xf0\n ? cpumask_next+0x1f/0x20\n ? __snmp6_fill_stats64.isra.53+0xbb/0x140\n ? __nla_validate_parse+0x47/0x1a0\n __rtnl_newlink+0x530/0x910\n ? pskb_expand_head+0x73/0x300\n ? __kmalloc_node_track_caller+0x109/0x280\n ? __nla_put+0xc/0x20\n ? cpumask_next_and+0x20/0x30\n ? update_sd_lb_stats.constprop.144+0xd3/0x820\n ? _raw_spin_unlock_irqrestore+0x25/0x37\n ? __wake_up_common_lock+0x87/0xc0\n ? kmem_cache_alloc_trace+0x3d/0x3d0\n rtnl_newlink+0x43/0x60\n\nThe issue happens when the shift that should have been a function of the\ntxq item size mistakenly used the ring size.\n\nFix by using the item size."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: IB/hfi1: Corrija el p\u00e1nico con ipoib send_queue_size m\u00e1s grande Cuando ipoib send_queue_size aumenta respecto del valor predeterminado, ocurre el siguiente p\u00e1nico: RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1] C\u00f3digo: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 83 8 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0 RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286 RAX: 00000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f RDX: 00000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101 R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200 R13: ffffc9000798fba8 R14: 0000000000000000 R15: 00000000000001 FS: 00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR 2: ffffc9000aa0f118 CR3 : 0000000889c84001 CR4: 00000000001706e0 Seguimiento de llamadas: hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1] hfi1_ipoib_dev_stop+0x18/0x80 [hfi1] [ib_ipoib] ipoib_stop+0x48/0xc0 [ib_ipoib] __dev_close_many+0x9e/0x110 __dev_change_flags+ 0xd9/0x210 dev_change_flags+0x21/0x60 do_setlink+0x31c/0x10f0? __nla_validate_parse+0x12d/0x1a0 ? __nla_parse+0x21/0x30? inet6_validate_link_af+0x5e/0xf0? cpumask_next+0x1f/0x20 ? __snmp6_fill_stats64.isra.53+0xbb/0x140 ? __nla_validate_parse+0x47/0x1a0 __rtnl_newlink+0x530/0x910 ? pskb_expand_head+0x73/0x300? __kmalloc_node_track_caller+0x109/0x280 ? __nla_put+0xc/0x20 ? cpumask_next_and+0x20/0x30? update_sd_lb_stats.constprop.144+0xd3/0x820? _raw_spin_unlock_irqrestore+0x25/0x37? __wake_up_common_lock+0x87/0xc0? kmem_cache_alloc_trace+0x3d/0x3d0 rtnl_newlink+0x43/0x60 El problema ocurre cuando el cambio que deber\u00eda haber sido una funci\u00f3n del tama\u00f1o del elemento txq us\u00f3 por error el tama\u00f1o del anillo. Arreglar usando el tama\u00f1o del elemento."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1530d84fba1e459ba55f46aa42649b88773210e7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8c83d39cc730378bbac64d67a551897b203a606e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48730", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:11.430", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf: heaps: Fix potential spectre v1 gadget\n\nIt appears like nr could be a Spectre v1 gadget as it's supplied by a\nuser and used as an array index. Prevent the contents\nof kernel memory from being leaked to userspace via speculative\nexecution by using array_index_nospec.\n\n [sumits: added fixes and cc: stable tags]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dma-buf: heaps: repara un posible gadget de Spectre v1. Parece que nr podr\u00eda ser un gadget de Spectre v1, ya que lo proporciona un usuario y se utiliza como \u00edndice de matriz. Evite que el contenido de la memoria del kernel se filtre al espacio de usuario mediante ejecuci\u00f3n especulativa utilizando array_index_nospec. [presenta: correcciones agregadas y cc: etiquetas estables]"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/24f8e12d965b24f8aea762589e0e9fe2025c005e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5d40f1bdad3dd1a177f21a90ad4353c1ed40ba3a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/92c4cfaee6872038563c5b6f2e8e613f9d84d47d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cc8f7940d9c2d45f67b3d1a2f2b7a829ca561bed", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48731", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:11.517", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kmemleak: avoid scanning potential huge holes\n\nWhen using devm_request_free_mem_region() and devm_memremap_pages() to\nadd ZONE_DEVICE memory, if requested free mem region's end pfn were\nhuge(e.g., 0x400000000), the node_end_pfn() will be also huge (see\nmove_pfn_range_to_zone()). Thus it creates a huge hole between\nnode_start_pfn() and node_end_pfn().\n\nWe found on some AMD APUs, amdkfd requested such a free mem region and\ncreated a huge hole. In such a case, following code snippet was just\ndoing busy test_bit() looping on the huge hole.\n\n for (pfn = start_pfn; pfn < end_pfn; pfn++) {\n\tstruct page *page = pfn_to_online_page(pfn);\n\t\tif (!page)\n\t\t\tcontinue;\n\t...\n }\n\nSo we got a soft lockup:\n\n watchdog: BUG: soft lockup - CPU#6 stuck for 26s! [bash:1221]\n CPU: 6 PID: 1221 Comm: bash Not tainted 5.15.0-custom #1\n RIP: 0010:pfn_to_online_page+0x5/0xd0\n Call Trace:\n ? kmemleak_scan+0x16a/0x440\n kmemleak_write+0x306/0x3a0\n ? common_file_perm+0x72/0x170\n full_proxy_write+0x5c/0x90\n vfs_write+0xb9/0x260\n ksys_write+0x67/0xe0\n __x64_sys_write+0x1a/0x20\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nI did some tests with the patch.\n\n(1) amdgpu module unloaded\n\nbefore the patch:\n\n real 0m0.976s\n user 0m0.000s\n sys 0m0.968s\n\nafter the patch:\n\n real 0m0.981s\n user 0m0.000s\n sys 0m0.973s\n\n(2) amdgpu module loaded\n\nbefore the patch:\n\n real 0m35.365s\n user 0m0.000s\n sys 0m35.354s\n\nafter the patch:\n\n real 0m1.049s\n user 0m0.000s\n sys 0m1.042s"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/kmemleak: evita escanear posibles agujeros enormes. Al usar devm_request_free_mem_region() y devm_memremap_pages() para agregar memoria ZONE_DEVICE, si se solicitaba, el pfn final de la regi\u00f3n de memoria libre era enorme (por ejemplo, 0x400000000), el node_end_pfn() tambi\u00e9n ser\u00e1 enorme (ver move_pfn_range_to_zone()). Por lo tanto, crea un enorme agujero entre node_start_pfn() y node_end_pfn(). Descubrimos que en algunas APU AMD, AMDKFD solicit\u00f3 una regi\u00f3n de memoria libre y cre\u00f3 un agujero enorme. En tal caso, el siguiente fragmento de c\u00f3digo simplemente estaba haciendo un bucle test_bit() ocupado en el enorme agujero. for (pfn = start_pfn; pfn < end_pfn; pfn++) { estructura p\u00e1gina *p\u00e1gina = pfn_to_online_page(pfn); si (!p\u00e1gina) contin\u00faa; ... } Entonces obtuvimos un bloqueo suave: perro guardi\u00e1n: ERROR: bloqueo suave - \u00a1CPU#6 bloqueada durante 26 segundos! [bash:1221] CPU: 6 PID: 1221 Comm: bash No contaminado 5.15.0-custom #1 RIP: 0010:pfn_to_online_page+0x5/0xd0 Seguimiento de llamadas:? kmemleak_scan+0x16a/0x440 kmemleak_write+0x306/0x3a0 ? common_file_perm+0x72/0x170 full_proxy_write+0x5c/0x90 vfs_write+0xb9/0x260 ksys_write+0x67/0xe0 __x64_sys_write+0x1a/0x20 do_syscall_64+0x3b/0xc0 Entry_SYSCALL_64_after_hwframe+0x4 4/0xae Hice algunas pruebas con el parche. (1) m\u00f3dulo amdgpu descargado antes del parche: usuario real 0m0.976s 0m0.000s sys 0m0.968s despu\u00e9s del parche: usuario real 0m0.981s 0m0.000s sys 0m0.973s (2) m\u00f3dulo amdgpu cargado antes del parche: real 0m35 .365s usuario 0m0.000s sys 0m35.354s despu\u00e9s del parche: real 0m1.049s usuario 0m0.000s sys 0m1.042s"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/352715593e81b917ce1b321e794549815b850134", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a5389c80992f0001ee505838fe6a8b20897ce96e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c10a0f877fe007021d70f9cada240f42adc2b5db", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cebb0aceb21ad91429617a40e3a17444fabf1529", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d3533ee20e9a0e2e8f60384da7450d43d1c63d1a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48732", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:11.607", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix off by one in BIOS boundary checking\n\nBounds checking when parsing init scripts embedded in the BIOS reject\naccess to the last byte. This causes driver initialization to fail on\nApple eMac's with GeForce 2 MX GPUs, leaving the system with no working\nconsole.\n\nThis is probably only seen on OpenFirmware machines like PowerPC Macs\nbecause the BIOS image provided by OF is only the used parts of the ROM,\nnot a power-of-two blocks read from PCI directly so PCs always have\nempty bytes at the end that are never accessed."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/nouveau: solucionado por uno en la comprobaci\u00f3n de los l\u00edmites del BIOS. La comprobaci\u00f3n de los l\u00edmites al analizar los scripts de inicio integrados en el BIOS rechaza el acceso al \u00faltimo byte. Esto hace que la inicializaci\u00f3n del controlador falle en Apple eMac con GPU GeForce 2 MX, dejando el sistema sin consola funcional. Probablemente esto solo se vea en m\u00e1quinas OpenFirmware como PowerPC Mac porque la imagen del BIOS proporcionada por OF es solo las partes utilizadas de la ROM, no una potencia de dos bloques le\u00edda directamente desde PCI, por lo que las PC siempre tienen bytes vac\u00edos al final que son nunca accedido."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1b777d4d9e383d2744fc9b3a09af6ec1893c8b1a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/909d3ec1bf9f0ec534bfc081b77c0836fea7b0e2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/acc887ba88333f5fec49631f12d8cc7ebd95781c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b2a21669ee98aafc41c6d42ef15af4dab9e6e882", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d4b746e60fd8eaa8016e144223abe91158edcdad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d877e814a62b7de9069aeff8bc1d979dfc996e06", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e7c36fa8a1e63b08312162179c78a0c7795ea369", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f071d9fa857582d7bd77f4906691f73d3edeab73", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48733", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:11.700", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free after failure to create a snapshot\n\nAt ioctl.c:create_snapshot(), we allocate a pending snapshot structure and\nthen attach it to the transaction's list of pending snapshots. After that\nwe call btrfs_commit_transaction(), and if that returns an error we jump\nto 'fail' label, where we kfree() the pending snapshot structure. This can\nresult in a later use-after-free of the pending snapshot:\n\n1) We allocated the pending snapshot and added it to the transaction's\n list of pending snapshots;\n\n2) We call btrfs_commit_transaction(), and it fails either at the first\n call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups().\n In both cases, we don't abort the transaction and we release our\n transaction handle. We jump to the 'fail' label and free the pending\n snapshot structure. We return with the pending snapshot still in the\n transaction's list;\n\n3) Another task commits the transaction. This time there's no error at\n all, and then during the transaction commit it accesses a pointer\n to the pending snapshot structure that the snapshot creation task\n has already freed, resulting in a user-after-free.\n\nThis issue could actually be detected by smatch, which produced the\nfollowing warning:\n\n fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list\n\nSo fix this by not having the snapshot creation ioctl directly add the\npending snapshot to the transaction's list. Instead add the pending\nsnapshot to the transaction handle, and then at btrfs_commit_transaction()\nwe add the snapshot to the list only when we can guarantee that any error\nreturned after that point will result in a transaction abort, in which\ncase the ioctl code can safely free the pending snapshot and no one can\naccess it anymore."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: btrfs: corrige el use-after-free despu\u00e9s de una falla al crear una instant\u00e1nea En ioctl.c:create_snapshot(), asignamos una estructura de instant\u00e1nea pendiente y luego la adjuntamos a la lista de transacciones de instant\u00e1neas pendientes. Despu\u00e9s de eso, llamamos a btrfs_commit_transaction(), y si eso devuelve un error, saltamos a la etiqueta 'falla', donde liberamos() la estructura de instant\u00e1nea pendiente. Esto puede resultar en un uso posterior despu\u00e9s de la liberaci\u00f3n de la instant\u00e1nea pendiente: 1) Asignamos la instant\u00e1nea pendiente y la agregamos a la lista de instant\u00e1neas pendientes de la transacci\u00f3n; 2) Llamamos a btrfs_commit_transaction(), y falla en la primera llamada a btrfs_run_delayed_refs() o btrfs_start_dirty_block_groups(). En ambos casos, no abortamos la transacci\u00f3n y liberamos nuestro identificador de transacci\u00f3n. Saltamos a la etiqueta 'fallo' y liberamos la estructura de instant\u00e1nea pendiente. Regresamos con la instant\u00e1nea pendiente todav\u00eda en la lista de transacciones; 3) Otra tarea confirma la transacci\u00f3n. Esta vez no hay ning\u00fan error y luego, durante la confirmaci\u00f3n de la transacci\u00f3n, accede a un puntero a la estructura de instant\u00e1nea pendiente que la tarea de creaci\u00f3n de instant\u00e1nea ya ha liberado, lo que resulta en una liberaci\u00f3n de usuario. En realidad, este problema podr\u00eda ser detectado por smatch, que produjo la siguiente advertencia: fs/btrfs/ioctl.c:843 create_snapshot() advertencia: '&pending_snapshot->list' no se elimina de la lista. As\u00ed que solucione este problema al no tener el ioctl de creaci\u00f3n de instant\u00e1neas directamente agregue la instant\u00e1nea pendiente a la lista de transacciones. En su lugar, agregue la instant\u00e1nea pendiente al identificador de la transacci\u00f3n, y luego en btrfs_commit_transaction() agregamos la instant\u00e1nea a la lista solo cuando podamos garantizar que cualquier error devuelto despu\u00e9s de ese punto resultar\u00e1 en la cancelaci\u00f3n de la transacci\u00f3n, en cuyo caso el c\u00f3digo ioctl puede Libera la instant\u00e1nea pendiente y ya nadie podr\u00e1 acceder a ella."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/28b21c558a3753171097193b6f6602a94169093a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9372fa1d73da5f1673921e365d0cd2c27ec7adc2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a7b717fa15165d3d9245614680bebc48a52ac05d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48734", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:11.797", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock between quota disable and qgroup rescan worker\n\nQuota disable ioctl starts a transaction before waiting for the qgroup\nrescan worker completes. However, this wait can be infinite and results\nin deadlock because of circular dependency among the quota disable\nioctl, the qgroup rescan worker and the other task with transaction such\nas block group relocation task.\n\nThe deadlock happens with the steps following:\n\n1) Task A calls ioctl to disable quota. It starts a transaction and\n waits for qgroup rescan worker completes.\n2) Task B such as block group relocation task starts a transaction and\n joins to the transaction that task A started. Then task B commits to\n the transaction. In this commit, task B waits for a commit by task A.\n3) Task C as the qgroup rescan worker starts its job and starts a\n transaction. In this transaction start, task C waits for completion\n of the transaction that task A started and task B committed.\n\nThis deadlock was found with fstests test case btrfs/115 and a zoned\nnull_blk device. The test case enables and disables quota, and the\nblock group reclaim was triggered during the quota disable by chance.\nThe deadlock was also observed by running quota enable and disable in\nparallel with 'btrfs balance' command on regular null_blk devices.\n\nAn example report of the deadlock:\n\n [372.469894] INFO: task kworker/u16:6:103 blocked for more than 122 seconds.\n [372.479944] Not tainted 5.16.0-rc8 #7\n [372.485067] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n [372.493898] task:kworker/u16:6 state:D stack: 0 pid: 103 ppid: 2 flags:0x00004000\n [372.503285] Workqueue: btrfs-qgroup-rescan btrfs_work_helper [btrfs]\n [372.510782] Call Trace:\n [372.514092] \n [372.521684] __schedule+0xb56/0x4850\n [372.530104] ? io_schedule_timeout+0x190/0x190\n [372.538842] ? lockdep_hardirqs_on+0x7e/0x100\n [372.547092] ? _raw_spin_unlock_irqrestore+0x3e/0x60\n [372.555591] schedule+0xe0/0x270\n [372.561894] btrfs_commit_transaction+0x18bb/0x2610 [btrfs]\n [372.570506] ? btrfs_apply_pending_changes+0x50/0x50 [btrfs]\n [372.578875] ? free_unref_page+0x3f2/0x650\n [372.585484] ? finish_wait+0x270/0x270\n [372.591594] ? release_extent_buffer+0x224/0x420 [btrfs]\n [372.599264] btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs]\n [372.607157] ? lock_release+0x3a9/0x6d0\n [372.613054] ? btrfs_qgroup_account_extent+0xda0/0xda0 [btrfs]\n [372.620960] ? do_raw_spin_lock+0x11e/0x250\n [372.627137] ? rwlock_bug.part.0+0x90/0x90\n [372.633215] ? lock_is_held_type+0xe4/0x140\n [372.639404] btrfs_work_helper+0x1ae/0xa90 [btrfs]\n [372.646268] process_one_work+0x7e9/0x1320\n [372.652321] ? lock_release+0x6d0/0x6d0\n [372.658081] ? pwq_dec_nr_in_flight+0x230/0x230\n [372.664513] ? rwlock_bug.part.0+0x90/0x90\n [372.670529] worker_thread+0x59e/0xf90\n [372.676172] ? process_one_work+0x1320/0x1320\n [372.682440] kthread+0x3b9/0x490\n [372.687550] ? _raw_spin_unlock_irq+0x24/0x50\n [372.693811] ? set_kthread_struct+0x100/0x100\n [372.700052] ret_from_fork+0x22/0x30\n [372.705517] \n [372.709747] INFO: task btrfs-transacti:2347 blocked for more than 123 seconds.\n [372.729827] Not tainted 5.16.0-rc8 #7\n [372.745907] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n [372.767106] task:btrfs-transacti state:D stack: 0 pid: 2347 ppid: 2 flags:0x00004000\n [372.787776] Call Trace:\n [372.801652] \n [372.812961] __schedule+0xb56/0x4850\n [372.830011] ? io_schedule_timeout+0x190/0x190\n [372.852547] ? lockdep_hardirqs_on+0x7e/0x100\n [372.871761] ? _raw_spin_unlock_irqrestore+0x3e/0x60\n [372.886792] schedule+0xe0/0x270\n [372.901685] wait_current_trans+0x22c/0x310 [btrfs]\n [372.919743] ? btrfs_put_transaction+0x3d0/0x3d0 [btrfs]\n [372.938923] ? finish_wait+0x270/0x270\n [372.959085] ? join_transaction+0xc7\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: btrfs: soluciona el punto muerto entre la desactivaci\u00f3n de cuota y el trabajador de rescaneo de qgroup. La desactivaci\u00f3n de cuota ioctl inicia una transacci\u00f3n antes de esperar a que se complete el trabajador de rescaneo de qgroup. Sin embargo, esta espera puede ser infinita y provocar un punto muerto debido a la dependencia circular entre el ioctl de desactivaci\u00f3n de cuota, el trabajador de rescaneo de qgroup y la otra tarea con transacciones como la tarea de reubicaci\u00f3n del grupo de bloques. El punto muerto ocurre con los siguientes pasos: 1) La tarea A llama a ioctl para deshabilitar la cuota. Inicia una transacci\u00f3n y espera a que se complete el trabajo de rescaneo de qgroup. 2) La tarea B, como la tarea de reubicaci\u00f3n del grupo de bloques, inicia una transacci\u00f3n y se une a la transacci\u00f3n que inici\u00f3 la tarea A. Luego la tarea B se compromete con la transacci\u00f3n. En esta confirmaci\u00f3n, la tarea B espera una confirmaci\u00f3n de la tarea A. 3) La tarea C, como trabajador de rescaneo de qgroup, inicia su trabajo e inicia una transacci\u00f3n. En el inicio de esta transacci\u00f3n, la tarea C espera a que se complete la transacci\u00f3n que inici\u00f3 la tarea A y confirm\u00f3 la tarea B. Este punto muerto se encontr\u00f3 con el caso de prueba btrfs/115 de fstests y un dispositivo null_blk zonificado. El caso de prueba habilita y deshabilita la cuota, y la recuperaci\u00f3n del grupo de bloques se activ\u00f3 durante la deshabilitaci\u00f3n de la cuota por casualidad. El punto muerto tambi\u00e9n se observ\u00f3 al ejecutar la habilitaci\u00f3n y deshabilitaci\u00f3n de cuotas en paralelo con el comando 'btrfs balance' en dispositivos null_blk normales. Un informe de ejemplo del punto muerto: [372.469894] INFORMACI\u00d3N: tarea kworker/u16:6:103 bloqueada durante m\u00e1s de 122 segundos. [372.479944] No contaminado 5.16.0-rc8 #7 [372.485067] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" desactiva este mensaje. [372.493898] tarea:kworker/u16:6 estado:D pila: 0 pid: 103 ppid: 2 banderas:0x00004000 [372.503285] Cola de trabajo: btrfs-qgroup-rescan btrfs_work_helper [btrfs] [372.510782] Seguimiento de llamadas: [372.521684] __programaci\u00f3n+0xb56/0x4850 [372.530104] ? io_schedule_timeout+0x190/0x190 [372.538842] ? lockdep_hardirqs_on+0x7e/0x100 [372.547092] ? _raw_spin_unlock_irqrestore+0x3e/0x60 [372.555591] horario+0xe0/0x270 [372.561894] btrfs_commit_transaction+0x18bb/0x2610 [btrfs] [372.570506] ? btrfs_apply_pending_changes+0x50/0x50 [btrfs] [372.578875] ? free_unref_page+0x3f2/0x650 [372.585484] ? terminar_esperar+0x270/0x270 [372.591594] ? release_extent_buffer+0x224/0x420 [btrfs] [372.599264] btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs] [372.607157] ? lock_release+0x3a9/0x6d0 [372.613054]? btrfs_qgroup_account_extent+0xda0/0xda0 [btrfs] [372.620960]? do_raw_spin_lock+0x11e/0x250 [372.627137]? rwlock_bug.part.0+0x90/0x90 [372.633215] ? lock_is_held_type+0xe4/0x140 [372.639404] btrfs_work_helper+0x1ae/0xa90 [btrfs] [372.646268] Process_one_work+0x7e9/0x1320 [372.652321] ? lock_release+0x6d0/0x6d0 [372.658081]? pwq_dec_nr_in_flight+0x230/0x230 [372.664513] ? rwlock_bug.part.0+0x90/0x90 [372.670529] trabajador_thread+0x59e/0xf90 [372.676172] ? proceso_one_work+0x1320/0x1320 [372.682440] kthread+0x3b9/0x490 [372.687550] ? _raw_spin_unlock_irq+0x24/0x50 [372.693811] ? set_kthread_struct+0x100/0x100 [372.700052] ret_from_fork+0x22/0x30 [372.705517] [372.709747] INFORMACI\u00d3N: tarea btrfs-transacti:2347 bloqueada durante m\u00e1s de 123 segundos. [372.729827] No contaminado 5.16.0-rc8 #7 [372.745907] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" desactiva este mensaje. [372.767106] tarea: btrfs-transacti estado: D pila: 0 pid: 2347 ppid: 2 banderas: 0x00004000 [372.787776] Seguimiento de llamadas: [372.801652] [372.812961] __schedule+0xb56/0x4850 [372.83 0011] ? io_schedule_timeout+0x190/0x190 [372.852547] ? lockdep_hardirqs_on+0x7e/0x100 [372.871761]? _raw_spin_unlock_irqrestore+0x3e/0x60 [372.886792] horario+0xe0/0x270 [372.901685] ---truncado---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/26b3901d20bf9da2c6a00cb1fb48932166f80a45", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/31198e58c09e21d4f65c49d2361f76b87aca4c3f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/32747e01436aac8ef93fe85b5b523b4f3b52f040", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/89d4cca583fc9594ee7d1a0bc986886d6fb587e6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e804861bd4e69cc5fe1053eedcb024982dde8e48", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48735", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:11.890", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: Fix UAF of leds class devs at unbinding\n\nThe LED class devices that are created by HD-audio codec drivers are\nregistered via devm_led_classdev_register() and associated with the\nHD-audio codec device. Unfortunately, it turned out that the devres\nrelease doesn't work for this case; namely, since the codec resource\nrelease happens before the devm call chain, it triggers a NULL\ndereference or a UAF for a stale set_brightness_delay callback.\n\nFor fixing the bug, this patch changes the LED class device register\nand unregister in a manual manner without devres, keeping the\ninstances in hda_gen_spec."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ALSA: hda: corrige UAF de los desarrolladores de clase LED al desvincularse. Los dispositivos de clase LED creados por controladores de c\u00f3dec de audio HD se registran a trav\u00e9s de devm_led_classdev_register() y se asocian con el audio HD. dispositivo c\u00f3dec. Desafortunadamente, result\u00f3 que la versi\u00f3n devres no funciona para este caso; es decir, dado que la liberaci\u00f3n del recurso del c\u00f3dec ocurre antes de la cadena de llamadas del desarrollador, desencadena una desreferencia NULL o un UAF para una devoluci\u00f3n de llamada obsoleta set_brightness_delay. Para corregir el error, este parche cambia el registro y cancelaci\u00f3n del registro del dispositivo de clase LED de forma manual sin devres, manteniendo las instancias en hda_gen_spec."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0e629052f013eeb61494d4df2f1f647c2a9aef47", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/549f8ffc7b2f7561bea7f90930b6c5104318e87b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/813e9f3e06d22e29872d4fd51b54992d89cf66c8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a7de1002135cf94367748ffc695a29812d7633b5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48736", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:11.973", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx()\n\nWe don't currently validate that the values being set are within the range\nwe advertised to userspace as being valid, do so and reject any values\nthat are out of range."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ASoC: ops: Rechazar valores fuera de los l\u00edmites en snd_soc_put_xr_sx() Actualmente no validamos que los valores que se establecen est\u00e9n dentro del rango que anunciamos en el espacio de usuario como v\u00e1lidos, h\u00e1galo y rechazar cualquier valor que est\u00e9 fuera de rango."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/17e16a66b4f9a310713d8599e6e1ca4a0c9fd28c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4cf28e9ae6e2e11a044be1bcbcfa1b0d8675fe4d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/54abca038e287d3746dd40016514670a7f654c5c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6877f87579ed830f9ff6d478539074f035d04bfb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7659f25a80e6affb784b690df8994b79b4212fd4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b0a7836ecf1345814a7d8ef748fb797c520dad18", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e09cf398e8c6db69c620b6d8073abc4377a07af5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fd9a23319f16e7031f0d8c98eed6e093c2927229", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48737", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:12.060", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx()\n\nWe don't currently validate that the values being set are within the range\nwe advertised to userspace as being valid, do so and reject any values\nthat are out of range."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: ops: Rechazar valores fuera de los l\u00edmites en snd_soc_put_volsw_sx() Actualmente no validamos que los valores que se establecen est\u00e9n dentro del rango que anunciamos en el espacio de usuario como v\u00e1lidos, h\u00e1galo y rechazar cualquier valor que est\u00e9 fuera de rango."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/038f8b7caa74d29e020949a43ca368c93f6b29b9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4977491e4b3aad8567f57e2a9992d251410c1db3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9a12fcbf3c622f9bf6b110a873d62b0cba93972e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9e5c40b5706d8aae2cf70bd7e01f0b4575a642d0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c33402b056de61104b6146dedbe138ca8d7ec62b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e8e07c5e25a29e2a6f119fd947f55d7a55eb8a13", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ef6cd9eeb38062a145802b7b56be7ae1090e165e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48738", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:12.150", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Reject out of bounds values in snd_soc_put_volsw()\n\nWe don't currently validate that the values being set are within the range\nwe advertised to userspace as being valid, do so and reject any values\nthat are out of range."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: ops: Rechazar valores fuera de los l\u00edmites en snd_soc_put_volsw() Actualmente no validamos que los valores que se establecen est\u00e9n dentro del rango que anunciamos en el espacio de usuario como v\u00e1lidos, h\u00e1galo y rechazar cualquier valor que est\u00e9 fuera de rango."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/40f598698129b5ceaf31012f9501b775c7b6e57d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/586ef863c94354a7e00e5ae5ef01443d1dc99bc7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/65a61b1f56f5386486757930069fbdce94af08bf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/68fd718724284788fc5f379e0b7cac541429ece7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/817f7c9335ec01e0f5e8caffc4f1dcd5e458a4c0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9e8895f1b3d4433f6d78aa6578e9db61ca6e6830", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a9394f21fba027147bf275b083c77955864c366a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bb72d2dda85564c66d909108ea6903937a41679d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48739", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:12.243", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: hdmi-codec: Fix OOB memory accesses\n\nCorrect size of iec_status array by changing it to the size of status\narray of the struct snd_aes_iec958. This fixes out-of-bounds slab\nread accesses made by memcpy() of the hdmi-codec driver. This problem\nis reported by KASAN."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: hdmi-codec: corrige los accesos a memoria OOB Corrija el tama\u00f1o de la matriz iec_status cambi\u00e1ndolo al tama\u00f1o de la matriz de estado de la estructura snd_aes_iec958. Esto corrige los accesos de lectura de losa fuera de los l\u00edmites realizados por memcpy() del controlador hdmi-codec. KASAN informa de este problema."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/06feec6005c9d9500cd286ec440aabf8b2ddd94d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/10007bd96b6c4c3cfaea9e76c311b06a07a5e260", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1552e66be325a21d7eff49f46013fb402165a0ac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48740", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:12.330", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: fix double free of cond_list on error paths\n\nOn error path from cond_read_list() and duplicate_policydb_cond_list()\nthe cond_list_destroy() gets called a second time in caller functions,\nresulting in NULL pointer deref. Fix this by resetting the\ncond_list_len to 0 in cond_list_destroy(), making subsequent calls a\nnoop.\n\nAlso consistently reset the cond_list pointer to NULL after freeing.\n\n[PM: fix line lengths in the description]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: selinux: corrige el doble libre de cond_list en rutas de error En la ruta de error de cond_read_list() y duplicado_policydb_cond_list(), se llama a cond_list_destroy() por segunda vez en las funciones de llamada, lo que resulta en un puntero NULL deref. Solucione este problema restableciendo cond_list_len a 0 en cond_list_destroy(), haciendo que las llamadas posteriores sean un error. Tambi\u00e9n restablezca constantemente el puntero cond_list a NULL despu\u00e9s de liberarlo. [PM: corrija la longitud de las l\u00edneas en la descripci\u00f3n]"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/186edf7e368c40d06cf727a1ad14698ea67b74ad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/70caa32e6d81f45f0702070c0e4dfe945e92fbd7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7ed9cbf7ac0d4ed86b356e1b944304ae9ee450d4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f446089a268c8fc6908488e991d28a9b936293db", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48741", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:12.430", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix NULL pointer dereference in copy up warning\n\nThis patch is fixing a NULL pointer dereference to get a recently\nintroduced warning message working."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ovl: corrige la desreferencia del puntero NULL en la advertencia de copia. Este parche corrige una desreferencia del puntero NULL para que funcione un mensaje de advertencia introducido recientemente."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/4ee7e4a6c9b298da44029ed9ec8ed23ae49cc209", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9c7f8a35c5a83740c0e3ea540b6ad145c50d79aa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e6b678c1a3673de6a5d2f4e22bb725a086a0701a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48742", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:12.517", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink()\n\nWhile looking at one unrelated syzbot bug, I found the replay logic\nin __rtnl_newlink() to potentially trigger use-after-free.\n\nIt is better to clear master_dev and m_ops inside the loop,\nin case we have to replay it."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: rtnetlink: aseg\u00farese de actualizar master_dev/m_ops en __rtnl_newlink() Mientras observaba un error de syzbot no relacionado, encontr\u00e9 la l\u00f3gica de reproducci\u00f3n en __rtnl_newlink() para activar potencialmente el use-after-free. Es mejor borrar master_dev y m_ops dentro del bucle, en caso de que tengamos que reproducirlo."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2cf180360d66bd657e606c1217e0e668e6faa303", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/36a9a0aee881940476b254e0352581401b23f210", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3bbe2019dd12b8d13671ee6cda055d49637b4c39", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7d9211678c0f0624f74cdff36117ab8316697bb8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a01e60a1ec6bef9be471fb7182a33c6d6f124e93", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bd43771ee9759dd9dfae946bff190e2c5a120de5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c6f6f2444bdbe0079e41914a35081530d0409963", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/def5e7070079b2a214b3b1a2fbec623e6fbfe34a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48743", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:12.610", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: amd-xgbe: Fix skb data length underflow\n\nThere will be BUG_ON() triggered in include/linux/skbuff.h leading to\nintermittent kernel panic, when the skb length underflow is detected.\n\nFix this by dropping the packet if such length underflows are seen\nbecause of inconsistencies in the hardware descriptors."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: amd-xgbe: corrige el desbordamiento de longitud de datos de skb. Se activar\u00e1 BUG_ON() en include/linux/skbuff.h, lo que provocar\u00e1 un p\u00e1nico intermitente en el kernel, cuando el desbordamiento de longitud de skb sea detectado. Solucione este problema descartando el paquete si se observan desbordamientos de longitud debido a inconsistencias en los descriptores de hardware."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/34aeb4da20f93ac80a6291a2dbe7b9c6460e9b26", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4d3fcfe8464838b3920bc2b939d888e0b792934e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5aac9108a180fc06e28d4e7fb00247ce603b72ee", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/617f9934bb37993b9813832516f318ba874bcb7d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9892742f035f7aa7dcd2bb0750effa486db89576", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9924c80bd484340191e586110ca22bff23a49f2e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/db6fd92316a254be2097556f01bccecf560e53ce", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e8f73f620fee5f52653ed2da360121e4446575c5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48744", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:12.700", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid field-overflowing memcpy()\n\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\n\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\n\nWe were doing:\n\n\t#define ETH_HLEN 14\n\t#define VLAN_HLEN 4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n struct mlx5_wqe_eth_seg *eseg = &wqe->eth;\n struct mlx5_wqe_data_seg *dseg = wqe->data;\n\t...\n\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\n\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\n\nstruct mlx5e_tx_wqe {\n struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */\n struct mlx5_wqe_eth_seg eth; /* 16 16 */\n struct mlx5_wqe_data_seg data[]; /* 32 0 */\n\n /* size: 32, cachelines: 1, members: 3 */\n /* last cacheline: 32 bytes */\n};\n\nstruct mlx5_wqe_eth_seg {\n u8 swp_outer_l4_offset; /* 0 1 */\n u8 swp_outer_l3_offset; /* 1 1 */\n u8 swp_inner_l4_offset; /* 2 1 */\n u8 swp_inner_l3_offset; /* 3 1 */\n u8 cs_flags; /* 4 1 */\n u8 swp_flags; /* 5 1 */\n __be16 mss; /* 6 2 */\n __be32 flow_table_metadata; /* 8 4 */\n union {\n struct {\n __be16 sz; /* 12 2 */\n u8 start[2]; /* 14 2 */\n } inline_hdr; /* 12 4 */\n struct {\n __be16 type; /* 12 2 */\n __be16 vlan_tci; /* 14 2 */\n } insert; /* 12 4 */\n __be32 trailer; /* 12 4 */\n }; /* 12 4 */\n\n /* size: 16, cachelines: 1, members: 9 */\n /* last cacheline: 16 bytes */\n};\n\nstruct mlx5_wqe_data_seg {\n __be32 byte_count; /* 0 4 */\n __be32 lkey; /* 4 4 */\n __be64 addr; /* 8 8 */\n\n /* size: 16, cachelines: 1, members: 3 */\n /* last cacheline: 16 bytes */\n};\n\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\n\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5e: Evite el desbordamiento de campos memcpy() En preparaci\u00f3n para FORTIFY_SOURCE, se realizan comprobaciones de los l\u00edmites de campos en tiempo de compilaci\u00f3n y tiempo de ejecuci\u00f3n para memcpy(), memmove() y memset( ), evite escribir intencionalmente en campos vecinos. Utilice matrices flexibles en lugar de matrices de elementos cero (que parecen estar siempre desbordadas) y divida el campo cruzado memcpy() en dos mitades que el compilador pueda verificar adecuadamente los l\u00edmites. Est\u00e1bamos haciendo: #define ETH_HLEN 14 #define VLAN_HLEN 4... #define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)... struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi); ... estructura mlx5_wqe_eth_seg *eseg = &wqe->eth; struct mlx5_wqe_data_seg *dseg = wqe->datos; ... memcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE); El objetivo es wqe->eth.inline_hdr.start (que el compilador considera que tiene un tama\u00f1o de 2 bytes), pero copia 18, con la intenci\u00f3n de escribir a lo largo del inicio (en realidad, vlan_tci, 2 bytes). Los 16 bytes restantes se escriben en wqe->data[0], cubriendo byte_count (4 bytes), lkey (4 bytes) y addr (8 bytes). estructura mlx5e_tx_wqe { estructura mlx5_wqe_ctrl_seg ctrl; /* 0 16 */ struct mlx5_wqe_eth_seg eth; /* 16 16 */ struct mlx5_wqe_data_seg datos[]; /* 32 0 */ /* tama\u00f1o: 32, l\u00edneas de cach\u00e9: 1, miembros: 3 */ /* \u00faltima l\u00ednea de cach\u00e9: 32 bytes */ }; struct mlx5_wqe_eth_seg { u8 swp_outer_l4_offset; /* 0 1 */ u8 swp_outer_l3_offset; /* 1 1 */ u8 swp_inner_l4_offset; /* 2 1 */ u8 swp_inner_l3_offset; /* 3 1 */ u8 cs_flags; /* 4 1 */ u8 swp_flags; /* 5 1 */ __be16 mss; /* 6 2 */ __be32 flow_table_metadata; /* 8 4 */ uni\u00f3n { estructura { __be16 sz; /* 12 2 */ u8 inicio[2]; /* 14 2 */ } inline_hdr; /* 12 4 */ struct { __be16 tipo; /* 12 2 */ __be16 vlan_tci; /* 14 2 */ } insertar; /* 12 4 */ __be32 remolque; /* 12 4 */ }; /* 12 4 */ /* tama\u00f1o: 16, l\u00edneas de cach\u00e9: 1, miembros: 9 */ /* \u00faltima l\u00ednea de cach\u00e9: 16 bytes */ }; struct mlx5_wqe_data_seg { __be32 byte_count; /* 0 4 */ __be32 lkey; /* 4 4 */ __be64 direcci\u00f3n; /* 8 8 */ /* tama\u00f1o: 16, l\u00edneas de cach\u00e9: 1, miembros: 3 */ /* \u00faltima l\u00ednea de cach\u00e9: 16 bytes */ }; Entonces, divida memcpy() para que el compilador pueda razonar sobre los tama\u00f1os del b\u00fafer. \"pahole\" no muestra cambios de tama\u00f1o ni de compensaci\u00f3n de miembros en la estructura mlx5e_tx_wqe ni en la estructura mlx5e_umr_wqe. \"objdump -d\" no muestra cambios significativos en el c\u00f3digo objeto (es decir, solo diferencias y optimizaciones inducidas por el n\u00famero de l\u00ednea de origen)."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48745", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:12.783", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Use del_timer_sync in fw reset flow of halting poll\n\nSubstitute del_timer() with del_timer_sync() in fw reset polling\ndeactivation flow, in order to prevent a race condition which occurs\nwhen del_timer() is called and timer is deactivated while another\nprocess is handling the timer interrupt. A situation that led to\nthe following call trace:\n\tRIP: 0010:run_timer_softirq+0x137/0x420\n\t\n\trecalibrate_cpu_khz+0x10/0x10\n\tktime_get+0x3e/0xa0\n\t? sched_clock_cpu+0xb/0xc0\n\t__do_softirq+0xf5/0x2ea\n\tirq_exit_rcu+0xc1/0xf0\n\tsysvec_apic_timer_interrupt+0x9e/0xc0\n\tasm_sysvec_apic_timer_interrupt+0x12/0x20\n\t"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5: Utilice del_timer_sync en el flujo de desactivaci\u00f3n del sondeo de reinicio de fw. Sustituya del_timer() por del_timer_sync() en el flujo de desactivaci\u00f3n del sondeo de reinicio de fw, para evitar una condici\u00f3n de ejecuci\u00f3n que se produce cuando se llama a del_timer() y el temporizador se desactiva mientras otro proceso maneja la interrupci\u00f3n del temporizador. Una situaci\u00f3n que llev\u00f3 al siguiente seguimiento de llamadas: RIP: 0010:run_timer_softirq+0x137/0x420 recalibrate_cpu_khz+0x10/0x10 ktime_get+0x3e/0xa0 ? sched_clock_cpu+0xb/0xc0 __do_softirq+0xf5/0x2ea irq_exit_rcu+0xc1/0xf0 sysvec_apic_timer_interrupt+0x9e/0xc0 asm_sysvec_apic_timer_interrupt+0x12/0x20 "}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2a038dd1d942f8fbc495c58fa592ff24af05f1c2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3c5193a87b0fea090aa3f769d020337662d87b5e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/502c37b033fab7cde3e95a570af4f073306be45e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f895ebeb44d09d02674cfdd0cfc2bf687603918c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48746", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:12.870", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix handling of wrong devices during bond netevent\n\nCurrent implementation of bond netevent handler only check if\nthe handled netdev is VF representor and it missing a check if\nthe VF representor is on the same phys device of the bond handling\nthe netevent.\n\nFix by adding the missing check and optimizing the check if\nthe netdev is VF representor so it will not access uninitialized\nprivate data and crashes.\n\nBUG: kernel NULL pointer dereference, address: 000000000000036c\nPGD 0 P4D 0\nOops: 0000 [#1] SMP NOPTI\nWorkqueue: eth3bond0 bond_mii_monitor [bonding]\nRIP: 0010:mlx5e_is_uplink_rep+0xc/0x50 [mlx5_core]\nRSP: 0018:ffff88812d69fd60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff8881cf800000 RCX: 0000000000000000\nRDX: ffff88812d69fe10 RSI: 000000000000001b RDI: ffff8881cf800880\nRBP: ffff8881cf800000 R08: 00000445cabccf2b R09: 0000000000000008\nR10: 0000000000000004 R11: 0000000000000008 R12: ffff88812d69fe10\nR13: 00000000fffffffe R14: ffff88820c0f9000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff88846fb00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000036c CR3: 0000000103d80006 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n mlx5e_eswitch_uplink_rep+0x31/0x40 [mlx5_core]\n mlx5e_rep_is_lag_netdev+0x94/0xc0 [mlx5_core]\n mlx5e_rep_esw_bond_netevent+0xeb/0x3d0 [mlx5_core]\n raw_notifier_call_chain+0x41/0x60\n call_netdevice_notifiers_info+0x34/0x80\n netdev_lower_state_changed+0x4e/0xa0\n bond_mii_monitor+0x56b/0x640 [bonding]\n process_one_work+0x1b9/0x390\n worker_thread+0x4d/0x3d0\n ? rescuer_thread+0x350/0x350\n kthread+0x124/0x150\n ? set_kthread_struct+0x40/0x40\n ret_from_fork+0x1f/0x30"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net/mlx5e: Se corrigi\u00f3 el manejo de dispositivos incorrectos durante el bond netevent. La implementaci\u00f3n actual del controlador bond netevent solo verifica si el netdev manejado es el representante VF y falta una verificaci\u00f3n si el representante VF est\u00e1 activado. el mismo dispositivo f\u00edsico del v\u00ednculo que maneja el evento neto. Para solucionarlo, agregue la verificaci\u00f3n que falta y optimice la verificaci\u00f3n si netdev es el representante de VF para que no acceda a datos privados no inicializados y se bloquee. ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 000000000000036c PGD 0 P4D 0 Ups: 0000 [#1] Cola de trabajo SMP NOPTI: eth3bond0 bond_mii_monitor [uni\u00f3n] RIP: 0010:mlx5e_is_uplink_rep+0xc/0x50 [mlx5_core] RSP: 018:ffff88812d69fd60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8881cf800000 RCX: 0000000000000000 RDX: ffff88812d69fe10 RSI: 0000000000000001b RDI: ffff8881cf800880 RBP: ffff8881 cf800000 R08: 00000445cabccf2b R09: 0000000000000008 R10: 0000000000000004 R11: 0000000000000008 R12: ffff88812d69fe10 R13: 00000000ffffffe R 14: ffff88820c0f9000 R15: 0000000000000000 FS: 0000000000000000(0000 ) GS:ffff88846fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000036c CR3: 0000000103d80 006 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 00000000000000000 DR6: 00000000ffe0ff0 000000000000400 Llamar Seguimiento: mlx5e_eswitch_uplink_rep+0x31/0x40 [mlx5_core] mlx5e_rep_is_lag_netdev+0x94/0xc0 [mlx5_core] mlx5e_rep_esw_bond_netevent+0xeb/0x3d0 [mlx5_core] raw_notifier_call_chain+0x41/0x60 _notifiers_info+0x34/0x80 netdev_lower_state_changed+0x4e/0xa0 bond_mii_monitor+0x56b/0x640 [vinculaci\u00f3n] proceso_one_work +0x1b9/0x390 hilo_trabajador+0x4d/0x3d0 ? hilo_rescate+0x350/0x350 khilo+0x124/0x150 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x1f/0x30"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/4fad499d7fece448e7230d5e5b92f6d8a073e0bb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a01ee1b8165f4161459b5ec4e728bc7130fe8cd4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ec41332e02bd0acf1f24206867bb6a02f5877a62", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fe70126da6063c29ca161cdec7ad1dae9af836b3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48747", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:12.960", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix wrong offset in bio_truncate()\n\nbio_truncate() clears the buffer outside of last block of bdev, however\ncurrent bio_truncate() is using the wrong offset of page. So it can\nreturn the uninitialized data.\n\nThis happened when both of truncated/corrupted FS and userspace (via\nbdev) are trying to read the last of bdev."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bloque: corrige el desplazamiento incorrecto en bio_truncate() bio_truncate() borra el b\u00fafer fuera del \u00faltimo bloque de bdev, sin embargo, el bio_truncate() actual est\u00e1 usando el desplazamiento de p\u00e1gina incorrecto. Entonces puede devolver los datos no inicializados. Esto sucedi\u00f3 cuando tanto el FS truncado/corrupto como el espacio de usuario (a trav\u00e9s de bdev) intentaban leer lo \u00faltimo de bdev."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3ee859e384d453d6ac68bfd5971f630d9fa46ad3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4633a79ff8bc82770486a063a08b55e5162521d8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6cbf4c731d7812518cd857c2cfc3da9fd120f6ae", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/941d5180c430ce5b0f7a3622ef9b76077bfa3d82", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b63e120189fd92aff00096d11e2fc5253f60248b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48748", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:13.047", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: vlan: fix memory leak in __allowed_ingress\n\nWhen using per-vlan state, if vlan snooping and stats are disabled,\nuntagged or priority-tagged ingress frame will go to check pvid state.\nIf the port state is forwarding and the pvid state is not\nlearning/forwarding, untagged or priority-tagged frame will be dropped\nbut skb memory is not freed.\nShould free skb when __allowed_ingress returns false."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: bridge: vlan: corrige la p\u00e9rdida de memoria en __allowed_ingress Cuando se usa el estado por VLAN, si la vigilancia de VLAN y las estad\u00edsticas est\u00e1n deshabilitadas, el marco de ingreso sin etiquetar o con etiqueta de prioridad ir\u00e1 a verificar pvid estado. Si el estado del puerto est\u00e1 reenviando y el estado del pvid no est\u00e1 aprendiendo/reenviando, se descartar\u00e1 la trama sin etiquetar o con etiqueta de prioridad, pero no se liberar\u00e1 la memoria skb. Deber\u00eda liberar skb cuando __allowed_ingress devuelva falso."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/14be8d448fca6fe7b2a413831eedd55aef6c6511", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/446ff1fc37c74093e81db40811a07b5a19f1d797", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c5e216e880fa6f2cd9d4a6541269377657163098", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fd20d9738395cf8e27d0a17eba34169699fccdff", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48749", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:13.143", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc\n\nThe function performs a check on the \"ctx\" input parameter, however, it\nis used before the check.\n\nInitialize the \"base\" variable after the sanity check to avoid a\npossible NULL pointer dereference.\n\nAddresses-Coverity-ID: 1493866 (\"Null pointer dereference\")"}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: drm/msm/dpu: comprobaci\u00f3n de par\u00e1metro no v\u00e1lido en dpu_setup_dspp_pcc La funci\u00f3n realiza una comprobaci\u00f3n del par\u00e1metro de entrada \"ctx\", sin embargo, se utiliza antes de la comprobaci\u00f3n. Inicialice la variable \"base\" despu\u00e9s de la verificaci\u00f3n de cordura para evitar una posible desreferencia del puntero NULL. Direcciones-Coverity-ID: 1493866 (\"Desreferencia de puntero nulo\")"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/170b22234d5495f5e0844246e23f004639ee89ba", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1ebc18836d5df09061657f8c548e594cbb519476", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8f069f6dde518dfebe86e848508c07e497bd9298", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/93a6e920d8ccb4df846c03b6e72f7e08843d294c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48750", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:13.223", "lastModified": "2024-06-24T16:15:10.050", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (nct6775) Fix crash in clear_caseopen\n\nPawe\u0142 Marciniak reports the following crash, observed when clearing\nthe chassis intrusion alarm.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000028\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 3 PID: 4815 Comm: bash Tainted: G S 5.16.2-200.fc35.x86_64 #1\nHardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P2.60A 05/03/2018\nRIP: 0010:clear_caseopen+0x5a/0x120 [nct6775]\nCode: 68 70 e8 e9 32 b1 e3 85 c0 0f 85 d2 00 00 00 48 83 7c 24 ...\nRSP: 0018:ffffabcb02803dd8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\nRDX: ffff8e8808192880 RSI: 0000000000000000 RDI: ffff8e87c7509a68\nRBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000000a\nR10: 000000000000000a R11: f000000000000000 R12: 000000000000001f\nR13: ffff8e87c7509828 R14: ffff8e87c7509a68 R15: ffff8e88494527a0\nFS: 00007f4db9151740(0000) GS:ffff8e8ebfec0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000166b66001 CR4: 00000000001706e0\nCall Trace:\n \n kernfs_fop_write_iter+0x11c/0x1b0\n new_sync_write+0x10b/0x180\n vfs_write+0x209/0x2a0\n ksys_write+0x4f/0xc0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe problem is that the device passed to clear_caseopen() is the hwmon\ndevice, not the platform device, and the platform data is not set in the\nhwmon device. Store the pointer to sio_data in struct nct6775_data and\nget if from there if needed."}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: hwmon: (nct6775) \u00bfReparar fallo en clear_caseopen Pawe? Marciniak informa del siguiente accidente, observado al borrar la alarma de intrusi\u00f3n en el chasis. ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 00000000000000028 PGD 0 P4D 0 Ups: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 4815 Comm: bash Contaminado: GS 5.16.2-200.fc35.x86_64 #1 Nombre de hardware: Para ser completado por OEM Para ser completado por OEM/Z97 Extreme4, BIOS P2.60A 03/05/2018 RIP: 0010:clear_caseopen+0x5a/0x120 [nct6775] C\u00f3digo: 68 70 e8 e9 32 b1 e3 85 c0 0f 85 d2 00 00 00 48 83 7c 24 ... RSP: 0018:ffffabcb02803dd8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000000000002 RCX: 0000000000000000 RDX: 8808192880 RSI: 0000000000000000 RDI: ffff8e87c7509a68 RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000000a R10: 000000a R11: f000000000000000 R12: 000000000000001f R13: ffff8e87c7509828 R14: ffff8e87c7509a68 R15: ffff8e88494527a0 FS: 00007f4db9151740(0000) GS:ffff8e8ebfec0000(0000) nlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000166b66001 CR4: 00000000001706e0 : kernfs_fop_write_iter+0x11c/0x1b0 new_sync_write+0x10b/0x180 vfs_write+0x209/0x2a0 ksys_write+0x4f/0xc0 do_syscall_64+0x3b/0x90 Entry_SYSCALL_64_after_hwframe+0x44/0xae El problema es que el dispositivo pasado a clear_caseopen() es el dispositivo hwmon, no el dispositivo de plataforma y los datos de la plataforma no est\u00e1n configurados en el dispositivo hwmon. Guarde el puntero a sio_data en la estructura nct6775_data y obtengalo desde all\u00ed si es necesario."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/79da533d3cc717ccc05ddbd3190da8a72bc2408b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cfb7d12f2e4a4d694f49e9b4ebb352f7b67cdfbb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48751", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:13.310", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Transitional solution for clcsock race issue\n\nWe encountered a crash in smc_setsockopt() and it is caused by\naccessing smc->clcsock after clcsock was released.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E 5.16.0-rc4+ #53\n RIP: 0010:smc_setsockopt+0x59/0x280 [smc]\n Call Trace:\n \n __sys_setsockopt+0xfc/0x190\n __x64_sys_setsockopt+0x20/0x30\n do_syscall_64+0x34/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f16ba83918e\n \n\nThis patch tries to fix it by holding clcsock_release_lock and\nchecking whether clcsock has already been released before access.\n\nIn case that a crash of the same reason happens in smc_getsockopt()\nor smc_switch_to_fallback(), this patch also checkes smc->clcsock\nin them too. And the caller of smc_switch_to_fallback() will identify\nwhether fallback succeeds according to the return value."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net/smc: soluci\u00f3n transitoria para el problema de ejecuci\u00f3n de clcsock Encontramos un bloqueo en smc_setsockopt() y se debe al acceso a smc->clcsock despu\u00e9s de que se lanz\u00f3 clcsock. ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000020 #PF: acceso de lectura del supervisor en modo kernel #PF: c\u00f3digo_error(0x0000) - p\u00e1gina no presente PGD 0 P4D 0 Ups: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 50309 Comm: nginx Kdump: cargado Contaminado: GE 5.16.0-rc4+ #53 RIP: 0010:smc_setsockopt+0x59/0x280 [smc] Seguimiento de llamadas: __sys_setsockopt+0xfc/0x190 __x64_sys_setsockopt+0x20/0x30 do_syscall_64+0x34/0x90 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f16ba83918e Este parche intenta solucionarlo manteniendo presionado clcsock_release_lock y verificando si clcsock ya se ha liberado antes del acceso. En caso de que ocurra una falla por el mismo motivo en smc_getsockopt() o smc_switch_to_fallback(), este parche tambi\u00e9n verifica smc->clcsock en ellos. Y la persona que llama a smc_switch_to_fallback() identificar\u00e1 si el respaldo tiene \u00e9xito de acuerdo con el valor de retorno."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/38f0bdd548fd2ef5d481b88d8a2bfef968452e34", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4284225cd8001e134f5cf533a7cd244bbb654d0f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c0bf3d8a943b6f2e912b7c1de03e2ef28e76f760", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48752", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:13.397", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending\n\nRunning selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in kernel\ntriggered below warning:\n\n[ 172.851380] ------------[ cut here ]------------\n[ 172.851391] WARNING: CPU: 8 PID: 2901 at arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280\n[ 172.851402] Modules linked in: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache jbd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fuse\n[ 172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ Not tainted 5.16.0-rc5-03218-g798527287598 #2\n[ 172.851451] NIP: c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180\n[ 172.851458] REGS: c000000017687860 TRAP: 0700 Not tainted (5.16.0-rc5-03218-g798527287598)\n[ 172.851465] MSR: 8000000000029033 CR: 48004884 XER: 20040000\n[ 172.851482] CFAR: c00000000013d5b4 IRQMASK: 1\n[ 172.851482] GPR00: c00000000013d5a4 c000000017687b00 c000000002a10600 0000000000000004\n[ 172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000\n[ 172.851482] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68\n[ 172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000\n[ 172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0\n[ 172.851482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003\n[ 172.851482] GPR24: 0000000000000000 c0000008ba097400 c0000000161e0d00 c00000000a3bb600\n[ 172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8\n[ 172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280\n[ 172.851557] LR [c00000000013d5a4] power_pmu_disable+0x214/0x280\n[ 172.851565] Call Trace:\n[ 172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (unreliable)\n[ 172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60\n[ 172.851588] [c000000017687b60] [c0000000003445e4] __perf_event_task_sched_out+0x1d4/0x660\n[ 172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0\n[ 172.851602] [c000000017687d60] [c000000000d11ea8] schedule+0x78/0x140\n[ 172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40\n[ 172.851615] [c000000017687db0] [c0000000000334dc] system_call_exception+0x18c/0x380\n[ 172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268\n\nThe warning indicates that MSR_EE being set(interrupt enabled) when\nthere was an overflown PMC detected. This could happen in\npower_pmu_disable since it runs under interrupt soft disable\ncondition ( local_irq_save ) and not with interrupts hard disabled.\ncommit 2c9ac51b850d (\"powerpc/perf: Fix PMU callbacks to clear\npending PMI before resetting an overflown PMC\") intended to clear\nPMI pending bit in Paca when disabling the PMU. It could happen\nthat PMC gets overflown while code is in power_pmu_disable\ncallback function. Hence add a check to see if PMI pending bit\nis set in Paca before clearing it via clear_pmi_pending."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: powerpc/perf: corrija power_pmu_disable para llamar a clear_pmi_irq_pending solo si PMI est\u00e1 pendiente Ejecutando la autoprueba con CONFIG_PPC_IRQ_SOFT_MASK_DEBUG habilitado en el kernel activado a continuaci\u00f3n: [172.851380] ---------- --[ cortar aqu\u00ed ]------------ [ 172.851391] ADVERTENCIA: CPU: 8 PID: 2901 en arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280 [ 172.851402 ] M\u00f3dulos vinculados en: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache j bd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fusible [172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ No contaminado 5.16 .0-rc5-03218-g798527287598 #2 [ 172.851451] NIP: c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180 [ 172.851458] REGS: 7687860 TRAMPA: 0700 No contaminado (5.16.0-rc5-03218-g798527287598) [ 172.851465] MSR: 8000000000029033 CR: 48004884 XER: 20040000 [ 172.851482] CFAR: c00000000013d5b4 IRQMASK: 1 [ 172.851482] GPR00: c00000000013d5a4 c00000001768 7b00 c000000002a10600 0000000000000004 [ 172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000 [ 17 2.851482 ] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68 [ 172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000 [ 172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0 [ 172.8 51482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003 [ 172.851482] GPR24: 0000000000000000 c0000008ba097 400 c0000000161e0d00 c00000000a3bb600 [ 172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8 [ 172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280 [ 172.851557] LR [c00000000013d5a4] able+0x214/0x280 [ 172.851565] Seguimiento de llamadas: [ 172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (no confiable) [ 172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60 [ 172.851588] [c000000017687b60] [c0000000003445e4] k_sched_out+0x1d4/0x660 [ 172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0 [ 172.851602] [c000000017687d60] 00d11ea8] programaci\u00f3n+0x78/0x140 [ 172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40 [ 172.851615] [c000000017687db0] 34dc] system_call_exception+0x18c/0x380 [ 172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268 La advertencia indica que MSR_EE se configur\u00f3 (interrupci\u00f3n habilitada) cuando se detect\u00f3 un PMC desbordado. Esto podr\u00eda suceder en power_pmu_disable ya que se ejecuta bajo la condici\u00f3n de desactivaci\u00f3n suave de interrupci\u00f3n ( local_irq_save ) y no con interrupciones desactivadas por completo. commit 2c9ac51b850d (\"powerpc/perf: Fix devoluciones de llamada de PMU para borrar el PMI pendiente antes de restablecer un PMC desbordado\") destinado a borrar el bit pendiente de PMI en Paca al deshabilitar la PMU. Podr\u00eda suceder que PMC se desborde mientras el c\u00f3digo est\u00e1 en la funci\u00f3n de devoluci\u00f3n de llamada power_pmu_disable. Por lo tanto, agregue una verificaci\u00f3n para ver si el bit pendiente de PMI est\u00e1 configurado en Paca antes de borrarlo a trav\u00e9s de clear_pmi_pending."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/28aaed966e76807a71de79dd40a8eee9042374dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/55402a4618721f350a9ab660bb42717d8aa18e7c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fa4ad064a6bd49208221df5e62adf27b426d1720", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fb6433b48a178d4672cb26632454ee0b21056eaa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48753", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:13.480", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix memory leak in disk_register_independent_access_ranges\n\nkobject_init_and_add() takes reference even when it fails.\nAccording to the doc of kobject_init_and_add()\n\n If this function returns an error, kobject_put() must be called to\n properly clean up the memory associated with the object.\n\nFix this issue by adding kobject_put().\nCallback function blk_ia_ranges_sysfs_release() in kobject_put()\ncan handle the pointer \"iars\" properly."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bloque: corrige la p\u00e9rdida de memoria en disk_register_independent_access_ranges kobject_init_and_add() toma referencia incluso cuando falla. Seg\u00fan el documento de kobject_init_and_add() Si esta funci\u00f3n devuelve un error, se debe llamar a kobject_put() para limpiar adecuadamente la memoria asociada con el objeto. Solucione este problema agregando kobject_put(). La funci\u00f3n de devoluci\u00f3n de llamada blk_ia_ranges_sysfs_release() en kobject_put() puede manejar el puntero \"iars\" correctamente."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/83114df32ae779df57e0af99a8ba6c3968b2ba3d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fe4214a07e0b53d2af711f57519e33739c5df23f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48754", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:13.563", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphylib: fix potential use-after-free\n\nCommit bafbdd527d56 (\"phylib: Add device reset GPIO support\") added call\nto phy_device_reset(phydev) after the put_device() call in phy_detach().\n\nThe comment before the put_device() call says that the phydev might go\naway with put_device().\n\nFix potential use-after-free by calling phy_device_reset() before\nput_device()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: phylib: corrige el posible use-after-free. Commit bafbdd527d56 (\"phylib: agregue soporte GPIO para restablecer el dispositivo\") se agreg\u00f3 una llamada a phy_device_reset(phydev) despu\u00e9s de la llamada put_device() en phy_detach( ). El comentario antes de la llamada put_device() dice que phydev podr\u00eda desaparecer con put_device(). Solucione el posible use-after-free llamando a phy_device_reset() antes de put_device()."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/67d271760b037ce0806d687ee6057edc8afd4205", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aefaccd19379d6c4620269a162bfb88ff687f289", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bd024e36f68174b1793906c39ca16cee0c9295c2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cb2fab10fc5e7a3aa1bb0a68a3abdcf3e37852af", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cbda1b16687580d5beee38273f6241ae3725960c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f39027cbada43b33566c312e6be3db654ca3ad17", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48755", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:13.653", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06\n\nJohan reported the below crash with test_bpf on ppc64 e5500:\n\n test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1\n Oops: Exception in kernel mode, sig: 4 [#1]\n BE PAGE_SIZE=4K SMP NR_CPUS=24 QEMU e500\n Modules linked in: test_bpf(+)\n CPU: 0 PID: 76 Comm: insmod Not tainted 5.14.0-03771-g98c2059e008a-dirty #1\n NIP: 8000000000061c3c LR: 80000000006dea64 CTR: 8000000000061c18\n REGS: c0000000032d3420 TRAP: 0700 Not tainted (5.14.0-03771-g98c2059e008a-dirty)\n MSR: 0000000080089000 CR: 88002822 XER: 20000000 IRQMASK: 0\n <...>\n NIP [8000000000061c3c] 0x8000000000061c3c\n LR [80000000006dea64] .__run_one+0x104/0x17c [test_bpf]\n Call Trace:\n .__run_one+0x60/0x17c [test_bpf] (unreliable)\n .test_bpf_init+0x6a8/0xdc8 [test_bpf]\n .do_one_initcall+0x6c/0x28c\n .do_init_module+0x68/0x28c\n .load_module+0x2460/0x2abc\n .__do_sys_init_module+0x120/0x18c\n .system_call_exception+0x110/0x1b8\n system_call_common+0xf0/0x210\n --- interrupt: c00 at 0x101d0acc\n <...>\n ---[ end trace 47b2bf19090bb3d0 ]---\n\n Illegal instruction\n\nThe illegal instruction turned out to be 'ldbrx' emitted for\nBPF_FROM_[L|B]E, which was only introduced in ISA v2.06. Guard use of\nthe same and implement an alternative approach for older processors."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: powerpc64/bpf: Limite 'ldbrx' a procesadores compatibles con ISA v2.06 Johan inform\u00f3 el siguiente fallo con test_bpf en ppc64 e5500: test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1 Ups: Excepci\u00f3n en modo kernel, sign: 4 [#1] BE PAGE_SIZE=4K SMP NR_CPUS=24 M\u00f3dulos QEMU e500 vinculados en: test_bpf(+) CPU: 0 PID: 76 Comm: insmod Not tainted 5.14.0- 03771-g98c2059e008a-dirty #1 NIP: 8000000000061c3c LR: 80000000006dea64 CTR: 8000000000061c18 REGS: c0000000032d3420 TRAP: 0700 No contaminado (5.14.0-0 3771-g98c2059e008a-dirty) MSR: 0000000080089000 CR: 88002822 XER: 20000000 IRQMASK : 0 <...> NIP [8000000000061c3c] 0x8000000000061c3c LR [80000000006dea64] .__run_one+0x104/0x17c [test_bpf] Seguimiento de llamadas: .__run_one+0x60/0x17c [test_bpf] (no confiable). test_bpf_init+0x6a8/0xdc8 [test_bpf] . do_one_initcall+0x6c/0x28c .do_init_module+0x68/0x28c .load_module+0x2460/0x2abc .__do_sys_init_module+0x120/0x18c .system_call_exception+0x110/0x1b8 system_call_common+0xf0/0x210 --- interrupci\u00f3n : c00 en 0x101d0acc <...> --- [ end trace 47b2bf19090bb3d0 ]--- Instrucci\u00f3n ilegal La instrucci\u00f3n ilegal result\u00f3 ser 'ldbrx' emitida para BPF_FROM_[L|B]E, que solo se introdujo en ISA v2.06. Proteger el uso de los mismos e implementar un enfoque alternativo para procesadores m\u00e1s antiguos."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/129c71829d7f46423d95c19e8d87ce956d4c6e1c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3bfbc00587dc883eaed383558ae512a351c2cd09", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3f5f766d5f7f95a69a630da3544a1a0cee1cdddf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aaccfeeee1630b155e8ff0d6c449d3de1ef86e73", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48756", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:13.740", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dsi: invalid parameter check in msm_dsi_phy_enable\n\nThe function performs a check on the \"phy\" input parameter, however, it\nis used before the check.\n\nInitialize the \"dev\" variable after the sanity check to avoid a possible\nNULL pointer dereference.\n\nAddresses-Coverity-ID: 1493860 (\"Null pointer dereference\")"}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: drm/msm/dsi: comprobaci\u00f3n de par\u00e1metro no v\u00e1lido en msm_dsi_phy_enable La funci\u00f3n realiza una comprobaci\u00f3n del par\u00e1metro de entrada \"phy\", sin embargo, se utiliza antes de la comprobaci\u00f3n. Inicialice la variable \"dev\" despu\u00e9s de la verificaci\u00f3n de cordura para evitar una posible desreferencia del puntero NULL. Direcciones-Coverity-ID: 1493860 (\"Desreferencia de puntero nulo\")"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2b7e7df1eacd280e561ede3e977853606871c951", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/56480fb10b976581a363fd168dc2e4fbee87a1a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/581317b1f001b7509041544d7019b75571daa100", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5e761a2287234bc402ba7ef07129f5103bcd775c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6d9f8ba28f3747ca0f910a363e46f1114856dbbe", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/79c0b5287ded74f4eacde4dfd8aa0a76cbd853b5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ca63eeb70fcb53c42e1fe54e1735a54d8e7759fd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48757", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:13.823", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix information leakage in /proc/net/ptype\n\nIn one net namespace, after creating a packet socket without binding\nit to a device, users in other net namespaces can observe the new\n`packet_type` added by this packet socket by reading `/proc/net/ptype`\nfile. This is minor information leakage as packet socket is\nnamespace aware.\n\nAdd a net pointer in `packet_type` to keep the net namespace of\nof corresponding packet socket. In `ptype_seq_show`, this net pointer\nmust be checked when it is not NULL."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: corrige la fuga de informaci\u00f3n en /proc/net/ptype en un espacio de nombres de red, despu\u00e9s de crear un socket de paquetes sin vincularlo a un dispositivo, los usuarios de otros espacios de nombres de red pueden observar la nueva `packet_type` agregado por este socket de paquete leyendo el archivo `/proc/net/ptype`. Esta es una fuga de informaci\u00f3n menor ya que el socket del paquete reconoce el espacio de nombres. Agregue un puntero de red en `packet_type` para mantener el espacio de nombres de red del socket de paquete correspondiente. En `ptype_seq_show`, este puntero de red debe verificarse cuando no sea NULL."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/47934e06b65637c88a762d9c98329ae6e3238888", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/839ec7039513a4f84bfbaff953a9393471176bee", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8f88c78d24f6f346919007cd459fd7e51a8c7779", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b67ad6170c0ea87391bb253f35d1f78857736e54", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/be1ca30331c7923c6f376610c1bd6059be9b1908", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c38023032a598ec6263e008d62c7f02def72d5c7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/db044d97460ea792110eb8b971e82569ded536c6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e372ecd455b6ebc7720f52bf4b5f5d44d02f2092", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e43669c77cb3a742b7d84ecdc7c68c4167a7709b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48758", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:13.927", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()\n\nThe bnx2fc_destroy() functions are removing the interface before calling\ndestroy_work. This results multiple WARNings from sysfs_remove_group() as\nthe controller rport device attributes are removed too early.\n\nReplace the fcoe_port's destroy_work queue. It's not needed.\n\nThe problem is easily reproducible with the following steps.\n\nExample:\n\n $ dmesg -w &\n $ systemctl enable --now fcoe\n $ fipvlan -s -c ens2f1\n $ fcoeadm -d ens2f1.802\n [ 583.464488] host2: libfc: Link down on port (7500a1)\n [ 583.472651] bnx2fc: 7500a1 - rport not created Yet!!\n [ 583.490468] ------------[ cut here ]------------\n [ 583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0'\n [ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80\n [ 583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ...\n [ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1\n [ 583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013\n [ 584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc]\n [ 584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80\n [ 584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ...\n [ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282\n [ 584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000\n [ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0\n [ 584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00\n [ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400\n [ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004\n [ 584.355379] FS: 0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000\n [ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0\n [ 584.454888] Call Trace:\n [ 584.466108] device_del+0xb2/0x3e0\n [ 584.481701] device_unregister+0x13/0x60\n [ 584.501306] bsg_unregister_queue+0x5b/0x80\n [ 584.522029] bsg_remove_queue+0x1c/0x40\n [ 584.541884] fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc]\n [ 584.573823] process_one_work+0x1e3/0x3b0\n [ 584.592396] worker_thread+0x50/0x3b0\n [ 584.609256] ? rescuer_thread+0x370/0x370\n [ 584.628877] kthread+0x149/0x170\n [ 584.643673] ? set_kthread_struct+0x40/0x40\n [ 584.662909] ret_from_fork+0x22/0x30\n [ 584.680002] ---[ end trace 53575ecefa942ece ]---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: bnx2fc: Vaciar la cola destroy_work antes de llamar a bnx2fc_interface_put() Las funciones bnx2fc_destroy() eliminan la interfaz antes de llamar a destroy_work. Esto genera m\u00faltiples ADVERTENCIAS de sysfs_remove_group() ya que los atributos del dispositivo de informe del controlador se eliminan demasiado pronto. Reemplace la cola destroy_work de fcoe_port. No es necesario. El problema es f\u00e1cilmente reproducible con los siguientes pasos. Ejemplo: $ dmesg -w & $ systemctl enable --now fcoe $ fipvlan -s -c ens2f1 $ fcoeadm -d ens2f1.802 [ 583.464488] host2: libfc: Enlace ca\u00eddo en el puerto (7500a1) [ 583.472651] bnx2fc: 7500a1 - rport \u00a1\u00a1A\u00fan no creado!! [583.490468] ------------[ cortar aqu\u00ed ]------------ [ 583.538725] grupo sysfs 'power' no encontrado para kobject 'rport-2:0- 0' [583.568814] ADVERTENCIA: CPU: 3 PID: 192 en fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80 [583.607130] M\u00f3dulos vinculados en: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio ss_krb5 auth_rpcgss nfsv4 ... [ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: cargado No contaminado 5.14.0-39.el9.x86_64 #1 [ 583.984105] Nombre de hardware: HP ProLiant DL120 G7, BIOS J01 01/07/2013 [ 584.016535] Cola de trabajo: fc_wq_2 fc_rport_final_delete [scsi_transport_fc] [ 584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80 [ 584.074725] C\u00f3digo: ff 5b 48 89 ef 5d 41 c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ... [ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282 [ 584.188225] RAX: 0000000000000000 RBX: 4220 RCX: 0000000000000000 [ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0 [ 584.255089 ] RBP: 0000000000000000 R08: 00000000000000000 R09: ffffb567c15afc00 [ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: 6400 [ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004 [ 584.355379] FS: 0000000000000000(0000) 6cc0000(0000) knlGS :0000000000000000 [ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0 [ 584.454888] Seguimiento de llamadas: [ 584.466108] dispositivo_del+0xb2/0x3e0 [ 584.481701] dispositivo_unregister+0x13/ 0x60 [ 584.501306] bsg_unregister_queue+0x5b/0x80 [ 584.522029] bsg_remove_queue+0x1c/0x40 [ 584.541884] fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc] [ 3823] proceso_one_work+0x1e3/0x3b0 [ 584.592396] hilo_trabajador+0x50/0x3b0 [ 584.609256] ? hilo_rescate+0x370/0x370 [ 584.628877] kthread+0x149/0x170 [ 584.643673] ? set_kthread_struct+0x40/0x40 [ 584.662909] ret_from_fork+0x22/0x30 [ 584.680002] ---[ final de seguimiento 53575ecefa942ece ]---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/00849de10f798a9538242824a51b1756e7110754", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/262550f29c750f7876b6ed1244281e72b64ebffb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2a12fe8248a38437b95b942bbe85aced72e6e2eb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/847f9ea4c5186fdb7b84297e3eeed9e340e83fce", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ace7b6ef41251c5fe47f629a9a922382fb7b0a6b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b11e34f7bab21df36f02a5e54fb69e858c09a65d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bf2bd892a0cb14dd2d21f2c658f4b747813be311", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c93a290c862ccfa404e42d7420565730d67cbff9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/de6336b17a1376db1c0f7a528cce8783db0881c0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48759", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:14.023", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev\n\nstruct rpmsg_ctrldev contains a struct cdev. The current code frees\nthe rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the\ncdev is a managed object, therefore its release is not predictable\nand the rpmsg_ctrldev could be freed before the cdev is entirely\nreleased, as in the backtrace below.\n\n[ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c\n[ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0\n[ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v\n[ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26\n[ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT)\n[ 93.730055] Workqueue: events kobject_delayed_cleanup\n[ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO)\n[ 93.740216] pc : debug_print_object+0x13c/0x1b0\n[ 93.744890] lr : debug_print_object+0x13c/0x1b0\n[ 93.749555] sp : ffffffacf5bc7940\n[ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000\n[ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000\n[ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000\n[ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0\n[ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0\n[ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0\n[ 93.785814] x17: 0000000000000000 x16: dfffffd000000000\n[ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c\n[ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000\n[ 93.802244] x11: 0000000000000001 x10: 0000000000000000\n[ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900\n[ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000\n[ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000\n[ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001\n[ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061\n[ 93.835104] Call trace:\n[ 93.837644] debug_print_object+0x13c/0x1b0\n[ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0\n[ 93.846987] debug_check_no_obj_freed+0x18/0x20\n[ 93.851669] slab_free_freelist_hook+0xbc/0x1e4\n[ 93.856346] kfree+0xfc/0x2f4\n[ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8\n[ 93.864445] device_release+0x84/0x168\n[ 93.868310] kobject_cleanup+0x12c/0x298\n[ 93.872356] kobject_delayed_cleanup+0x10/0x18\n[ 93.876948] process_one_work+0x578/0x92c\n[ 93.881086] worker_thread+0x804/0xcf8\n[ 93.884963] kthread+0x2a8/0x314\n[ 93.888303] ret_from_fork+0x10/0x18\n\nThe cdev_device_add/del() API was created to address this issue (see\ncommit '233ed09d7fda (\"chardev: add helper function to register char\ndevs with a struct device\")'), use it instead of cdev add/del()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rpmsg: char: corrige la ejecuci\u00f3n entre el lanzamiento de rpmsg_ctrldev y cdev struct rpmsg_ctrldev contiene una estructura cdev. El c\u00f3digo actual libera la estructura rpmsg_ctrldev en rpmsg_ctrldev_release_device(), pero el cdev es un objeto administrado, por lo tanto su liberaci\u00f3n no es predecible y rpmsg_ctrldev podr\u00eda liberarse antes de que el cdev se libere por completo, como se muestra en el seguimiento a continuaci\u00f3n. [ 93.625603] ODEBUG: tipo de objeto activo libre (estado activo 0): timer_list sugerencia: retardado_work_timer_fn+0x0/0x7c [ 93.636115] ADVERTENCIA: CPU: 0 PID: 12 en lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0 [ 93.644799 ] M\u00f3dulos vinculados en: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_al arm snd_soc_rt5682v [93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Contaminado: GB 5.4.163-lockdep #26 [93.723855] Nombre del hardware: Google Lazor (rev3 - 8) con LTE (DT) [93.730055] Cola de trabajo: eventos kobject_delayed_cleanup [93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO) [93.740216] pc: debug_print_object+0x 13c/ 0x1b0 [93.744890] lr: debug_print_object+0x13c/0x1b0 [93.749555] sp: ffffffacf5bc7940 [93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000 [93.758448] 27: fffffacdb11a800 x26: dfffffd000000000 [ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000 [ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0 [ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0 [ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0 [ 93.78 5814] x17: 0000000000000000 x16: dfffffd000000000 [ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c [ 93.796768] x13: 00000000000000000 x 12: ffffffd075e2b000 [ 93.802244 ] x11: 0000000000000001 x10: 0000000000000000 [ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900 [ 93.813200] x7 : 000000000000000 0 x6: 0000000000000000 [93.818676] x5: 0000000000000080 x4: 0000000000000000 [93.824152] x3: ffffffd0732a0fa4 x2: 0000000000000001 [9 3.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061 [93.835104] Rastreo de llamadas: [93.837644] debug_print_object+0x13c/0x1b0 [93.841963] __debug_check_no_obj_freed+0x25c/0x3c0 [93.846987] _freed+0x18/0x20 [ 93.851669] slab_free_freelist_hook+0xbc/0x1e4 [ 93.856346] kfree+0xfc/0x2f4 [ 93.859416 ] rpmsg_ctrldev_release_device+0x78/0xb8 [ 93.864445] device_release+0x84/0x168 [ 93.868310] kobject_cleanup+0x12c/0x298 [ 93.872356] kobject_delayed_cleanup+0x10/0x18 [ 93.87694 8] proceso_one_work+0x578/0x92c [ 93.881086] hilo_trabajador+0x804/0xcf8 [ 93.884963] kthread +0x2a8/0x314 [ 93.888303] ret_from_fork+0x10/0x18 La API cdev_device_add/del() se cre\u00f3 para solucionar este problema (consulte el commit '233ed09d7fda (\"chardev: agregar funci\u00f3n auxiliar para registrar desarrolladores de caracteres con un dispositivo de estructura\")'), \u00daselo en lugar de cdev add/del()."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1dbb206730f3e5ce90014ad569ddf8167ec4124a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/70cb4295ec806b663665e1d2ed15caab6159880e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/74d85e9fbc7022a4011102c7474a9c7aeb704a35", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/85aba11a8ea92a8eef2de95ebbe063086fd62d9c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b7fb2dad571d1e21173c06cef0bced77b323990a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d6cdc6ae542845d4d0ac8b6d99362bde7042a3c7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/da27b834c1e0222e149e06caddf7718478086d1b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48760", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:14.110", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix hang in usb_kill_urb by adding memory barriers\n\nThe syzbot fuzzer has identified a bug in which processes hang waiting\nfor usb_kill_urb() to return. It turns out the issue is not unlinking\nthe URB; that works just fine. Rather, the problem arises when the\nwakeup notification that the URB has completed is not received.\n\nThe reason is memory-access ordering on SMP systems. In outline form,\nusb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on\ndifferent CPUs perform the following actions:\n\nCPU 0\t\t\t\t\tCPU 1\n----------------------------\t\t---------------------------------\nusb_kill_urb():\t\t\t\t__usb_hcd_giveback_urb():\n ...\t\t\t\t\t ...\n atomic_inc(&urb->reject);\t\t atomic_dec(&urb->use_count);\n ...\t\t\t\t\t ...\n wait_event(usb_kill_urb_queue,\n\tatomic_read(&urb->use_count) == 0);\n\t\t\t\t\t if (atomic_read(&urb->reject))\n\t\t\t\t\t\twake_up(&usb_kill_urb_queue);\n\nConfining your attention to urb->reject and urb->use_count, you can\nsee that the overall pattern of accesses on CPU 0 is:\n\n\twrite urb->reject, then read urb->use_count;\n\nwhereas the overall pattern of accesses on CPU 1 is:\n\n\twrite urb->use_count, then read urb->reject.\n\nThis pattern is referred to in memory-model circles as SB (for \"Store\nBuffering\"), and it is well known that without suitable enforcement of\nthe desired order of accesses -- in the form of memory barriers -- it\nis entirely possible for one or both CPUs to execute their reads ahead\nof their writes. The end result will be that sometimes CPU 0 sees the\nold un-decremented value of urb->use_count while CPU 1 sees the old\nun-incremented value of urb->reject. Consequently CPU 0 ends up on\nthe wait queue and never gets woken up, leading to the observed hang\nin usb_kill_urb().\n\nThe same pattern of accesses occurs in usb_poison_urb() and the\nfailure pathway of usb_hcd_submit_urb().\n\nThe problem is fixed by adding suitable memory barriers. To provide\nproper memory-access ordering in the SB pattern, a full barrier is\nrequired on both CPUs. The atomic_inc() and atomic_dec() accesses\nthemselves don't provide any memory ordering, but since they are\npresent, we can use the optimized smp_mb__after_atomic() memory\nbarrier in the various routines to obtain the desired effect.\n\nThis patch adds the necessary memory barriers."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: USB: core: corrige el bloqueo en usb_kill_urb agregando barreras de memoria el syzbot fuzzer ha identificado un error en el que los procesos se bloquean esperando que regrese usb_kill_urb(). Resulta que el problema no es desvincular la URB; eso funciona bien. M\u00e1s bien, el problema surge cuando no se recibe la notificaci\u00f3n de activaci\u00f3n de que la URB ha completado. El motivo son los pedidos de acceso a la memoria en los sistemas SMP. En forma resumida, usb_kill_urb() y __usb_hcd_giveback_urb() operando simult\u00e1neamente en diferentes CPU realizan las siguientes acciones: CPU 0 CPU 1 ------------------------- --- --------------------------------- usb_kill_urb(): __usb_hcd_giveback_urb(): ... ... atomic_inc(&urb->rechazar); atomic_dec(&urb->use_count); ... ... wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0); if (atomic_read(&urb->reject)) wake_up(&usb_kill_urb_queue); Limitando su atenci\u00f3n a urb->reject y urb->use_count, puede ver que el patr\u00f3n general de accesos en la CPU 0 es: escribir urb->reject, luego leer urb->use_count; mientras que el patr\u00f3n general de accesos en la CPU 1 es: escribir urb->use_count, luego leer urb->reject. En los c\u00edrculos de modelos de memoria se hace referencia a este patr\u00f3n como SB (por \"Store Buffering\"), y es bien sabido que sin una aplicaci\u00f3n adecuada del orden deseado de accesos (en forma de barreras de memoria) es completamente posible que una o ambas CPU para ejecutar sus lecturas antes de sus escrituras. El resultado final ser\u00e1 que a veces la CPU 0 ve el antiguo valor no incrementado de urb->use_count mientras que la CPU 1 ve el antiguo valor no incrementado de urb->reject. En consecuencia, la CPU 0 termina en la cola de espera y nunca se activa, lo que provoca el bloqueo observado en usb_kill_urb(). El mismo patr\u00f3n de accesos ocurre en usb_poison_urb() y la ruta de falla de usb_hcd_submit_urb(). El problema se soluciona agregando barreras de memoria adecuadas. Para proporcionar un orden adecuado de acceso a la memoria en el patr\u00f3n SB, se requiere una barrera completa en ambas CPU. Los accesos atomic_inc() y atomic_dec() en s\u00ed no proporcionan ning\u00fan orden de memoria, pero como est\u00e1n presentes, podemos usar la barrera de memoria optimizada smp_mb__after_atomic() en las distintas rutinas para obtener el efecto deseado. Este parche agrega las barreras de memoria necesarias."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/26fbe9772b8c459687930511444ce443011f86bf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/546ba238535d925254e0b3f12012a5c55801e2f3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5904dfd3ddaff3bf4a41c3baf0a8e8f31ed4599b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5f138ef224dffd15d5e5c5b095859719e0038427", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9340226388c66a7e090ebb00e91ed64a753b6c26", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9c61fce322ac2ef7fecf025285353570d60e41d6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b50f5ca60475710bbc9a3af32fbfc17b1e69c2f0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c9a18f7c5b071dce5e6939568829d40994866ab0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e3b131e30e612ff0e32de6c1cb4f69f89db29193", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48761", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:14.203", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci-plat: fix crash when suspend if remote wake enable\n\nCrashed at i.mx8qm platform when suspend if enable remote wakeup\n\nInternal error: synchronous external abort: 96000210 [#1] PREEMPT SMP\nModules linked in:\nCPU: 2 PID: 244 Comm: kworker/u12:6 Not tainted 5.15.5-dirty #12\nHardware name: Freescale i.MX8QM MEK (DT)\nWorkqueue: events_unbound async_run_entry_fn\npstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : xhci_disable_hub_port_wake.isra.62+0x60/0xf8\nlr : xhci_disable_hub_port_wake.isra.62+0x34/0xf8\nsp : ffff80001394bbf0\nx29: ffff80001394bbf0 x28: 0000000000000000 x27: ffff00081193b578\nx26: ffff00081193b570 x25: 0000000000000000 x24: 0000000000000000\nx23: ffff00081193a29c x22: 0000000000020001 x21: 0000000000000001\nx20: 0000000000000000 x19: ffff800014e90490 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000000 x13: 0000000000000002 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000960 x9 : ffff80001394baa0\nx8 : ffff0008145d1780 x7 : ffff0008f95b8e80 x6 : 000000001853b453\nx5 : 0000000000000496 x4 : 0000000000000000 x3 : ffff00081193a29c\nx2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff000814591620\nCall trace:\n xhci_disable_hub_port_wake.isra.62+0x60/0xf8\n xhci_suspend+0x58/0x510\n xhci_plat_suspend+0x50/0x78\n platform_pm_suspend+0x2c/0x78\n dpm_run_callback.isra.25+0x50/0xe8\n __device_suspend+0x108/0x3c0\n\nThe basic flow:\n\t1. run time suspend call xhci_suspend, xhci parent devices gate the clock.\n 2. echo mem >/sys/power/state, system _device_suspend call xhci_suspend\n 3. xhci_suspend call xhci_disable_hub_port_wake, which access register,\n\t but clock already gated by run time suspend.\n\nThis problem was hidden by power domain driver, which call run time resume before it.\n\nBut the below commit remove it and make this issue happen.\n\tcommit c1df456d0f06e (\"PM: domains: Don't runtime resume devices at genpd_prepare()\")\n\nThis patch call run time resume before suspend to make sure clock is on\nbefore access register.\n\nTesteb-by: Abel Vesa "}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: usb: xhci-plat: corrige el bloqueo al suspender si se habilita la activaci\u00f3n remota. Fall\u00f3 en la plataforma i.mx8qm al suspender si se habilita la activaci\u00f3n remota. Error interno: aborto externo sincr\u00f3nico: 96000210 [#1] PREEMPT M\u00f3dulos SMP vinculados en: CPU: 2 PID: 244 Comm: kworker/u12:6 Not tainted 5.15.5-dirty #12 Nombre del hardware: Freescale i.MX8QM MEK (DT) Cola de trabajo: events_unbound async_run_entry_fn pstate: 600000c5 (nZCv daIF - PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc: xhci_disable_hub_port_wake.isra.62+0x60/0xf8 lr: xhci_disable_hub_port_wake.isra.62+0x34/0xf8 sp: ffff80001394bbf0 x29: ffff80001394bbf0 x28: 0000000000000000 x27: ffff00081193b578 x26: ffff00081193b570 x25: 0000000000000000 x24: 0000000000000000 x23: ffff00081193a29c x22: 0000000000020001 x21: 0000000000000001 x20: 0000000000000000 x19: ffff800014e90490 x18: 000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000002 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000960 x9 : ffff80001394baa0 x8 : ffff0008145d1780 x7 : ffff0008f95b8e80 x6 : 000000001853b453 x5 : 0000000000000496 x4 : 0000000000000000 x3 : ffff000811 93a29c x2: 0000000000000001 x1: 0000000000000000 x0: ffff000814591620 Rastreo de llamadas: xhci_disable_hub_port_wake.isra.62+0x60/0xf8 xhci_suspend+0x58/0x510 0x50/ 0x78 platform_pm_suspend+0x2c/0x78 dpm_run_callback.isra.25+0x50/0xe8 __device_suspend+0x108/0x3c0 El flujo b\u00e1sico: 1. llamada de suspensi\u00f3n en tiempo de ejecuci\u00f3n xhci_suspend, los dispositivos principales xhci controlan el reloj. 2. echo mem >/sys/power/state, system _device_suspend llama a xhci_suspend 3. xhci_suspend llama a xhci_disable_hub_port_wake, que accede al registro, pero el reloj ya est\u00e1 cerrado por la suspensi\u00f3n del tiempo de ejecuci\u00f3n. Este problema fue ocultado por el controlador de dominio de energ\u00eda, que solicita la reanudaci\u00f3n del tiempo de ejecuci\u00f3n antes. Pero el siguiente compromiso lo elimina y hace que este problema suceda. commit c1df456d0f06e (\"PM: dominios: no reanudar el tiempo de ejecuci\u00f3n de los dispositivos en genpd_prepare()\") Este parche llama al tiempo de ejecuci\u00f3n para reanudar antes de la suspensi\u00f3n para asegurarse de que el reloj est\u00e9 encendido antes del registro de acceso. Testeb-by: Abel Vesa "}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/20c51a4c52208f98e27308c456a1951778f41fa5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8b05ad29acb972850ad795fa850e814b2e758b83", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9df478463d9feb90dae24f183383961cf123a0ec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d5755832a1e47f5d8773f0776e211ecd4e02da72", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48762", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:14.287", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: extable: fix load_unaligned_zeropad() reg indices\n\nIn ex_handler_load_unaligned_zeropad() we erroneously extract the data and\naddr register indices from ex->type rather than ex->data. As ex->type will\ncontain EX_TYPE_LOAD_UNALIGNED_ZEROPAD (i.e. 4):\n * We'll always treat X0 as the address register, since EX_DATA_REG_ADDR is\n extracted from bits [9:5]. Thus, we may attempt to dereference an\n arbitrary address as X0 may hold an arbitrary value.\n * We'll always treat X4 as the data register, since EX_DATA_REG_DATA is\n extracted from bits [4:0]. Thus we will corrupt X4 and cause arbitrary\n behaviour within load_unaligned_zeropad() and its caller.\n\nFix this by extracting both values from ex->data as originally intended.\n\nOn an MTE-enabled QEMU image we are hitting the following crash:\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Call trace:\n fixup_exception+0xc4/0x108\n __do_kernel_fault+0x3c/0x268\n do_tag_check_fault+0x3c/0x104\n do_mem_abort+0x44/0xf4\n el1_abort+0x40/0x64\n el1h_64_sync_handler+0x60/0xa0\n el1h_64_sync+0x7c/0x80\n link_path_walk+0x150/0x344\n path_openat+0xa0/0x7dc\n do_filp_open+0xb8/0x168\n do_sys_openat2+0x88/0x17c\n __arm64_sys_openat+0x74/0xa0\n invoke_syscall+0x48/0x148\n el0_svc_common+0xb8/0xf8\n do_el0_svc+0x28/0x88\n el0_svc+0x24/0x84\n el0t_64_sync_handler+0x88/0xec\n el0t_64_sync+0x1b4/0x1b8\n Code: f8695a69 71007d1f 540000e0 927df12a (f940014a)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64: extable: corrige los \u00edndices de registro load_unaligned_zeropad() En ex_handler_load_unaligned_zeropad() extraemos err\u00f3neamente los datos y los \u00edndices de registro de direcciones de ex->type en lugar de ex->data. Como ex->type contendr\u00e1 EX_TYPE_LOAD_UNALIGNED_ZEROPAD (es decir, 4): * Siempre trataremos a X0 como el registro de direcci\u00f3n, ya que EX_DATA_REG_ADDR se extrae de los bits [9:5]. Por lo tanto, podemos intentar eliminar la referencia a una direcci\u00f3n arbitraria ya que X0 puede tener un valor arbitrario. * Siempre trataremos a X4 como el registro de datos, ya que EX_DATA_REG_DATA se extrae de los bits [4:0]. Por lo tanto, corromperemos X4 y provocaremos un comportamiento arbitrario dentro de load_unaligned_zeropad() y su llamador. Solucione este problema extrayendo ambos valores de ex->data como se pretend\u00eda originalmente. En una imagen QEMU habilitada para MTE, nos encontramos con el siguiente bloqueo: No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\u00f3n virtual 0000000000000000 Rastreo de llamadas: fixup_exception+0xc4/0x108 __do_kernel_fault+0x3c/0x268 do_tag_check_fault+0x3c/0x104 do_mem_abort+0x44/0 xf4 el1_abort+ 0x40/0x64 el1h_64_sync_handler+0x60/0xa0 el1h_64_sync+0x7c/0x80 link_path_walk+0x150/0x344 path_openat+0xa0/0x7dc do_filp_open+0xb8/0x168 do_sys_openat2+0x88/0x17c __arm64_s ys_openat+0x74/0xa0 invoke_syscall+0x48/0x148 el0_svc_common+0xb8/0xf8 do_el0_svc+ 0x28/0x88 el0_svc+0x24/0x84 el0t_64_sync_handler+0x88/0xec el0t_64_sync+0x1b4/0x1b8 C\u00f3digo: f8695a69 71007d1f 540000e0 927df12a (f940014a)"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3758a6c74e08bdc15ccccd6872a6ad37d165239a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/47fe7a1c5e3e011eeb4ab79f2d54a794fdd1c3eb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48763", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:14.363", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Forcibly leave nested virt when SMM state is toggled\n\nForcibly leave nested virtualization operation if userspace toggles SMM\nstate via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS. If userspace\nforces the vCPU out of SMM while it's post-VMXON and then injects an SMI,\nvmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both\nvmxon=false and smm.vmxon=false, but all other nVMX state allocated.\n\nDon't attempt to gracefully handle the transition as (a) most transitions\nare nonsencial, e.g. forcing SMM while L2 is running, (b) there isn't\nsufficient information to handle all transitions, e.g. SVM wants access\nto the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede\nKVM_SET_NESTED_STATE during state restore as the latter disallows putting\nthe vCPU into L2 if SMM is active, and disallows tagging the vCPU as\nbeing post-VMXON in SMM if SMM is not active.\n\nAbuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX\ndue to failure to free vmcs01's shadow VMCS, but the bug goes far beyond\njust a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU\nin an architecturally impossible state.\n\n WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]\n WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656\n Modules linked in:\n CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]\n RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656\n Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00\n Call Trace:\n \n kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123\n kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline]\n kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460\n kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline]\n kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676\n kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline]\n kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250\n kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273\n __fput+0x286/0x9f0 fs/file_table.c:311\n task_work_run+0xdd/0x1a0 kernel/task_work.c:164\n exit_task_work include/linux/task_work.h:32 [inline]\n do_exit+0xb29/0x2a30 kernel/exit.c:806\n do_group_exit+0xd2/0x2f0 kernel/exit.c:935\n get_signal+0x4b0/0x28c0 kernel/signal.c:2862\n arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868\n handle_signal_work kernel/entry/common.c:148 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:172 [inline]\n exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207\n __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]\n syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300\n do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n "}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: KVM: x86: abandonar por la fuerza la virt anidada cuando se alterna el estado de SMM. Dejar por la fuerza la operaci\u00f3n de virtualizaci\u00f3n anidada si el espacio de usuario alterna el estado de SMM mediante KVM_SET_VCPU_EVENTS o KVM_SYNC_X86_EVENTS. Si el espacio de usuario fuerza a la vCPU a salir de SMM mientras es posterior a VMXON y luego inyecta un SMI, vmx_enter_smm() sobrescribir\u00e1 vmx->nested.smm.vmxon y terminar\u00e1 con vmxon=false y smm.vmxon=false, pero todos los dem\u00e1s Estado nVMX asignado. No intente manejar la transici\u00f3n con elegancia ya que (a) la mayor\u00eda de las transiciones no tienen sentido, por ejemplo, forzar SMM mientras se ejecuta L2, (b) no hay suficiente informaci\u00f3n para manejar todas las transiciones, por ejemplo, SVM quiere acceder al estado de guardado de SMRAM, y (c) KVM_SET_VCPU_EVENTS debe preceder a KVM_SET_NESTED_STATE durante la restauraci\u00f3n del estado, ya que este \u00faltimo no permite colocar la vCPU en L2 si SMM est\u00e1 activo y no permite etiquetar la vCPU como posterior a VMXON en SMM si SMM no est\u00e1 activo. El abuso de KVM_SET_VCPU_EVENTS se manifiesta como una ADVERTENCIA y una p\u00e9rdida de memoria en nVMX debido a una falla al liberar el VMCS oculto de vmcs01, pero el error va mucho m\u00e1s all\u00e1 de una simple p\u00e9rdida de memoria; por ejemplo, activar SMM mientras L2 est\u00e1 activo coloca la vCPU en un estado arquitect\u00f3nicamente imposible. ADVERTENCIA: CPU: 0 PID: 3606 en free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [en l\u00ednea] ADVERTENCIA: CPU: 0 PID: 3606 en free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx. c:2656 M\u00f3dulos vinculados en: CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [en l\u00ednea] RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 C\u00f3digo: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00 Seguimiento de llamadas: kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123 kvm_vcpu_destroy arch/x86/kvm/../. ./../virt/kvm/kvm_main.c:441 [en l\u00ednea] kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460 kvm_free_vcpus arch/x86 /kvm/x86.c:11564 [en l\u00ednea] kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c :1217 [en l\u00ednea] kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250 kvm_vm_release+0x3f/0x50 arch/x86/kvm/../.. /../virt/kvm/kvm_main.c:1273 __fput+0x286/0x9f0 fs/file_table.c:311 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [en l\u00ednea] do_exit+0xb29/0x2a30 kernel/exit.c:806 do_group_exit+0xd2/0x2f0 kernel/exit.c:935 get_signal+0x4b0/0x28c0 kernel/signal.c:2862 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c :868 handle_signal_work kernel/entry/common.c:148 [en l\u00ednea] exit_to_user_mode_loop kernel/entry/common.c:172 [en l\u00ednea] exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c :289 [en l\u00ednea] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 Entry_SYSCALL_64_after_hwframe+0x44/0xae "}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/080dbe7e9b86a0392d8dffc00d9971792afc121f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b4c0d89c92e957ecccce12e66b63875d0cc7af7e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e302786233e6bc512986d007c96458ccf5ca21c7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f7e570780efc5cec9b2ed1e0472a7da14e864fdb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48764", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:14.450", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Free kvm_cpuid_entry2 array on post-KVM_RUN KVM_SET_CPUID{,2}\n\nFree the \"struct kvm_cpuid_entry2\" array on successful post-KVM_RUN\nKVM_SET_CPUID{,2} to fix a memory leak, the callers of kvm_set_cpuid()\nfree the array only on failure.\n\n BUG: memory leak\n unreferenced object 0xffff88810963a800 (size 2048):\n comm \"syz-executor025\", pid 3610, jiffies 4294944928 (age 8.080s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 00 00 ................\n 47 65 6e 75 6e 74 65 6c 69 6e 65 49 00 00 00 00 GenuntelineI....\n backtrace:\n [] kmalloc_node include/linux/slab.h:604 [inline]\n [] kvmalloc_node+0x3e/0x100 mm/util.c:580\n [] kvmalloc include/linux/slab.h:732 [inline]\n [] vmemdup_user+0x22/0x100 mm/util.c:199\n [] kvm_vcpu_ioctl_set_cpuid2+0x8f/0xf0 arch/x86/kvm/cpuid.c:423\n [] kvm_arch_vcpu_ioctl+0xb99/0x1e60 arch/x86/kvm/x86.c:5251\n [] kvm_vcpu_ioctl+0x4ad/0x950 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4066\n [] vfs_ioctl fs/ioctl.c:51 [inline]\n [] __do_sys_ioctl fs/ioctl.c:874 [inline]\n [] __se_sys_ioctl fs/ioctl.c:860 [inline]\n [] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860\n [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [] entry_SYSCALL_64_after_hwframe+0x44/0xae"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: x86: Libere la matriz kvm_cpuid_entry2 en KVM_RUN KVM_SET_CPUID{,2} posterior a KVM_RUN KVM_SET_CPUID{,2} Libere la matriz \"struct kvm_cpuid_entry2\" en KVM_RUN KVM_SET_CPUID{,2} posterior a \u00e9xito para corregir una p\u00e9rdida de memoria , las personas que llaman a kvm_set_cpuid() liberan la matriz solo en caso de falla. ERROR: p\u00e9rdida de memoria, objeto sin referencia 0xffff88810963a800 (size 2048): comm \"syz-executor025\", pid 3610, jiffies 4294944928 (age 8.080s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 00 00 ................ 47 65 6e 75 6e 74 65 6c 69 6e 65 49 00 00 00 00 GenuntelineI.... backtrace: [] kmalloc_node include/linux/slab.h:604 [inline] [] kvmalloc_node+0x3e/0x100 mm/util.c:580 [] kvmalloc include/linux/slab.h:732 [inline] [] vmemdup_user+0x22/0x100 mm/util.c:199 [] kvm_vcpu_ioctl_set_cpuid2+0x8f/0xf0 arch/x86/kvm/cpuid.c:423 [] kvm_arch_vcpu_ioctl+0xb99/0x1e60 arch/x86/kvm/x86.c:5251 [] kvm_vcpu_ioctl+0x4ad/0x950 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4066 [] vfs_ioctl fs/ioctl.c:51 [inline] [] __do_sys_ioctl fs/ioctl.c:874 [inline] [] __se_sys_ioctl fs/ioctl.c:860 [inline] [] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860 [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [] entry_SYSCALL_64_after_hwframe+0x44/0xae "}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/811f95ff95270e6048197821434d9301e3d7f07c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b9ee734a14bb685b2088f2176d82b34cb4e30dbc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48765", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:14.530", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: LAPIC: Also cancel preemption timer during SET_LAPIC\n\nThe below warning is splatting during guest reboot.\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5\n RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n Call Trace:\n \n kvm_vcpu_ioctl+0x279/0x710 [kvm]\n __x64_sys_ioctl+0x83/0xb0\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fd39797350b\n\nThis can be triggered by not exposing tsc-deadline mode and doing a reboot in\nthe guest. The lapic_shutdown() function which is called in sys_reboot path\nwill not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears\nAPIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode\nswitch between tsc-deadline and oneshot/periodic, which can result in preemption\ntimer be cancelled in apic_update_lvtt(). However, We can't depend on this when\nnot exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption\ntimer. Qemu will synchronise states around reset, let's cancel preemption timer\nunder KVM_SET_LAPIC."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: KVM: LAPIC: cancele tambi\u00e9n el temporizador de preferencia durante SET_LAPIC La siguiente advertencia aparece durante el reinicio del invitado. ------------[ cortar aqu\u00ed ]------------ ADVERTENCIA: CPU: 0 PID: 1931 en arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+ 0x874/0x880 [kvm] CPU: 0 PID: 1931 Comm: qemu-system-x86 Contaminado: GI 5.17.0-rc1+ #5 RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm] Seguimiento de llamadas: 79 /0x710 [kvm] __x64_sys_ioctl+0x83/0xb0 do_syscall_64+0x3b/0xc0 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fd39797350b Esto se puede activar al no exponer el modo tsc-deadline y reiniciar el invitado. La funci\u00f3n lapic_shutdown() que se llama en la ruta sys_reboot no desarmar\u00e1 el temporizador de vuelo, simplemente enmascara el LVTT. lapic_shutdown() borra el estado de APIC con LVT_MASKED y el bit del modo de temporizador es 0, esto puede activar el cambio del modo de temporizador entre tsc-deadline y oneshot/peri\u00f3dico, lo que puede provocar que el temporizador de preferencia se cancele en apic_update_lvtt(). Sin embargo, no podemos depender de esto cuando no exponemos el modo tsc-deadline y los modos oneshot/peri\u00f3dico emulados por el temporizador de preferencia. Qemu sincronizar\u00e1 los estados alrededor del reinicio, cancelemos el temporizador de preferencia en KVM_SET_LAPIC."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/35fe7cfbab2e81f1afb23fc4212210b1de6d9633", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/54b3439c8e70e0bcfea59aeef9dd98908cbbf655", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ce55f63f6cea4cab8ae9212f73285648a5baa30d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48766", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:14.617", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wrap dcn301_calculate_wm_and_dlg for FPU.\n\nMirrors the logic for dcn30. Cue lots of WARNs and some\nkernel panics without this fix."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: Wrap dcn301_calculate_wm_and_dlg para FPU. Refleja la l\u00f3gica de dcn30. Sin esta soluci\u00f3n, aparecen muchas ADVERTENCIAS y algunos p\u00e1nicos del kernel."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/25f1488bdbba63415239ff301fe61a8546140d9f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/456ba2433844a6483cc4c933aa8f43d24575e341", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48767", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:14.703", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: properly put ceph_string reference after async create attempt\n\nThe reference acquired by try_prep_async_create is currently leaked.\nEnsure we put it."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ceph: coloque correctamente la referencia ceph_string despu\u00e9s del intento de creaci\u00f3n as\u00edncrona. La referencia adquirida por try_prep_async_create se ha filtrado actualmente. Aseg\u00farate de que lo pongamos."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/36d433ae3242aa714176378850e6d1a5a3e78f18", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/932a9b5870d38b87ba0a9923c804b1af7d3605b9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a0c22e970cd78b81c94691e6cb09713e8074d580", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e7be12ca7d3947765b0d7c1c7e0537e748da993a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48768", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:14.783", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/histogram: Fix a potential memory leak for kstrdup()\n\nkfree() is missing on an error path to free the memory allocated by\nkstrdup():\n\n p = param = kstrdup(data->params[i], GFP_KERNEL);\n\nSo it is better to free it via kfree(p)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rastreo/histograma: corrige una posible p\u00e9rdida de memoria para kstrdup(). Falta kfree() en una ruta de error para liberar la memoria asignada por kstrdup(): p = param = kstrdup( datos->params[i], GFP_KERNEL); Por eso es mejor liberarlo mediante kfree(p)."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/8a8878ebb596281f50fc0b9a6e1f23f0d7f154e8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d71b06aa995007eafd247626d0669b9364c42ad7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/df86e2fe808c3536a9dba353cc2bebdfea00d0cf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e33fa4a46ee22de88a700e2e3d033da8214a5175", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e629e7b525a179e29d53463d992bdee759c950fb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48769", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:14.870", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: runtime: avoid EFIv2 runtime services on Apple x86 machines\n\nAditya reports [0] that his recent MacbookPro crashes in the firmware\nwhen using the variable services at runtime. The culprit appears to be a\ncall to QueryVariableInfo(), which we did not use to call on Apple x86\nmachines in the past as they only upgraded from EFI v1.10 to EFI v2.40\nfirmware fairly recently, and QueryVariableInfo() (along with\nUpdateCapsule() et al) was added in EFI v2.00.\n\nThe only runtime service introduced in EFI v2.00 that we actually use in\nLinux is QueryVariableInfo(), as the capsule based ones are optional,\ngenerally not used at runtime (all the LVFS/fwupd firmware update\ninfrastructure uses helper EFI programs that invoke capsule update at\nboot time, not runtime), and not implemented by Apple machines in the\nfirst place. QueryVariableInfo() is used to 'safely' set variables,\ni.e., only when there is enough space. This prevents machines with buggy\nfirmwares from corrupting their NVRAMs when they run out of space.\n\nGiven that Apple machines have been using EFI v1.10 services only for\nthe longest time (the EFI v2.0 spec was released in 2006, and Linux\nsupport for the newly introduced runtime services was added in 2011, but\nthe MacbookPro12,1 released in 2015 still claims to be EFI v1.10 only),\nlet's avoid the EFI v2.0 ones on all Apple x86 machines.\n\n[0] https://lore.kernel.org/all/6D757C75-65B1-468B-842D-10410081A8E4@live.com/"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: efi: runtime: evite los servicios de tiempo de ejecuci\u00f3n EFIv2 en m\u00e1quinas Apple x86 Aditya informa [0] que su reciente MacbookPro falla en el firmware cuando usa los servicios variables en tiempo de ejecuci\u00f3n. El culpable parece ser una llamada a QueryVariableInfo(), que no utilizamos para llamar a m\u00e1quinas Apple x86 en el pasado, ya que recientemente se actualizaron del firmware EFI v1.10 al firmware EFI v2.40, y QueryVariableInfo() (junto con con UpdateCapsule() et al) se agreg\u00f3 en EFI v2.00. El \u00fanico servicio de tiempo de ejecuci\u00f3n introducido en EFI v2.00 que realmente usamos en Linux es QueryVariableInfo(), ya que los basados en c\u00e1psulas son opcionales y generalmente no se usan en tiempo de ejecuci\u00f3n (toda la infraestructura de actualizaci\u00f3n de firmware LVFS/fwupd utiliza programas EFI auxiliares que invocan la c\u00e1psula). actualizar en el momento del arranque, no en el tiempo de ejecuci\u00f3n) y, en primer lugar, no lo implementan las m\u00e1quinas Apple. QueryVariableInfo() se utiliza para establecer variables de forma \"segura\", es decir, s\u00f3lo cuando hay suficiente espacio. Esto evita que las m\u00e1quinas con firmwares defectuosos da\u00f1en sus NVRAM cuando se quedan sin espacio. Dado que las m\u00e1quinas Apple han estado usando los servicios EFI v1.10 solo durante m\u00e1s tiempo (la especificaci\u00f3n EFI v2.0 se lanz\u00f3 en 2006 y el soporte de Linux para los servicios de ejecuci\u00f3n recientemente introducidos se agreg\u00f3 en 2011, pero el MacbookPro12,1 se lanz\u00f3 en 2015 todav\u00eda afirma ser solo EFI v1.10), evitemos los EFI v2.0 en todas las m\u00e1quinas Apple x86. [0] https://lore.kernel.org/all/6D757C75-65B1-468B-842D-10410081A8E4@live.com/"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3df52448978802ae15dcebf66beba1029df957b4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a4085859411c825c321c9b55b8a9dc5a128a6684", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b0f1cc093bc2493ac259c53766fd2b800e085807", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f5390cd0b43c2e54c7cf5506c7da4a37c5cef746", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48770", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:14.953", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Guard against accessing NULL pt_regs in bpf_get_task_stack()\n\ntask_pt_regs() can return NULL on powerpc for kernel threads. This is\nthen used in __bpf_get_stack() to check for user mode, resulting in a\nkernel oops. Guard against this by checking return value of\ntask_pt_regs() before trying to obtain the call chain."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: protecci\u00f3n contra el acceso a pt_regs NULL en bpf_get_task_stack() task_pt_regs() puede devolver NULL en powerpc para subprocesos del kernel. Luego, esto se usa en __bpf_get_stack() para verificar el modo de usuario, lo que genera un kernel ups. Prot\u00e9jase contra esto verificando el valor de retorno de task_pt_regs() antes de intentar obtener la cadena de llamadas."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0bcd484587b3b3092e448d27dc369e347e1810c3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b82ef4985a6d05e80f604624332430351df7b79a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b992f01e66150fc5e90be4a96f5eb8e634c8249e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ff6bdc205fd0a83bd365405d4e31fb5905826996", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48771", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:15.043", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix stale file descriptors on failed usercopy\n\nA failing usercopy of the fence_rep object will lead to a stale entry in\nthe file descriptor table as put_unused_fd() won't release it. This\nenables userland to refer to a dangling 'file' object through that still\nvalid file descriptor, leading to all kinds of use-after-free\nexploitation scenarios.\n\nFix this by deferring the call to fd_install() until after the usercopy\nhas succeeded."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/vmwgfx: corrige descriptores de archivos obsoletos en una copia de usuario fallida. Una copia de usuario fallida del objeto valla_rep generar\u00e1 una entrada obsoleta en la tabla de descriptores de archivos, ya que put_unused_fd() no lo liberar\u00e1. Esto permite al usuario hacer referencia a un objeto 'archivo' pendiente a trav\u00e9s de ese descriptor de archivo a\u00fan v\u00e1lido, lo que lleva a todo tipo de escenarios de explotaci\u00f3n de use-after-free. Solucione este problema posponiendo la llamada a fd_install() hasta que la copia del usuario se haya realizado correctamente."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2023-52883", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-20T12:15:15.140", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix possible null pointer dereference\n\nabo->tbo.resource may be NULL in amdgpu_vm_bo_update."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: drm/amdgpu: se corrigi\u00f3 la posible desreferencia del puntero nulo abo->tbo.resource puede ser NULL en amdgpu_vm_bo_update."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/51b79f33817544e3b4df838d86e8e8e4388ff684", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fefac8c4686fd81fde6830c6dae32f9001d2ac28", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-6183", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-20T12:15:15.233", "lastModified": "2024-06-20T16:15:14.903", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in EZ-Suite EZ-Partner 5. Affected is an unknown function of the component Forgot Password Handler. The manipulation leads to basic cross site scripting. It is possible to launch the attack remotely. VDB-269154 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en EZ-Suite EZ-Partner 5 y clasificada como problem\u00e1tica. Una funci\u00f3n desconocida del componente Forgot Password Handler es afectada por esta vulnerabilidad. La manipulaci\u00f3n conduce a Cross Site Scripting b\u00e1sico. Es posible lanzar el ataque de forma remota. VDB-269154 es el identificador asignado a esta vulnerabilidad. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.0}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-80"}]}], "references": [{"url": "https://vuldb.com/?ctiid.269154", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269154", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.353713", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6184", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-20T12:15:15.560", "lastModified": "2024-06-20T14:15:11.953", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical was found in Ruijie RG-UAC 1.0. Affected by this vulnerability is an unknown functionality of the file /view/systemConfig/reboot/reboot_commit.php. The manipulation of the argument servicename leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269155. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en Ruijie RG-UAC 1.0 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo /view/systemConfig/reboot/reboot_commit.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento nombre de servicio conduce a la inyecci\u00f3n de comando del sistema operativo. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-269155. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://github.com/L1OudFd8cl09/CVE/blob/main/11_06_2024_a.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269155", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269155", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.354119", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6185", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-20T12:15:15.873", "lastModified": "2024-06-25T21:16:01.940", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as critical, has been found in Ruijie RG-UAC 1.0. Affected by this issue is the function get_ip_addr_details of the file /view/dhcp/dhcpConfig/commit.php. The manipulation of the argument ethname leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-269156. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en Ruijie RG-UAC 1.0 y clasificada como cr\u00edtica. La funci\u00f3n get_ip_addr_details del archivo /view/dhcp/dhcpConfig/commit.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento ethname conduce a la inyecci\u00f3n del comando os. El ataque puede lanzarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-269156. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://github.com/L1OudFd8cl09/CVE/blob/main/11_06_2024_b.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269156", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269156", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.354121", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2023-49110", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "published": "2024-06-20T13:15:49.250", "lastModified": "2024-06-20T16:07:50.417", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "When the Kiuwan Local Analyzer uploads the scan results to the Kiuwan SAST web \napplication (either on-premises or cloud/SaaS solution), the transmitted data \nconsists of a ZIP archive containing several files, some of them in the \nXML file format. During Kiuwan's server-side processing of these XML \nfiles, it resolves external XML entities, resulting in a XML external \nentity injection attack.\u00a0An attacker with privileges to scan \nsource code within the \"Code Security\" module is able to extract any \nfiles of the operating system with the rights of the application server \nuser and is potentially able to gain sensitive files, such as \nconfiguration and passwords. Furthermore, this vulnerability also allows\n an attacker to initiate connections to internal systems, e.g. for port \nscans or accessing other internal functions / applications such as the \nWildfly admin console of Kiuwan.\n\nThis issue affects Kiuwan SAST: v0.17.0 to be protected. Users unable to upgrade may set the `--rejecthtlc` CLI flag and also disable forwarding on channels via the `UpdateChanPolicyCommand`, or disable listening on a public network interface via the `--nolisten` flag as a mitigation."}, {"lang": "es", "value": "Lightning Network Daemon (lnd): es una implementaci\u00f3n completa de un nodo Lightning Network. Una vulnerabilidad de an\u00e1lisis en la l\u00f3gica de procesamiento de cebolla de lnd y conduce a un vector DoS debido a una asignaci\u00f3n excesiva de memoria. El problema se solucion\u00f3 en lnd v0.17.0. Los usuarios deben actualizar a una versi\u00f3n > v0.17.0 para estar protegidos. Los usuarios que no puedan actualizar pueden configurar el indicador CLI `--rejecthtlc` y tambi\u00e9n deshabilitar el reenv\u00edo de canales a trav\u00e9s de `UpdateChanPolicyCommand`, o desactivar la escucha en una interfaz de red p\u00fablica a trav\u00e9s del indicador `--nolisten` como mitigaci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979", "source": "security-advisories@github.com"}, {"url": "https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta", "source": "security-advisories@github.com"}, {"url": "https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7", "source": "security-advisories@github.com"}, {"url": "https://lightning.network", "source": "security-advisories@github.com"}, {"url": "https://morehouse.github.io/lightning/lnd-onion-bomb", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-38361", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-20T23:15:52.930", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected. If the resource exists under *multiple* folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that *all* the folders in which the user is a member be returned. Permission is returned as `NO_PERMISSION` when `PERMISSION` is expected on the `CheckPermission` API. This issue has been addressed in version 1.33.1. All users are advised to upgrade. There are no known workarounds for this issue."}, {"lang": "es", "value": "Spicedb es una base de datos de permisos de c\u00f3digo abierto inspirada en Google Zanz\u00edbar para permitir una autorizaci\u00f3n detallada para las aplicaciones de los clientes. El uso de una exclusi\u00f3n debajo de una flecha que tiene m\u00faltiples recursos puede resolverse como \"NO_PERMISSION\" cuando se espera permiso. Si el recurso existe en *m\u00faltiples* carpetas y el usuario tiene acceso para ver m\u00e1s de una carpeta, SpiceDB puede informar que el usuario no tiene acceso debido a una falla en el despachador de exclusi\u00f3n al solicitar que *todas* las carpetas en las que se encuentra el recurso. El usuario es miembro y se devolver\u00e1. El permiso se devuelve como \"NO_PERMISSION\" cuando se espera \"PERMISSION\" en la API \"CheckPermission\". Este problema se solucion\u00f3 en la versi\u00f3n 1.33.1. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para este problema."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-281"}]}], "references": [{"url": "https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb", "source": "security-advisories@github.com"}, {"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2019-15797", "sourceIdentifier": "security@ubuntu.com", "published": "2024-06-21T00:15:09.240", "lastModified": "2024-06-21T00:15:09.240", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: CVE ID was once reserved, but never used."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2019-15798", "sourceIdentifier": "security@ubuntu.com", "published": "2024-06-21T00:15:09.387", "lastModified": "2024-06-21T00:15:09.387", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: CVE ID was once reserved, but never used."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2020-35155", "sourceIdentifier": "security@ubuntu.com", "published": "2024-06-21T00:15:09.510", "lastModified": "2024-06-21T00:15:09.510", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: CVE ID was once reserved, but never used."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2020-35156", "sourceIdentifier": "security@ubuntu.com", "published": "2024-06-21T00:15:09.580", "lastModified": "2024-06-21T00:15:09.580", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: CVE ID was once reserved, but never used."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2020-35157", "sourceIdentifier": "security@ubuntu.com", "published": "2024-06-21T00:15:09.640", "lastModified": "2024-06-21T00:15:09.640", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: CVE ID was once reserved, but never used."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2020-35158", "sourceIdentifier": "security@ubuntu.com", "published": "2024-06-21T00:15:09.713", "lastModified": "2024-06-21T00:15:09.713", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: CVE ID was once reserved, but never used."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2020-35159", "sourceIdentifier": "security@ubuntu.com", "published": "2024-06-21T00:15:09.773", "lastModified": "2024-06-21T00:15:09.773", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: CVE ID was once reserved, but never used."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2020-35160", "sourceIdentifier": "security@ubuntu.com", "published": "2024-06-21T00:15:09.833", "lastModified": "2024-06-21T00:15:09.833", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: CVE ID was once reserved, but never used."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2020-35161", "sourceIdentifier": "security@ubuntu.com", "published": "2024-06-21T00:15:09.897", "lastModified": "2024-06-21T00:15:09.897", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: CVE ID was once reserved, but never used."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2020-35162", "sourceIdentifier": "security@ubuntu.com", "published": "2024-06-21T00:15:09.957", "lastModified": "2024-06-21T00:15:09.957", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: CVE ID was once reserved, but never used."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2024-6212", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-21T00:15:10.080", "lastModified": "2024-06-21T15:15:16.313", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in SourceCodester Simple Student Attendance System 1.0 and classified as problematic. Affected by this issue is the function get_student of the file student_form.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-269276."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en SourceCodester Simple Student Attendance System 1.0 y clasificada como problem\u00e1tica. La funci\u00f3n get_student del archivo Student_form.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento id conduce a Cross-Site Scripting. El ataque puede lanzarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-269276."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.0}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://docs.google.com/document/d/1tl9-EAxUR64Og9zS-nyUx3YtG1V32Monkvq-h39tjpw/edit?usp=sharing", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269276", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269276", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.359229", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6213", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-21T01:16:02.880", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in SourceCodester Food Ordering Management System up to 1.0. It has been classified as critical. This affects an unknown part of the file login.php of the component Login Panel. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-269277 was assigned to this vulnerability."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en SourceCodester Food Ordering Management System hasta la versi\u00f3n 1.0. Ha sido clasificada como cr\u00edtica. Una parte desconocida del archivo login.php del componente Login Panel afecta a una parte desconocida. La manipulaci\u00f3n del argumento nombre de usuario conduce a la inyecci\u00f3n de SQL. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-269277."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/jadu101/CVE/blob/main/SourceCodester_Food_Ordering_Management_System_Sqli.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269277", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269277", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.359574", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6214", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-21T01:16:04.743", "lastModified": "2024-06-21T15:15:16.430", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in SourceCodester Food Ordering Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file add-item.php. The manipulation of the argument price leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-269278 is the identifier assigned to this vulnerability."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en SourceCodester Food Ordering Management System 1.0. Ha sido declarada cr\u00edtica. Esta vulnerabilidad afecta a un c\u00f3digo desconocido del archivo add-item.php. La manipulaci\u00f3n del precio del argumento conduce a la inyecci\u00f3n de SQL. El ataque se puede iniciar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-269278 es el identificador asignado a esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/jadu101/CVE/blob/main/SourceCoderster_Food_Ordering_Management_System_add_item_Sqli.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269278", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269278", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.359582", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2023-3352", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T02:15:09.880", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the delete_resmush_list() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for Nextgen or the Media Library."}, {"lang": "es", "value": "El complemento Smush para WordPress es vulnerable a la eliminaci\u00f3n no autorizada de la lista resmush debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n delete_resmush_list(). Esto hace posible que atacantes autenticados, con permisos m\u00ednimos, como un suscriptor, eliminen la lista de resmush de Nextgen o la librer\u00eda multimedia."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3105107/wp-smushit/trunk/app/class-ajax.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dfbaa3e4-40c2-41d8-996c-232e27a04b73?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-1639", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T02:15:10.117", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with admin dashboard access (contributors by default due to WooCommerce) to view arbitrary decrypted license keys. The functions contain a referrer nonce check. However, these can be retrieved via the dashboard through the \"license\" JS variable."}, {"lang": "es", "value": "El complemento License Manager para WooCommerce para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificaci\u00f3n de capacidad en las funciones showLicenseKey() y showAllLicenseKeys() en todas las versiones hasta la 3.0.7 incluida. Esto hace posible que atacantes autenticados, con acceso al panel de administraci\u00f3n (colaboradores de forma predeterminada debido a WooCommerce) vean claves de licencia descifradas arbitrarias. Las funciones contienen una verificaci\u00f3n nonce de referencia. Sin embargo, estos se pueden recuperar a trav\u00e9s del panel a trav\u00e9s de la variable JS \"licencia\"."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/license-manager-for-woocommerce/tags/3.0.5/includes/Controllers/License.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92e444db-72d5-444f-811e-ade0bc097769?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-1955", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T02:15:10.327", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warning_notices_settings' function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with contributor access and above, to modify the plugin's settings."}, {"lang": "es", "value": "El complemento Hide Dashboard Notifications para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'warning_notices_settings' en todas las versiones hasta la 1.3 incluida. Esto hace posible que atacantes autenticados, con acceso de colaborador y superior, modifiquen la configuraci\u00f3n del complemento."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-hide-backed-notices/tags/1.3/admin/class-wp-hide-backed-notices-admin.php", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3104675%40wp-hide-backed-notices&new=3104675%40wp-hide-backed-notices&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d4655236-7dfe-40ae-9d0c-6eacc59af13d?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-3610", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T02:15:10.537", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to create a blank child theme and activate it cause the site to whitescreen."}, {"lang": "es", "value": "El complemento WP Child Theme Generator para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n wctg_easy_child_theme() en todas las versiones hasta la 1.1.1 incluida. Esto hace posible que atacantes no autenticados creen un tema secundario en blanco y lo activen para que el sitio aparezca en pantalla blanca."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-child-theme-generator/trunk/wp-easy-child/wp-easy-child.php#L60", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/wp-child-theme-generator/tags/1.1.1&new_path=/wp-child-theme-generator/tags/1.1.2&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/581e6686-a103-43f6-aa99-6a9862d98837?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5344", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T02:15:11.057", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018forgoturl\u2019 attribute within the plugin's WP Login & Register widget in all versions up to, and including, 5.5.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento The Plus Addons para Elementor Page Builder para WordPress es vulnerable a Cross-Site Scripting Reflejado a trav\u00e9s del atributo 'forgoturl' dentro del widget de inicio de sesi\u00f3n y registro de WP del complemento en todas las versiones hasta la 5.5.6 incluida debido a una sanitizaci\u00f3n de entrada insuficiente y la salida se escapa. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "references": [{"url": "https://roadmap.theplusaddons.com/updates/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ac8fb0b-21a9-4b94-bb24-b349a7fe3305?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5503", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T02:15:11.260", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The WP Blog Post Layouts plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."}, {"lang": "es", "value": "El complemento WP Blog Post Layouts para WordPress es vulnerable a la inclusi\u00f3n de archivos locales en todas las versiones hasta la 1.1.3 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, incluyan y ejecuten archivos PHP arbitrarios en el servidor, permitiendo la ejecuci\u00f3n de cualquier c\u00f3digo PHP en esos archivos. Esto se puede utilizar para eludir los controles de acceso, obtener datos confidenciales o lograr la ejecuci\u00f3n de c\u00f3digo en los casos en que se puedan cargar e incluir im\u00e1genes y otros tipos de archivos \"seguros\"."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-blog-post-layouts/trunk/includes/gutenberg.php#L883", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blog-post-layouts/trunk/includes/gutenberg.php#L900", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blog-post-layouts/trunk/includes/gutenberg.php#L917", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blog-post-layouts/trunk/includes/src/grid/element.php#L1146", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blog-post-layouts/trunk/includes/src/list/element.php#L1136", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blog-post-layouts/trunk/includes/src/masonry/element.php#L1134", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5205cc95-06d1-4bc6-a9ea-082df9566935?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-6215", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-21T02:15:11.877", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in SourceCodester Food Ordering Management System up to 1.0. It has been rated as critical. This issue affects some unknown processing of the file view-ticket-admin.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269279."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en SourceCodester Food Ordering Management System hasta la versi\u00f3n 1.0. Ha sido calificada como cr\u00edtica. Este problema afecta un procesamiento desconocido del archivo view-ticket-admin.php. La manipulaci\u00f3n del argumento id conduce a la inyecci\u00f3n de SQL. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-269279."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/jadu101/CVE/blob/main/SourceCodester_Food_Ordering_Management_System_view_ticket_admin_Sqli.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269279", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269279", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.359595", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6216", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-21T02:15:12.173", "lastModified": "2024-06-24T20:15:11.177", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in SourceCodester Food Ordering Management System 1.0. Affected is an unknown function of the file add-users.php. The manipulation of the argument contact leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-269280."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en SourceCodester Food Ordering Management System 1.0 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo add-users.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento contacto conduce a la inyecci\u00f3n de SQL. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-269280."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/jadu101/CVE/blob/main/SourceCodester_Food_Ordering_Management_System_add_users_Sqli.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269280", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269280", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.359634", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6217", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-21T02:15:12.673", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical was found in SourceCodester Food Ordering Management System 1.0. Affected by this vulnerability is an unknown functionality of the file user-router.php. The manipulation of the argument 1_verified leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-269281 was assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en SourceCodester Food Ordering Management System 1.0 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo user-router.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento 1_verified conduce a la inyecci\u00f3n de SQL. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-269281."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/jadu101/CVE/blob/main/SourceCodester_Food_Ordering_Management_System_user_router_Sqli.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269281", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269281", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.359644", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6218", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-21T02:15:13.090", "lastModified": "2024-06-21T15:15:16.547", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as critical, has been found in itsourcecode Vehicle Management System 1.0. Affected by this issue is some unknown functionality of the file busprofile.php. The manipulation of the argument busid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-269282 is the identifier assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en itsourcecode Vehicle Management System 1.0 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo busprofile.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento busid conduce a la inyecci\u00f3n de SQL. El ataque puede lanzarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-269282 es el identificador asignado a esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/HryspaHodor/CVE/issues/7", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269282", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269282", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.360697", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-3961", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T04:15:11.283", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The ConvertKit \u2013 Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to subscribe users to tags. Financial damages may occur to site owners if their API quota is exceeded."}, {"lang": "es", "value": "El complemento ConvertKit \u2013 Email Newsletter, Email Marketing, Subscribers and Landing Pages para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n tag_subscriber en todas las versiones hasta la 2.4.9 incluida. Esto hace posible que atacantes no autenticados suscriban usuarios a etiquetas. Los propietarios de sitios pueden sufrir da\u00f1os financieros si se excede su cuota de API."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3104932%40convertkit%2Ftrunk&old=3085997%40convertkit%2Ftrunk&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79d828b8-aea2-4705-ae23-ac70133a6c3e?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5455", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T04:15:11.627", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."}, {"lang": "es", "value": "El complemento Plus Addons para Elementor Page Builder para WordPress es vulnerable a la inclusi\u00f3n de archivos locales en todas las versiones hasta la 5.5.4 incluida a trav\u00e9s del par\u00e1metro 'magazine_style' dentro del widget Dynamic Smart Showcase. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, incluyan y ejecuten archivos arbitrarios en el servidor, permitiendo la ejecuci\u00f3n de cualquier c\u00f3digo PHP en esos archivos. Esto se puede utilizar para eludir los controles de acceso, obtener datos confidenciales o lograr la ejecuci\u00f3n de c\u00f3digo en los casos en que se puedan cargar e incluir im\u00e1genes y otros tipos de archivos \"seguros\"."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://roadmap.theplusaddons.com/updates/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8699142d-4ddd-4ca1-9886-9b2d905a36cd?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5756", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T05:15:10.120", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El complemento Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress & WooCommerce para WordPress es vulnerable a la inyecci\u00f3n SQL basada en tiempo a trav\u00e9s del par\u00e1metro db en todas las versiones hasta la 5.7.23 incluida debido a un escape insuficiente en el par\u00e1metro proporcionado por el usuario y falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible que atacantes no autenticados agreguen consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n confidencial de la base de datos."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php#L532", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3101638/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5bd11c6-2f55-4eee-834a-c4e405482b9c?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2021-47621", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T06:15:10.487", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks."}, {"lang": "es", "value": "ClassGraph anterior a 4.8.112 no era resistente a los ataques de entidades externas XML (XXE)."}], "metrics": {}, "references": [{"url": "https://docs.r3.com/en/platform/corda/4.8/enterprise/release-notes-enterprise.html", "source": "cve@mitre.org"}, {"url": "https://github.com/classgraph/classgraph/commit/681362ad6b0b9d9abaffb2e07099ce54d7a41fa3", "source": "cve@mitre.org"}, {"url": "https://github.com/classgraph/classgraph/pull/539", "source": "cve@mitre.org"}, {"url": "https://github.com/classgraph/classgraph/releases/tag/classgraph-4.8.112", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-4377", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:11.773", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The DOP Shortcodes WordPress plugin through 1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks"}, {"lang": "es", "value": "El complemento DOP Shortcodes WordPress hasta la versi\u00f3n 1.2 no valida ni escapa algunos de sus atributos de shortcode antes de devolverlos a una p\u00e1gina/publicaci\u00f3n donde est\u00e1 incrustado el shortcode, lo que podr\u00eda permitir a los usuarios con el rol de colaborador y superior realizar ataques de Cross-Site Scripting Almacenado."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/778cebec-bdbb-4538-9518-c5bd50f76961/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4381", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:11.907", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"}, {"lang": "es", "value": "El complemento CB (heredado) de WordPress hasta la versi\u00f3n 0.9.4.18 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)"}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/9b3cda9a-17a7-4173-93a2-d552a874fae9/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4382", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:12.017", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks"}, {"lang": "es", "value": "El complemento CB (heredado) de WordPress hasta la versi\u00f3n 0.9.4.18 no tiene comprobaciones CSRF en algunas acciones masivas, lo que podr\u00eda permitir a los atacantes hacer que los administradores que han iniciado sesi\u00f3n realicen acciones no deseadas, como eliminar c\u00f3digos, plazos y reservas a trav\u00e9s de ataques CSRF."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/1a67aeab-8145-4c8a-9c18-e6436fa39b63/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4384", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:12.103", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"}, {"lang": "es", "value": "El complemento CSSable Countdown WordPress hasta la versi\u00f3n 1.5 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/ad714196-2590-4dc9-b5b9-50808e9e0d26/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4474", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:12.187", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack"}, {"lang": "es", "value": "El complemento WP Logs Book WordPress hasta la versi\u00f3n 1.0.1 no tiene activada la verificaci\u00f3n CSRF al actualizar su configuraci\u00f3n, lo que podr\u00eda permitir a los atacantes hacer que un administrador que haya iniciado sesi\u00f3n los cambie mediante un ataque CSRF."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/71954c60-6a5b-4cac-9920-6d9b787ead9c/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4475", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:12.267", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF attack"}, {"lang": "es", "value": "El complemento WP Logs Book WordPress hasta la versi\u00f3n 1.0.1 no tiene verificaci\u00f3n CSRF al borrar los registros, lo que podr\u00eda permitir a los atacantes hacer que un administrador que haya iniciado sesi\u00f3n borre los registros mediante un ataque CSRF."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/f0c7fa00-da6e-4f07-875f-7b85759a54b3/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4477", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:12.347", "lastModified": "2024-06-24T19:34:12.440", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The WP Logs Book WordPress plugin through 1.0.1 does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting"}, {"lang": "es", "value": "El complemento WP Logs Book WordPress hasta la versi\u00f3n 1.0.1 no sanitiza ni escapa algunos de sus datos de registro antes de devolverlos a un panel de administraci\u00f3n, lo que genera un Cross-Site Scripting Almacenado no autenticado."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:onetarek:wp_logs_book:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "1.0.1", "matchCriteriaId": "6741B07F-84FB-4D46-815E-275BBAD5D6B4"}]}]}], "references": [{"url": "https://wpscan.com/vulnerability/ab551552-944c-4e2a-9355-7011cbe553b0/", "source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-4616", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:12.427", "lastModified": "2024-06-24T19:34:00.263", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users"}, {"lang": "es", "value": "El complemento Widget Bundle de WordPress hasta la versi\u00f3n 2.0.0 no sanitiza ni escapa un par\u00e1metro antes de devolverlo a la p\u00e1gina, lo que genera un Cross-Site Scripting Reflejado que podr\u00eda usarse solo contra usuarios no autenticados."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:devnath_verma:widget_bundle:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "2.0.0", "matchCriteriaId": "BE45C4D0-99DA-495C-A032-A329C38D5963"}]}]}], "references": [{"url": "https://wpscan.com/vulnerability/d203bf3b-aee9-4755-b429-d6bbdd940890/", "source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-4755", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:12.507", "lastModified": "2024-06-24T19:31:03.263", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"}, {"lang": "es", "value": "El complemento Google CSE WordPress hasta la versi\u00f3n 1.0.7 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:erikeng:google_cse:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "1.0.7", "matchCriteriaId": "FFDB6E6C-5D13-47A8-9A87-EF3094CA1671"}]}]}], "references": [{"url": "https://wpscan.com/vulnerability/adc6ea6d-29d8-4ad0-b0db-2540e8b3f9a9/", "source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-4969", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:12.587", "lastModified": "2024-06-24T19:30:53.110", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack"}, {"lang": "es", "value": "El complemento Widget Bundle de WordPress hasta la versi\u00f3n 2.0.0 no tiene comprobaciones CSRF al registrar widgets, lo que podr\u00eda permitir a los atacantes habilitar/deshabilitar los widgets del administrador registrado a trav\u00e9s de un ataque CSRF."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:devnath_verma:widget_bundle:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "2.0.0", "matchCriteriaId": "BE45C4D0-99DA-495C-A032-A329C38D5963"}]}]}], "references": [{"url": "https://wpscan.com/vulnerability/1a7ec5dc-eda4-4fed-9df9-f41d2b937fed/", "source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-4970", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:12.670", "lastModified": "2024-06-24T19:30:39.397", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"}, {"lang": "es", "value": "El complemento Widget Bundle de WordPress hasta la versi\u00f3n 2.0.0 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:devnath_verma:widget_bundle:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "2.0.0", "matchCriteriaId": "BE45C4D0-99DA-495C-A032-A329C38D5963"}]}]}], "references": [{"url": "https://wpscan.com/vulnerability/4a9fc352-7ec2-4992-9cda-7bdca4f42788/", "source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-5447", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:12.757", "lastModified": "2024-06-24T19:27:17.300", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"}, {"lang": "es", "value": "El complemento PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode de WordPress hasta la versi\u00f3n 1.7 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenadoincluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en configuraci\u00f3n multisitio)"}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mohsinrasool:paypal_pay_now\\,_buy_now\\,_donation_and_cart_buttons_shortcode:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "1.7", "matchCriteriaId": "A28078A9-0A0F-4191-8C1C-54BE39B0EF6C"}]}]}], "references": [{"url": "https://wpscan.com/vulnerability/a692b869-1666-42d1-b56d-dfcccd68ab67/", "source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-5448", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-21T06:15:12.837", "lastModified": "2024-06-24T19:26:43.517", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks"}, {"lang": "es", "value": "El complemento PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode de WordPress hasta la versi\u00f3n 1.7 no valida ni escapa algunos de sus atributos de shortcode antes de devolverlos a una p\u00e1gina/publicaci\u00f3n donde est\u00e1 incrustado el shortcode, lo que podr\u00eda permitir a los usuarios con el rol de colaborador y superiores para realizar ataques de Cross-Site Scripting Almacenado"}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mohsinrasool:paypal_pay_now\\,_buy_now\\,_donation_and_cart_buttons_shortcode:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "1.7", "matchCriteriaId": "A28078A9-0A0F-4191-8C1C-54BE39B0EF6C"}]}]}], "references": [{"url": "https://wpscan.com/vulnerability/c482fe19-b643-41ea-8194-22776b388290/", "source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-38873", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T07:15:09.110", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. This only affects the captcha integration for the ext:form extension."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en la extensi\u00f3n amigablecaptcha_official (tambi\u00e9n conocida como Integraci\u00f3n de Friendly Captcha) antes de la versi\u00f3n 0.1.4 para TYPO3. La extensi\u00f3n no verifica el requisito del campo captcha en los datos del formulario enviado, lo que permite a un usuario remoto omitir la verificaci\u00f3n de captcha. Esto solo afecta la integraci\u00f3n de captcha para la extensi\u00f3n ext:form."}], "metrics": {"cvssMetricV31": [{"source": "cve@mitre.org", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "references": [{"url": "https://typo3.org/security/advisory/typo3-ext-sa-2024-004", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38874", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T07:15:10.200", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated users."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en la extensi\u00f3n events2 (tambi\u00e9n conocida como Events 2) anterior a 8.3.8 y 9.x anterior a 9.0.6 para TYPO3. La falta de comprobaciones de acceso en el complemento de administraci\u00f3n genera una vulnerabilidad de referencia directa a objetos (IDOR) insegura con el potencial de activar o eliminar varios eventos para usuarios no autenticados."}], "metrics": {"cvssMetricV31": [{"source": "cve@mitre.org", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "references": [{"url": "https://typo3.org/security/advisory/typo3-ext-sa-2024-003", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-5191", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T07:15:10.420", "lastModified": "2024-06-24T19:25:23.943", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Branda \u2013 White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018mime_types\u2019 parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Branda \u2013 White Label WordPress, Custom Login Page Customizer para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'mime_types' en todas las versiones hasta la 3.4.17 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de autor y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wpmudev:branda:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "3.4.18", "matchCriteriaId": "FABF85B8-0B1C-4050-BE76-254B421DA27F"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/branda-white-labeling/tags/3.4.17/inc/modules/utilities/images.php#L58", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3104910/", "source": "security@wordfence.com", "tags": ["Patch"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/31f4bad5-3a11-42c6-a336-6bd178ab5113?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-5639", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T07:15:10.640", "lastModified": "2024-06-24T19:24:23.883", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update the profile picture of any user."}, {"lang": "es", "value": "El complemento User Profile Picture para WordPress es vulnerable a Insecure Direct Object Reference en todas las versiones hasta la 2.6.1 incluida a trav\u00e9s de la funci\u00f3n 'rest_api_change_profile_image' debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de autor y superior, actualicen la imagen de perfil de cualquier usuario."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cozmoslabs:user_profile_picture:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.6.2", "matchCriteriaId": "87685CE0-3130-4BE4-B1CD-5F6BA8418095"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/metronet-profile-picture/tags/2.6.1/metronet-profile-picture.php#L1122", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/metronet-profile-picture/tags/2.6.1/metronet-profile-picture.php#L989", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3105132/", "source": "security@wordfence.com", "tags": ["Patch"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01a3b9ba-b18a-48d9-8365-d10f79fc6a6b?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-2003", "sourceIdentifier": "security@eset.com", "published": "2024-06-21T08:15:09.543", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Local privilege escalation vulnerability allowed an attacker to misuse ESET's file operations during a restore operation from quarantine."}, {"lang": "es", "value": "Una vulnerabilidad de escalada de privilegios local permiti\u00f3 a un atacante hacer un mal uso de las operaciones de archivos de ESET durante una operaci\u00f3n de restauraci\u00f3n desde la cuarentena."}], "metrics": {"cvssMetricV31": [{"source": "security@eset.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 5.9}]}, "weaknesses": [{"source": "security@eset.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://support.eset.com/ca8674", "source": "security@eset.com"}]}}, {"cve": {"id": "CVE-2024-5945", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T08:15:09.860", "lastModified": "2024-06-24T19:24:00.433", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The WP SVG Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018type\u2019 parameter in all versions up to, and including, 4.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with Author-level access and above, who have permissions to upload sanitized files, to bypass SVG sanitization and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento WP SVG Images para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'tipo' en todas las versiones hasta la 4.2 incluida debido a una sanitizaci\u00f3n de entrada insuficiente. Esto hace posible que los atacantes autenticados, con acceso de nivel de autor y superior, que tienen permisos para cargar archivos sanitizados, eviten la sanitizaci\u00f3n de SVG e inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kubiq:wp_svg_images:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "4.3", "matchCriteriaId": "E14AAAD4-FA7D-40B8-8DF7-BC5EE2818788"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-svg-images/trunk/wp-svg-images.php#L111", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/wp-svg-images/trunk/wp-svg-images.php#L313", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3105276/", "source": "security@wordfence.com", "tags": ["Patch"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/389d96e9-1fad-49a6-89b6-8f7f108d8117?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-6225", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T08:15:10.057", "lastModified": "2024-06-24T19:21:28.450", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.5 (and 7.5.1 for the Pro version) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}, {"lang": "es", "value": "El complemento Booking for Appointments and Events Calendar \u2013 Amelia para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de la configuraci\u00f3n de administrador en todas las versiones hasta la 1.1.5 incluida (y 7.5.1 para la versi\u00f3n Pro) debido a una sanitizaci\u00f3n de entrada insuficiente y un escape de salida. Esto hace posible que atacantes autenticados, con permisos de nivel de administrador y superiores, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. Esto solo afecta a las instalaciones multisitio y a las instalaciones en las que se ha deshabilitado unfiltered_html."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 2.7}, {"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tms-outsource:amelia:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.1.6", "matchCriteriaId": "9915DCF4-DF4F-4C42-8E68-2747FB89A464"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3092932%40ameliabooking&new=3092932%40ameliabooking&sfp_email=&sfph_mail=", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04597908-7086-4158-ae2b-8aa634a217c6?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-5859", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T09:15:09.657", "lastModified": "2024-06-24T19:21:07.943", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018d\u2019 parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Online Booking & Scheduling Calendar for WordPress by vcita para WordPress es vulnerable a Cross-Site Scripting Reflejado a trav\u00e9s del par\u00e1metro 'd' en todas las versiones hasta la 4.4.2 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vcita:online_booking_\\&_scheduling_calendar_for_wordpress_by_vcita:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "4.2.3", "matchCriteriaId": "7026BCAB-2BBA-473C-8B89-3F2E8BCA3739"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3104980%40meeting-scheduler-by-vcita&new=3104980%40meeting-scheduler-by-vcita&sfp_email=&sfph_mail=", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8ea0559-dec7-4c20-956d-dbfe7bc67634?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-31890", "sourceIdentifier": "psirt@us.ibm.com", "published": "2024-06-21T10:15:12.023", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "IBM i 7.3, 7.4, and 7.5 product IBM TCP/IP Connectivity Utilities for i contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system. IBM X-Force ID: 288171."}, {"lang": "es", "value": "El producto IBM i 7.3, 7.4 y 7.5 IBM TCP/IP Connectivity Utilities para i contiene una vulnerabilidad de escalada de privilegios local. Un actor malintencionado con acceso a la l\u00ednea de comandos del sistema operativo host puede elevar los privilegios para obtener acceso ra\u00edz al sistema operativo host. ID de IBM X-Force: 288171."}], "metrics": {"cvssMetricV31": [{"source": "psirt@us.ibm.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "psirt@us.ibm.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-250"}]}], "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/288171", "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/7158240", "source": "psirt@us.ibm.com"}]}}, {"cve": {"id": "CVE-2024-6027", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-21T10:15:12.437", "lastModified": "2024-06-24T19:17:50.240", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Themify \u2013 WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018conditions\u2019 parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El complemento Themify \u2013 WooCommerce Product Filter para WordPress es vulnerable a la inyecci\u00f3n SQL basada en tiempo a trav\u00e9s del par\u00e1metro 'condiciones' en todas las versiones hasta la 1.4.9 incluida debido a un escape insuficiente en el par\u00e1metro proporcionado por el usuario y a la falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible que atacantes no autenticados agreguen consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n confidencial de la base de datos."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:themify:product_filter:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.5.0", "matchCriteriaId": "3A41AFF5-93BB-4FF6-96C3-6BBFEE4F4FA2"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/themify-wc-product-filter/trunk/public/class-wpf-public.php#L604", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3104239%40themify-wc-product-filter%2Ftrunk&old=3100861%40themify-wc-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://themify.org/changelogs/themify-wc-product-filter.txt", "source": "security@wordfence.com", "tags": ["Release Notes"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/451db756-9d62-4c8e-b735-e5e5207b81e3?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2023-52884", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:09.560", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cyapa - add missing input core locking to suspend/resume functions\n\nGrab input->mutex during suspend/resume functions like it is done in\nother input drivers. This fixes the following warning during system\nsuspend/resume cycle on Samsung Exynos5250-based Snow Chromebook:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\nModules linked in: ...\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound async_run_entry_fn\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x58/0x70\n dump_stack_lvl from __warn+0x1a8/0x1cc\n __warn from warn_slowpath_fmt+0x18c/0x1b4\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\n cyapa_reinitialize from cyapa_resume+0x48/0x98\n cyapa_resume from dpm_run_callback+0x90/0x298\n dpm_run_callback from device_resume+0xb4/0x258\n device_resume from async_resume+0x20/0x64\n async_resume from async_run_entry_fn+0x40/0x15c\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\n process_scheduled_works from worker_thread+0x188/0x454\n worker_thread from kthread+0x108/0x140\n kthread from ret_from_fork+0x14/0x28\nException stack(0xf1625fb0 to 0xf1625ff8)\n...\n---[ end trace 0000000000000000 ]---\n...\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c\nModules linked in: ...\nCPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109\nHardware name: Samsung Exynos (Flattened Device Tree)\nWorkqueue: events_unbound async_run_entry_fn\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x58/0x70\n dump_stack_lvl from __warn+0x1a8/0x1cc\n __warn from warn_slowpath_fmt+0x18c/0x1b4\n warn_slowpath_fmt from input_device_enabled+0x68/0x6c\n input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc\n cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c\n cyapa_reinitialize from cyapa_resume+0x48/0x98\n cyapa_resume from dpm_run_callback+0x90/0x298\n dpm_run_callback from device_resume+0xb4/0x258\n device_resume from async_resume+0x20/0x64\n async_resume from async_run_entry_fn+0x40/0x15c\n async_run_entry_fn from process_scheduled_works+0xbc/0x6a8\n process_scheduled_works from worker_thread+0x188/0x454\n worker_thread from kthread+0x108/0x140\n kthread from ret_from_fork+0x14/0x28\nException stack(0xf1625fb0 to 0xf1625ff8)\n...\n---[ end trace 0000000000000000 ]---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Entrada: cyapa: agrega bloqueo del n\u00facleo de entrada faltante para suspender/reanudar funciones. Toma entrada->mutex durante las funciones de suspensi\u00f3n/reanudaci\u00f3n como se hace en otros controladores de entrada. Esto corrige la siguiente advertencia durante el ciclo de suspensi\u00f3n/reanudaci\u00f3n del sistema en Snow Chromebook basado en Samsung Exynos5250: ------------[ cortar aqu\u00ed ]------------ ADVERTENCIA: CPU : 1 PID: 1680 en drivers/input/input.c:2291 input_device_enabled+0x68/0x6c M\u00f3dulos vinculados en: ... CPU: 1 PID: 1680 Comm: kworker/u4:12 Contaminado: GW 6.6.0-rc5-next -20231009 #14109 Nombre de hardware: Samsung Exynos (\u00e1rbol de dispositivos aplanados) Cola de trabajo: events_unbound async_run_entry_fn unwind_backtrace de show_stack+0x10/0x14 show_stack de dump_stack_lvl+0x58/0x70 dump_stack_lvl de __warn+0x1a8/0x1cc __warn de warn _slowpath_fmt+0x18c/0x1b4 warn_slowpath_fmt de input_device_enabled+ 0x68/0x6c input_device_enabled de cyapa_gen3_set_power_mode+0x13c/0x1dc cyapa_gen3_set_power_mode de cyapa_reinitialize+0x10c/0x15c cyapa_reinitialize de cyapa_resume+0x48/0x98 cyapa_resume de dpm_run_callback+0x90/ 0x298 dpm_run_callback de dispositivo_resume+0xb4/0x258 dispositivo_resume de async_resume+0x20/0x64 async_resume de async_run_entry_fn+0x40 /0x15c async_run_entry_fn de Process_scheduled_works+0xbc/0x6a8 Process_scheduled_works de trabajador_thread+0x188/0x454 trabajador_thread de kthread+0x108/0x140 kthread de ret_from_fork+0x14/0x28 Pila de excepciones (0xf1625fb0 a 0xf1 625ff8) ... ---[ final de seguimiento 0000000000000000 ]-- - ... ------------[ cortar aqu\u00ed ]------------ ADVERTENCIA: CPU: 1 PID: 1680 en drivers/input/input.c:2291 input_device_enabled+0x68/0x6c M\u00f3dulos vinculados en: ... CPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: GW 6.6.0-rc5-next-20231009 #14109 Nombre de hardware: Samsung Exynos (\u00e1rbol de dispositivos aplanados) Cola de trabajo : events_unbound async_run_entry_fn unwind_backtrace de show_stack+0x10/0x14 show_stack de dump_stack_lvl+0x58/0x70 dump_stack_lvl de __warn+0x1a8/0x1cc __warn de warn_slowpath_fmt+0x18c/0x1b4 warn_slowpath_fmt de input_ dispositivo_enabled+0x68/0x6c input_device_enabled de cyapa_gen3_set_power_mode+0x13c/0x1dc cyapa_gen3_set_power_mode de cyapa_reinitialize+0x10c /0x15c cyapa_reinitialize de cyapa_resume+0x48/0x98 cyapa_resume de dpm_run_callback+0x90/0x298 dpm_run_callback de device_resume+0xb4/0x258 device_resume de async_resume+0x20/0x64 async_resume de async_run_entry_fn+0x40/0x 15c async_run_entry_fn de Process_scheduled_works+0xbc/0x6a8 Process_scheduled_works de trabajador_thread+0x188/ 0x454 work_thread de kthread+0x108/0x140 kthread de ret_from_fork+0x14/0x28 Pila de excepciones (0xf1625fb0 a 0xf1625ff8)... ---[fin de seguimiento 0000000000000000]---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/7b4e0b39182cf5e677c1fc092a3ec40e621c25b6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9400caf566f65c703e99d95f87b00c4b445627a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a4c638ab25786bd5aab5978fe51b2b9be16a4ebd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a5fc298fa8f67cf1f0e1fc126eab70578cd40adc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f99809fdeb50d65bcbc1661ef391af94eebb8a75", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-31076", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:09.673", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\n\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\n\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\n\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\n\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\n\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\n\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\n\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\n\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: genirq/cpuhotplug, x86/vector: evita la fuga de vectores durante la CPU fuera de l\u00ednea. La ausencia de IRQD_MOVE_PCNTXT impide la efectividad inmediata de la reconfiguraci\u00f3n de la afinidad de interrupci\u00f3n a trav\u00e9s de procfs. En cambio, el cambio se difiere hasta la siguiente instancia de interrupci\u00f3n que se activa en la CPU original. La siguiente vez que se activa la interrupci\u00f3n en la CPU original, la nueva afinidad se aplica dentro de __irq_move_irq(). Se asigna un vector desde la nueva CPU, pero el vector antiguo en la CPU original permanece y no se recupera inmediatamente. En su lugar, se marca apicd->move_in_progress y el proceso de recuperaci\u00f3n se retrasa hasta el siguiente desencadenante de la interrupci\u00f3n en la nueva CPU. Tras la activaci\u00f3n posterior de la interrupci\u00f3n en la nueva CPU, irq_complete_move() agrega una tarea a la lista vector_cleanup de la CPU anterior si permanece en l\u00ednea. Posteriormente, el temporizador de la CPU antigua itera sobre su lista vector_cleanup, recuperando vectores antiguos. Sin embargo, surge un escenario poco com\u00fan si la CPU antigua sale antes de que la interrupci\u00f3n se active nuevamente en la nueva CPU. En ese caso, irq_force_complete_move() no se invoca en la CPU saliente para recuperar el antiguo apicd->prev_vector porque la interrupci\u00f3n no es actualmente af\u00edn a la CPU saliente, e irq_needs_fixup() devuelve false. Aunque m\u00e1s tarde se llama a __vector_schedule_cleanup() en la nueva CPU, no reclama apicd->prev_vector; en su lugar, simplemente restablece apicd->move_in_progress y apicd->prev_vector a 0. Como resultado, el vector permanece sin reclamar en vector_matrix, lo que provoca una fuga de vector de CPU. Para solucionar este problema, mueva la invocaci\u00f3n de irq_force_complete_move() antes de la llamada irq_needs_fixup() para recuperar apicd->prev_vector, si la interrupci\u00f3n es actualmente o sol\u00eda ser af\u00edn a la CPU saliente. Adem\u00e1s, recupere tambi\u00e9n el vector en __vector_schedule_cleanup(), despu\u00e9s de un mensaje de advertencia, aunque en teor\u00eda nunca deber\u00eda ver apicd->move_in_progress con apicd->prev_cpu apuntando a una CPU fuera de l\u00ednea."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-33619", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:09.767", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: libstub: only free priv.runtime_map when allocated\n\npriv.runtime_map is only allocated when efi_novamap is not set.\nOtherwise, it is an uninitialized value. In the error path, it is freed\nunconditionally. Avoid passing an uninitialized value to free_pool.\nFree priv.runtime_map only when it was allocated.\n\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: efi: libstub: solo se libera priv.runtime_map cuando se asigna priv.runtime_map solo se asigna cuando efi_novamap no est\u00e1 configurado. De lo contrario, es un valor no inicializado. En la ruta del error se libera incondicionalmente. Evite pasar un valor no inicializado a free_pool. Priv.runtime_map gratuito solo cuando se asign\u00f3. Este error fue descubierto y resuelto utilizando Coverity Static Analysis Security Testing (SAST) por Synopsys, Inc."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/4b2543f7e1e6b91cfc8dd1696e3cdf01c3ac8974", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6ca67a5fe1c606d1fbe24c30a9fc0bdc43a18554", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9dce01f386c9ce6990c0a83fa14b1c95330b037e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b8938d6f570f010a1dcdbfed3e5b5d3258c2a908", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-33621", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:09.860", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound\n\nRaw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will\nhit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.\n\nWARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70\nModules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper\nCPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:sk_mc_loop+0x2d/0x70\nCode: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c\nRSP: 0018:ffffa9584015cd78 EFLAGS: 00010212\nRAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001\nRDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000\nRBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00\nR10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000\nR13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000\nFS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n ? __warn (kernel/panic.c:693)\n ? sk_mc_loop (net/core/sock.c:760)\n ? report_bug (lib/bug.c:201 lib/bug.c:219)\n ? handle_bug (arch/x86/kernel/traps.c:239)\n ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\n ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\n ? sk_mc_loop (net/core/sock.c:760)\n ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1))\n ? nf_hook_slow (net/netfilter/core.c:626)\n ip6_finish_output (net/ipv6/ip6_output.c:222)\n ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215)\n ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan\n ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan\n dev_hard_start_xmit (net/core/dev.c:3594)\n sch_direct_xmit (net/sched/sch_generic.c:343)\n __qdisc_run (net/sched/sch_generic.c:416)\n net_tx_action (net/core/dev.c:5286)\n handle_softirqs (kernel/softirq.c:555)\n __irq_exit_rcu (kernel/softirq.c:589)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)\n\nThe warning triggers as this:\npacket_sendmsg\n packet_snd //skb->sk is packet sk\n __dev_queue_xmit\n __dev_xmit_skb //q->enqueue is not NULL\n __qdisc_run\n sch_direct_xmit\n dev_hard_start_xmit\n ipvlan_start_xmit\n ipvlan_xmit_mode_l3 //l3 mode\n ipvlan_process_outbound //vepa flag\n ipvlan_process_v6_outbound\n ip6_local_out\n __ip6_finish_output\n ip6_finish_output2 //multicast packet\n sk_mc_loop //sk->sk_family is AF_PACKET\n\nCall ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ipvlan: no use skb->sk en ipvlan_process_v{4,6}_outbound El paquete sin procesar del socket PF_PACKET en la parte superior de un dispositivo ipvlan respaldado por IPv6 alcanzar\u00e1 WARN_ON_ONCE() en sk_mc_loop() a trav\u00e9s de la ruta sch_direct_xmit(). ADVERTENCIA: CPU: 2 PID: 0 en net/core/sock.c:775 sk_mc_loop+0x2d/0x70 M\u00f3dulos vinculados en: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper CPU: 2 PID: 0 Comm: swapper/2 Kdump: cargado No contaminado 6.9.0+ #279 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.15.0-1 01/04/2014 RIP: 0010:sk_mc_loop+0x2d/0x70 C\u00f3digo: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c RSP: 0018:ffffa9584015cd78 EFLAGS: 00010212 RAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001 RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000 RBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00 R10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000 R13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: e589c0f000 FS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 00000000000000000 DR2: 0000000000000000 DR3: 00000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas: ? __advertir (kernel/panic.c:693)? sk_mc_loop (net/core/sock.c:760)? report_bug (lib/bug.c:201 lib/bug.c:219)? handle_bug (arch/x86/kernel/traps.c:239)? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminador 1))? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)? sk_mc_loop (net/core/sock.c:760) ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminador 1))? nf_hook_slow (net/netfilter/core.c:626) ip6_finish_output (net/ipv6/ip6_output.c:222)? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215) ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan dev_hard_start_xmit (net/core/dev . c:3594) sch_direct_xmit (net/sched/sch_generic.c:343) __qdisc_run (net/sched/sch_generic.c:416) net_tx_action (net/core/dev.c:5286) handle_softirqs (kernel/softirq.c:555) __irq_exit_rcu (kernel/softirq.c:589) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043) La advertencia se activa de la siguiente manera: paquete_sendmsg paquete_snd //skb->sk es el paquete sk __dev_queue_xmit __dev_xmit_skb //q-> la cola no es NULL __qdisc_run sch_direct_xmit dev_hard_start_xmit ipvlan_start_xmit ipvlan_xmit_mode_l3 //modo l3 ipvlan_process_outbound //vepa flag ipvlan_process_v6_outbound ip6_local_out __ip6_finish_output ip6_finish_output2 //paquete de multidifusi\u00f3n sk_mc_loop //sk-> sk_family es AF_PACKET Llame a ip{6}_local_out() con NULL sk en ipvlan como otro t\u00faneles para solucionar este problema."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0049a623dfbbb49888de7f0c2f33a582b5ead989", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/13c4543db34e0da5a7d2f550b6262d860f248381", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/183c4b416454b9983dc1b8aa0022b748911adc48", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1abbf079da59ef559d0ab4219d2a0302f7970761", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/54213c09801e0bd2549ac42961093be36f65a7d0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/54768bacfde60e8e4757968d79f8726711dd2cf5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b3dc6e8003b500861fa307e9a3400c52e78e4d3a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cb53706a3403ba67f4040b2a82d9cf79e11b1a48", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-36244", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:09.957", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: extend minimum interval restriction to entire cycle too\n\nIt is possible for syzbot to side-step the restriction imposed by the\nblamed commit in the Fixes: tag, because the taprio UAPI permits a\ncycle-time different from (and potentially shorter than) the sum of\nentry intervals.\n\nWe need one more restriction, which is that the cycle time itself must\nbe larger than N * ETH_ZLEN bit times, where N is the number of schedule\nentries. This restriction needs to apply regardless of whether the cycle\ntime came from the user or was the implicit, auto-calculated value, so\nwe move the existing \"cycle == 0\" check outside the \"if \"(!new->cycle_time)\"\nbranch. This way covers both conditions and scenarios.\n\nAdd a selftest which illustrates the issue triggered by syzbot."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: taprio: extiende la restricci\u00f3n de intervalo m\u00ednimo a todo el ciclo tambi\u00e9n. Es posible que syzbot eluda la restricci\u00f3n impuesta por el commit culpable en la etiqueta Fixes:, porque el taprio UAPI permite un tiempo de ciclo diferente (y potencialmente m\u00e1s corto) de la suma de los intervalos de entrada. Necesitamos una restricci\u00f3n m\u00e1s, que es que el tiempo del ciclo en s\u00ed debe ser mayor que N * ETH_ZLEN bits, donde N es el n\u00famero de entradas de programaci\u00f3n. Esta restricci\u00f3n debe aplicarse independientemente de si el tiempo del ciclo provino del usuario o fue un valor impl\u00edcito calculado autom\u00e1ticamente, por lo que movemos la verificaci\u00f3n \"ciclo == 0\" existente fuera de \"if \"(!new->cycle_time)\". rama. De esta manera cubre tanto las condiciones como los escenarios. Agregue una autoprueba que ilustre el problema desencadenado por syzbot."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/91f249b01fe490fce11fbb4307952ca8cce78724", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b939d1e04a90248b4cdf417b0969c270ceb992b2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fb66df20a7201e60f2b13d7f95d031b31a8831d3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-36270", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:10.117", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: tproxy: bail out if IP has been disabled on the device\n\nsyzbot reports:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n[..]\nRIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62\nCall Trace:\n nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]\n nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168\n\n__in_dev_get_rcu() can return NULL, so check for this."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: tproxy: rescate si se ha deshabilitado la IP en el dispositivo syzbot informa: falla de protecci\u00f3n general, probablemente para direcci\u00f3n no can\u00f3nica 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref en el rango [0x0000000000000018-0x000000000000001f] [..] RIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62 Seguimiento de llamadas: nft_tproxy_ eval_v4 net/netfilter/nft_tproxy.c: 56 [en l\u00ednea] nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168 __in_dev_get_rcu() puede devolver NULL, as\u00ed que verifique esto."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/07eeedafc59c45fe5de43958128542be3784764c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/10f0af5234dafd03d2b75233428ec3f11cf7e43d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/21a673bddc8fd4873c370caf9ae70ffc6d47e8d3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/570b4c52096e62fda562448f5760fd0ff06110f0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6fe5af4ff06db3d4d80e07a19356640428159f03", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/819bfeca16eb9ad647ddcae25e7e12c30612147c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/caf3a8afb5ea00db6d5398adf148d5534615fd80", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-36281", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:10.197", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Use mlx5_ipsec_rx_status_destroy to correctly delete status rules\n\nrx_create no longer allocates a modify_hdr instance that needs to be\ncleaned up. The mlx5_modify_header_dealloc call will lead to a NULL pointer\ndereference. A leak in the rules also previously occurred since there are\nnow two rules populated related to status.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 109907067 P4D 109907067 PUD 116890067 PMD 0\n Oops: 0000 [#1] SMP\n CPU: 1 PID: 484 Comm: ip Not tainted 6.9.0-rc2-rrameshbabu+ #254\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n RIP: 0010:mlx5_modify_header_dealloc+0xd/0x70\n \n Call Trace:\n \n ? show_regs+0x60/0x70\n ? __die+0x24/0x70\n ? page_fault_oops+0x15f/0x430\n ? free_to_partial_list.constprop.0+0x79/0x150\n ? do_user_addr_fault+0x2c9/0x5c0\n ? exc_page_fault+0x63/0x110\n ? asm_exc_page_fault+0x27/0x30\n ? mlx5_modify_header_dealloc+0xd/0x70\n rx_create+0x374/0x590\n rx_add_rule+0x3ad/0x500\n ? rx_add_rule+0x3ad/0x500\n ? mlx5_cmd_exec+0x2c/0x40\n ? mlx5_create_ipsec_obj+0xd6/0x200\n mlx5e_accel_ipsec_fs_add_rule+0x31/0xf0\n mlx5e_xfrm_add_state+0x426/0xc00\n "}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net/mlx5: utilice mlx5_ipsec_rx_status_destroy para eliminar correctamente las reglas de estado. rx_create ya no asigna una instancia de modifique_hdr que debe limpiarse. La llamada mlx5_modify_header_dealloc dar\u00e1 lugar a una desreferencia del puntero NULL. Anteriormente tambi\u00e9n se produjo una fuga en las reglas, ya que ahora hay dos reglas relacionadas con el estado. ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000000 #PF: acceso de lectura del supervisor en modo kernel #PF: c\u00f3digo_error(0x0000) - p\u00e1gina no presente PGD 109907067 P4D 109907067 PUD 116890067 PMD 0 Ups: 0000 [#1] SMP CPU: 1 PID: 484 Comm: ip Not tainted 6.9.0-rc2-rrameshbabu+ #254 Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.3-1-1 01/04/2014 RIP: 0010: mlx5_modify_header_dealloc+0xd/0x70 Seguimiento de llamadas: ? mostrar_regs+0x60/0x70? __morir+0x24/0x70 ? page_fault_oops+0x15f/0x430? free_to_partial_list.constprop.0+0x79/0x150? do_user_addr_fault+0x2c9/0x5c0? exc_page_fault+0x63/0x110? asm_exc_page_fault+0x27/0x30? mlx5_modify_header_dealloc+0xd/0x70 rx_create+0x374/0x590 rx_add_rule+0x3ad/0x500 ? rx_add_rule+0x3ad/0x500? mlx5_cmd_exec+0x2c/0x40? mlx5_create_ipsec_obj+0xd6/0x200 mlx5e_accel_ipsec_fs_add_rule+0x31/0xf0 mlx5e_xfrm_add_state+0x426/0xc00 "}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/16d66a4fa81da07bc4ed19f4e53b87263c2f8d38", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b0a15cde37a8388e57573686f650a17208ae1212", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cc9ac559f2e21894c21ac5b0c85fb24a5cab266c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-36286", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:10.277", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()\n\nsyzbot reported that nf_reinject() could be called without rcu_read_lock() :\n\nWARNING: suspicious RCU usage\n6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted\n\nnet/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by syz-executor.4/13427:\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]\n #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]\n #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172\n\nstack backtrace:\nCPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]\n nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397\n nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]\n instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172\n rcu_do_batch kernel/rcu/tree.c:2196 [inline]\n rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471\n handle_softirqs+0x2d6/0x990 kernel/softirq.c:554\n __do_softirq kernel/softirq.c:588 [inline]\n invoke_softirq kernel/softirq.c:428 [inline]\n __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:649\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n \n "}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: netfilter: nfnetlink_queue: adquirir rcu_read_lock() en instancia_destroy_rcu() syzbot inform\u00f3 que se pod\u00eda llamar a nf_reinject() sin rcu_read_lock() : ADVERTENCIA: uso sospechoso de RCU 6.9.0-rc7-syzkaller -02060-g5c1672705a1a #0 \u00a1No est\u00e1 contaminado net/netfilter/nfnetlink_queue.c:263 uso sospechoso de rcu_dereference_check()! otra informaci\u00f3n que podr\u00eda ayudarnos a depurar esto: rcu_scheduler_active = 2, debug_locks = 1 2 bloqueos mantenidos por syz-executor.4/13427: #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, en: rcu_lock_acquire include/linux/rcupdate.h:329 [en l\u00ednea] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, en: rcu_do_batch kernel/rcu/tree.c:2190 [en l\u00ednea] #0 : ffffffff8e334f60 (rcu_callback){....}-{0:0}, en: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471 #1: ffff88801ca92958 (&inst->lock){+.-.} -{2:2}, en: spin_lock_bh include/linux/spinlock.h:356 [en l\u00ednea] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, en: nfqnl_flush net/ netfilter/nfnetlink_queue.c:405 [en l\u00ednea] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, en: instancia_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172 pila backtrace: CPU: 0 PID: 13427 Comm: syz-executor.4 No contaminado 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Llamada de Google 02/04/2024 Trace: __dump_stack lib/dump_stack.c: 88 [en l\u00ednea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c: 114 Lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c: 6712 nf_filt. C :323 [en l\u00ednea] nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397 nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [en l\u00ednea] instancia_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172 do_batch kernel/rcu /tree.c:2196 [en l\u00ednea] rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471 handle_softirqs+0x2d6/0x990 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [en l\u00ednea] invoke_softirq kernel/softirq .c:428 [en l\u00ednea] __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [en l\u00ednea] r_interrupci\u00f3n+ 0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 "}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/215df6490e208bfdd5b3012f5075e7f8736f3e7a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/25ea5377e3d2921a0f96ae2551f5ab1b36825dd4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3989b817857f4890fab9379221a9d3f52bf5c256", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/68f40354a3851df46c27be96b84f11ae193e36c5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8658bd777cbfcb0c13df23d0ea120e70517761b9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8f365564af898819a523f1a8cf5c6ce053e9f718", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dc21c6cc3d6986d938efbf95de62473982c98dec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e01065b339e323b3dfa1be217fd89e9b3208b0ab", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-36478", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:10.360", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\n\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\npanic:\n\nTest script:\n\nmodprobe null_blk nr_devices=0\nmkdir -p /sys/kernel/config/nullb/nullb0\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\nwhile true; do echo 1 > power; echo 0 > power; done\n\nTest result:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000148\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:__lock_acquire+0x41d/0x28f0\nCall Trace:\n \n lock_acquire+0x121/0x450\n down_write+0x5f/0x1d0\n simple_recursive_removal+0x12f/0x5c0\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\n blk_mq_update_nr_hw_queues+0x4a3/0x720\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\n configfs_write_iter+0x119/0x1e0\n vfs_write+0x326/0x730\n ksys_write+0x74/0x150\n\nThis is because del_gendisk() can concurrent with\nblk_mq_update_nr_hw_queues():\n\nnullb_device_power_store\tnullb_apply_submit_queues\n null_del_dev\n del_gendisk\n\t\t\t\t nullb_update_nr_hw_queues\n\t\t\t\t if (!dev->nullb)\n\t\t\t\t // still set while gendisk is deleted\n\t\t\t\t return 0\n\t\t\t\t blk_mq_update_nr_hw_queues\n dev->nullb = NULL\n\nFix this problem by resuing the global mutex to protect\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: null_blk: corrige la dereferencia null-ptr al configurar 'power' y 'submit_queues'. Escribir 'power' y 'submit_queues' simult\u00e1neamente provocar\u00e1 un p\u00e1nico en el kernel: Script de prueba: modprobe null_blk nr_devices= 0 mkdir -p /sys/kernel/config/nullb/nullb0 mientras sea verdadero; hacer eco 1 > enviar_queues; eco 4 > enviar_colas; hecho y mientras sea cierto; hacer eco 1 > potencia; eco 0 > potencia; hecho Resultado de la prueba: ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000148 Ups: 0000 [#1] RIP SMP PREEMPLEADO: 0010:__lock_acquire+0x41d/0x28f0 Seguimiento de llamada: lock_acquire+0x121/0x450 down_write+0x5f/0x1d0 simple_recursive _eliminaci\u00f3n+ 0x12f/0x5c0 blk_mq_debugfs_unregister_hctxs+0x7c/0x100 blk_mq_update_nr_hw_queues+0x4a3/0x720 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] /0xf0 [null_blk] configfs_write_iter+0x119/0x1e0 vfs_write+0x326/0x730 ksys_write+0x74/0x150 Esto se debe a que del_gendisk() puede concurrente con blk_mq_update_nr_hw_queues(): nullb_device_power_store nullb_apply_submit_queues null_del_dev del_gendisk nullb_update_nr_hw_queues if (!dev->nullb) // todav\u00eda est\u00e1 configurado mientras se elimina gendisk return 0 blk_mq_update_nr_hw_queues dev->nullb = NULL Fix este problema reutilizando el mutex global para proteger nullb_device_power_store() y nullb_update_nr_hw_queues() de configfs."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-36484", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:10.437", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: relax socket state check at accept time.\n\nChristoph reported the following splat:\n\nWARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0\nModules linked in:\nCPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nRIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759\nCode: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80\nRSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293\nRAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64\nR10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000\nR13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800\nFS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786\n do_accept+0x435/0x620 net/socket.c:1929\n __sys_accept4_file net/socket.c:1969 [inline]\n __sys_accept4+0x9b/0x110 net/socket.c:1999\n __do_sys_accept net/socket.c:2016 [inline]\n __se_sys_accept net/socket.c:2013 [inline]\n __x64_sys_accept+0x7d/0x90 net/socket.c:2013\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x4315f9\nCode: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b\nRAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300\nR10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055\n \n\nThe reproducer invokes shutdown() before entering the listener status.\nAfter commit 94062790aedb (\"tcp: defer shutdown(SEND_SHUTDOWN) for\nTCP_SYN_RECV sockets\"), the above causes the child to reach the accept\nsyscall in FIN_WAIT1 status.\n\nEric noted we can relax the existing assertion in __inet_accept()"}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: net: relajaci\u00f3n del estado del socket en el momento de la aceptaci\u00f3n. Christoph inform\u00f3 el siguiente s\u00edmbolo: ADVERTENCIA: CPU: 1 PID: 772 en net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0 M\u00f3dulos vinculados en: CPU: 1 PID: 772 Comunicaciones: syz-executor510 No contaminado 6.9.0- rc7-g7da7119fe22b #56 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 01/04/2014 RIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759 C\u00f3digo: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80 RSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293 RAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff88810466 8000 RDX: 0000000000000000 RSI: 00000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64 R10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000 R13: 1ffff92000185f98 R14: ffff88810754d880 R15: 7b7800 FS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 00000000000000000 DR2: 0000000000000000 DR3: 000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Seguimiento de llamadas: inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786 do_accept+ 0x435/0x620 net/socket.c:1929 __sys_accept4_file net/socket.c:1969 [en l\u00ednea] __sys_accept4+0x9b/0x110 net/socket.c:1999 __do_sys_accept net/socket.c:2016 [en l\u00ednea] __se_sys_accept net/socket.c : 2013 [en l\u00ednea] __x64_sys_accept+0x7d/0x90 net/Socket.c: 2013 do_syscall_x64 arch/x86/entry/comunes.c: 52 [inline] do_syscall_64+0x58/0x100 arch/x86/entry/comunes 0x76/0x7e RIP: 0033:0x4315f9 C\u00f3digo: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002 b RAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9 RDX: 0000000000000000 RSI : 0000000000000000 RDI: 0000000000000004 RBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300 R10: 0000000000400300 1: 0000000000000246 R12: 0000000000000000 R13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055 El reproductor invoca el apagado() antes de ingresar al estado de escucha. Despu\u00e9s de confirmar 94062790aedb (\"tcp: aplazar el apagado (SEND_SHUTDOWN) para sockets TCP_SYN_RECV\"), lo anterior hace que el ni\u00f1o alcance la llamada al sistema de aceptaci\u00f3n en el estado FIN_WAIT1. Eric not\u00f3 que podemos relajar la afirmaci\u00f3n existente en __inet_accept()"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/26afda78cda3da974fd4c287962c169e9462c495", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5f9a04a94fd1894d7009055ab8e5832a0242dba3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/87bdc9f6f58b4417362d6932b49b828e319f97dc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c09ddc605893df542c6cf8dde6a57a93f7cf0adb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-36489", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:10.513", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix missing memory barrier in tls_init\n\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\n\nCPU0 CPU1\n----- -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\n\n// In update_sk_prot()\nWRITE_ONCE(sk->sk_prot, tls_prots) -(2)\n\n // In sock_common_setsockopt()\n READ_ONCE(sk->sk_prot)->setsockopt()\n\n // In tls_{setsockopt,getsockopt}()\n ctx->sk_proto->setsockopt() -(3)\n\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx->sk_proto, causing NULL dereference.\n\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\ninitialized, we can ensure that ctx->sk_proto are visible when\nchanging sk->sk_prot."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: tls: corrige la barrera de memoria faltante en tls_init En tls_init(), falta una barrera de memoria de escritura y el reordenamiento tienda-tienda puede causar una desreferencia NULL en tls_{setsockopt,getsockopt}. CPU0 CPU1 ----- ----- // En tls_init() // En tls_ctx_create() ctx = kzalloc() ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1) // En update_sk_prot( ) WRITE_ONCE(sk->sk_prot, tls_prots) -(2) // En sock_common_setsockopt() READ_ONCE(sk->sk_prot)->setsockopt() // En tls_{setsockopt,getsockopt}() ctx->sk_proto->setsockopt () -(3) En el escenario anterior, cuando (1) y (2) se reordenan, (3) puede observar el valor NULL de ctx->sk_proto, lo que provoca la desreferencia NULL. Para solucionarlo, confiamos en rcu_assign_pointer() que implica la sem\u00e1ntica de barrera de liberaci\u00f3n. Al mover rcu_assign_pointer() despu\u00e9s de inicializar ctx->sk_proto, podemos asegurarnos de que ctx->sk_proto sean visibles al cambiar sk->sk_prot."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2c260a24cf1c4d30ea3646124f766ee46169280b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/335c8f1566d8e44c384d16b450a18554896d4e8b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/91e61dd7a0af660408e87372d8330ceb218be302", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ab67c2fd3d070a21914d0c31319d3858ab4e199c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d72e126e9a36d3d33889829df8fc90100bb0e071", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ef21007a7b581c7fe64d5a10c320880a033c837b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-37353", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:10.590", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio: delete vq in vp_find_vqs_msix() when request_irq() fails\n\nWhen request_irq() fails, error path calls vp_del_vqs(). There, as vq is\npresent in the list, free_irq() is called for the same vector. That\ncauses following splat:\n\n[ 0.414355] Trying to free already-free IRQ 27\n[ 0.414403] WARNING: CPU: 1 PID: 1 at kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0\n[ 0.414510] Modules linked in:\n[ 0.414540] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4+ #27\n[ 0.414540] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n[ 0.414540] RIP: 0010:free_irq+0x1a1/0x2d0\n[ 0.414540] Code: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40\n[ 0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086\n[ 0.414540] RAX: 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000\n[ 0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000001\n[ 0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001\n[ 0.414540] R10: 00000000ffffdfff R11: ffffffffb18729c0 R12: ffffa099c1c91760\n[ 0.414540] R13: ffffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600\n[ 0.414540] FS: 0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000\n[ 0.414540] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0\n[ 0.414540] Call Trace:\n[ 0.414540] \n[ 0.414540] ? __warn+0x80/0x120\n[ 0.414540] ? free_irq+0x1a1/0x2d0\n[ 0.414540] ? report_bug+0x164/0x190\n[ 0.414540] ? handle_bug+0x3b/0x70\n[ 0.414540] ? exc_invalid_op+0x17/0x70\n[ 0.414540] ? asm_exc_invalid_op+0x1a/0x20\n[ 0.414540] ? free_irq+0x1a1/0x2d0\n[ 0.414540] vp_del_vqs+0xc1/0x220\n[ 0.414540] vp_find_vqs_msix+0x305/0x470\n[ 0.414540] vp_find_vqs+0x3e/0x1a0\n[ 0.414540] vp_modern_find_vqs+0x1b/0x70\n[ 0.414540] init_vqs+0x387/0x600\n[ 0.414540] virtnet_probe+0x50a/0xc80\n[ 0.414540] virtio_dev_probe+0x1e0/0x2b0\n[ 0.414540] really_probe+0xc0/0x2c0\n[ 0.414540] ? __pfx___driver_attach+0x10/0x10\n[ 0.414540] __driver_probe_device+0x73/0x120\n[ 0.414540] driver_probe_device+0x1f/0xe0\n[ 0.414540] __driver_attach+0x88/0x180\n[ 0.414540] bus_for_each_dev+0x85/0xd0\n[ 0.414540] bus_add_driver+0xec/0x1f0\n[ 0.414540] driver_register+0x59/0x100\n[ 0.414540] ? __pfx_virtio_net_driver_init+0x10/0x10\n[ 0.414540] virtio_net_driver_init+0x90/0xb0\n[ 0.414540] do_one_initcall+0x58/0x230\n[ 0.414540] kernel_init_freeable+0x1a3/0x2d0\n[ 0.414540] ? __pfx_kernel_init+0x10/0x10\n[ 0.414540] kernel_init+0x1a/0x1c0\n[ 0.414540] ret_from_fork+0x31/0x50\n[ 0.414540] ? __pfx_kernel_init+0x10/0x10\n[ 0.414540] ret_from_fork_asm+0x1a/0x30\n[ 0.414540] \n\nFix this by calling deleting the current vq when request_irq() fails."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio: eliminar vq en vp_find_vqs_msix() cuando request_irq() falla Cuando request_irq() falla, la ruta de error llama a vp_del_vqs(). All\u00ed, como vq est\u00e1 presente en la lista, se llama a free_irq() para el mismo vector. Eso provoca el siguiente s\u00edmbolo: [0.414355] Intentando liberar IRQ 27 que ya est\u00e1 libre [0.414403] ADVERTENCIA: CPU: 1 PID: 1 en kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0 [0.414510] M\u00f3dulos vinculados en: [ 0.414540] CPU: 1 PID: 1 Comunicaciones: swapper/0 No contaminado 6.9.0-rc4+ #27 [ 0.414540] Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01 /2014 [0.414540] RIP: 0010:free_irq+0x1a1/0x2d0 [0.414540] C\u00f3digo: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40 [ 0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086 [0,414540] RAX : 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000 [ 0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000 001 [ 0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001 [ 0.414540] R10: 00000000ffffdfff R11: fffffffb18729c0 fffa099c1c91760 [ 0.414540] R13: fffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600 [ 0.414540] FS: 0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000 [ 0.41454 0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0 [0.414540] Seguimiento de llamadas: [0.414540] [0.414540]? __advertir+0x80/0x120 [0.414540]? free_irq+0x1a1/0x2d0 [0.414540]? report_bug+0x164/0x190 [0.414540]? handle_bug+0x3b/0x70 [0.414540]? exc_invalid_op+0x17/0x70 [0.414540]? asm_exc_invalid_op+0x1a/0x20 [0.414540]? free_irq+0x1a1/0x2d0 [ 0.414540] vp_del_vqs+0xc1/0x220 [ 0.414540] vp_find_vqs_msix+0x305/0x470 [ 0.414540] vp_find_vqs+0x3e/0x1a0 [ 0.414540 ] vp_modern_find_vqs+0x1b/0x70 [ 0.414540] init_vqs+0x387/0x600 [ 0.414540] virtnet_probe+ 0x50a/0xc80 [0.414540] virtio_dev_probe+0x1e0/0x2b0 [0.414540]realmente_probe+0xc0/0x2c0 [0.414540]? __pfx___driver_attach+0x10/0x10 [ 0.414540] __driver_probe_device+0x73/0x120 [ 0.414540] driver_probe_device+0x1f/0xe0 [ 0.414540] __driver_attach+0x88/0x180 [ 0.414540] _for_each_dev+0x85/0xd0 [ 0.414540] bus_add_driver+0xec/0x1f0 [ 0.414540] driver_register+ 0x59/0x100 [0,414540]? __pfx_virtio_net_driver_init+0x10/0x10 [ 0.414540] virtio_net_driver_init+0x90/0xb0 [ 0.414540] do_one_initcall+0x58/0x230 [ 0.414540] kernel_init_freeable+0x1a3/0x2d0 [ 0.41 4540] ? __pfx_kernel_init+0x10/0x10 [0.414540] kernel_init+0x1a/0x1c0 [0.414540] ret_from_fork+0x31/0x50 [0.414540]? __pfx_kernel_init+0x10/0x10 [ 0.414540] ret_from_fork_asm+0x1a/0x30 [ 0.414540] Solucione este problema llamando a eliminar el vq actual cuando request_irq() falla."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/04207a9c64e0b16dac842e5b2ecfa53af25bdea7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/42d30da50d5c1ec433fd9551bfddd6887407c352", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/43a9aaf63254ab821f0f25fea25698ebe69ea16a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7fbe54f02a5c77ff5dd65e8ed0b58e3bd8c43e9c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/89875151fccdd024d571aa884ea97a0128b968b6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/abf001651acd1858252764fa39d79e3d0b5c86b2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bb61a84793858330ba2ca1d202d3779096f6fb54", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cb7a7c8144b434e06aba99b13b045a7efe859587", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-37356", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:10.677", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\n\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\n\n alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n ...\n delivered_ce <<= (10 - dctcp_shift_g);\n\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\n\n memcpy((void*)0x20000080,\n \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n /*flags=*/2ul, /*mode=*/0ul);\n memcpy((void*)0x20000000, \"100\\000\", 4);\n syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\n\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\n\nWith this patch:\n\n # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n 10\n # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n -bash: echo: write error: Invalid argument\n\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n "}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: corrige el desplazamiento fuera de los l\u00edmites en dctcp_update_alpha(). En dctcp_update_alpha(), utilizamos un par\u00e1metro de m\u00f3dulo dctcp_shift_g de la siguiente manera: alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g); ... entregado_ce <<= (10 - dctcp_shift_g); Parece que syzkaller comenz\u00f3 a modificar los par\u00e1metros del m\u00f3dulo y activ\u00f3 el desplazamiento fuera de los l\u00edmites [0] estableciendo 100 en dctcp_shift_g: memcpy((void*)0x20000080, \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47) ; res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul, /*flags=*/2ul, /*mode=*/0ul); memcpy((void*)0x20000000, \"100\\000\", 4); syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul); Limitemos el valor m\u00e1ximo de dctcp_shift_g mediante param_set_uint_minmax(). Con este parche: # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g 10 # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g -bash: echo: error de escritura: argumento no v\u00e1lido [0]: UBSAN: desplazamiento fuera de los l\u00edmites en net/ipv4/tcp_dctcp.c:143:12 el exponente de desplazamiento 100 es demasiado grande para el tipo 'u32' de 32 bits (tambi\u00e9n conocido como 'int sin signo' ) CPU: 0 PID: 8083 Comm: syz-executor345 No contaminado 6.9.0-05151-g1b294a1f3561 #2 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 01/04/2014 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114 ubsan_epilogue lib/ubsan.c:231 [en l\u00ednea] __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c :468 dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143 tcp_in_ack_event net/ipv4/tcp_input.c:3802 [en l\u00ednea] tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948 v_state_process+0x57a/0x2290 neto/ ipv4/tcp_input.c:6711 tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937 sk_backlog_rcv include/net/sock.h:1106 [en l\u00ednea] __release_sock+0x20f/0x350 net/core/sock.c:2983 release_sock+ 0x61/0x1f0 net/core/sock.c:3549 mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907 mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976 __mptcp_close+0x238/0x ad0 net/mptcp/protocolo .c:3072 mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127 inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437 __sock_release net/socket.c:659 [en l\u00ednea] sock_close+0xc0/0x240 net/ socket.c:1421 __fput+0x41b/0x890 fs/file_table.c:422 task_work_run+0x23b/0x300 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [en l\u00ednea] do_exit+0x9c8/0x2540 kernel/exit .c:878 do_group_exit+0x201/0x2b0 kernel/exit.c:1027 __do_sys_exit_group kernel/exit.c:1038 [en l\u00ednea] __se_sys_exit_group kernel/exit.c:1036 [en l\u00ednea] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:10 36 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83 Entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f6c2b5005b6 C\u00f3digo: no se puede acceder a los bytes del c\u00f3digo de operaci\u00f3n en 0x7f6c2b50058c . RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6 RDX: 0000000001 RSI: 000000000000003c RDI: 0000000000000001 RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0 R10: 06 R11: 0000000000000246 R12: 00007f6c2b5862f0 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 "}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38381", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:10.757", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_rx_work\n\nsyzbot reported the following uninit-value access issue [1]\n\nnci_rx_work() parses received packet from ndev->rx_q. It should be\nvalidated header size, payload size and total packet size before\nprocessing the packet. If an invalid packet is detected, it should be\nsilently discarded."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: nfc: nci: corrigi\u00f3 el valor uninit en nci_rx_work syzbot inform\u00f3 el siguiente problema de acceso al valor uninit [1] nci_rx_work() analiza el paquete recibido de ndev->rx_q. Se debe validar el tama\u00f1o del encabezado, el tama\u00f1o del payload y el tama\u00f1o total del paquete antes de procesar el paquete. Si se detecta un paquete no v\u00e1lido, se debe descartar silenciosamente."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/017ff397624930fd7ac7f1761f3c9d6a7100f68c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/406cfac9debd4a6d3dc5d9258ee086372a8c08b6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/485ded868ed62ceb2acb3a459d7843fd71472619", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ad4d196d2008c7f413167f0a693feb4f0439d7fe", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e4a87abf588536d1cdfb128595e6e680af5cf3ed", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e53a7f8afcbd2886f2a94c5d56757328109730ea", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e8c8e0d0d214c877fbad555df5b3ed558cd9b0c3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f80b786ab0550d0020191a59077b2c7e069db2d1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38388", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:10.837", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda/cs_dsp_ctl: Use private_free for control cleanup\n\nUse the control private_free callback to free the associated data\nblock. This ensures that the memory won't leak, whatever way the\ncontrol gets destroyed.\n\nThe original implementation didn't actually remove the ALSA\ncontrols in hda_cs_dsp_control_remove(). It only freed the internal\ntracking structure. This meant it was possible to remove/unload the\namp driver while leaving its ALSA controls still present in the\nsoundcard. Obviously attempting to access them could cause segfaults\nor at least dereferencing stale pointers."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: hda/cs_dsp_ctl: use private_free para la limpieza del control. Use la devoluci\u00f3n de llamada de control private_free para liberar el bloque de datos asociado. Esto garantiza que la memoria no se pierda, sea cual sea la forma en que se destruya el control. La implementaci\u00f3n original en realidad no elimin\u00f3 los controles ALSA en hda_cs_dsp_control_remove(). S\u00f3lo liber\u00f3 la estructura de seguimiento interna. Esto significaba que era posible quitar/descargar el controlador del amplificador dejando sus controles ALSA todav\u00eda presentes en la tarjeta de sonido. Obviamente, intentar acceder a ellos podr\u00eda provocar errores de segmentaci\u00f3n o al menos eliminar la referencia a punteros obsoletos."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/172811e3a557d8681a5e2d0f871dc04a2d17eb13", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/191dc1b2ff0fb35e7aff15a53224837637df8bff", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3291486af5636540980ea55bae985f3eaa5b0740", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6e359be4975006ff72818e79dad8fe48293f2eb2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38390", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:10.913", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails\n\nCalling a6xx_destroy() before adreno_gpu_init() leads to a null pointer\ndereference on:\n\nmsm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL);\n\nas gpu->pdev is only assigned in:\n\na6xx_gpu_init()\n|_ adreno_gpu_init\n |_ msm_gpu_init()\n\nInstead of relying on handwavy null checks down the cleanup chain,\nexplicitly de-allocate the LLC data and free a6xx_gpu instead.\n\nPatchwork: https://patchwork.freedesktop.org/patch/588919/"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/msm/a6xx: evite una desreferencia de nullptr cuando falla la configuraci\u00f3n de speedbin. Llamar a a6xx_destroy() antes de adreno_gpu_init() conduce a una desreferencia de puntero nulo en: msm_gpu_cleanup() : platform_set_drvdata(gpu- >pdev, NULO); ya que gpu->pdev solo se asigna en: a6xx_gpu_init() |_ adreno_gpu_init |_ msm_gpu_init() En lugar de depender de comprobaciones nulas manuales en la cadena de limpieza, desasigne expl\u00edcitamente los datos LLC y libere a6xx_gpu en su lugar. Remiendo: https://patchwork.freedesktop.org/patch/588919/"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/247849eeb3fd88f8990ed73e33af70d5c10f9aec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/46d4efcccc688cbacdd70a238bedca510acaa8e4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/617e3d1680504a3f9d88e1582892c68be155498f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a1955a6df91355fef72a3a254700acd3cc1fec0d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38391", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.030", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Fix cxlr_pmem leaks\n\nBefore this error path, cxlr_pmem pointed to a kzalloc() memory, free\nit to avoid this memory leaking."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: cxl/region: reparar fugas de cxlr_pmem Antes de esta ruta de error, cxlr_pmem apuntaba a una memoria kzalloc(), lib\u00e9rela para evitar esta p\u00e9rdida de memoria."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1c987cf22d6b65ade46145c03eef13f0e3e81d83", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/24b9362c9fa57f9291b380a3cc77b8b5c9fa27da", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eef8d414b07a1e85c1367324fb6c6a46b79269bd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38621", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.103", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: stk1160: fix bounds checking in stk1160_copy_video()\n\nThe subtract in this condition is reversed. The ->length is the length\nof the buffer. The ->bytesused is how many bytes we have copied thus\nfar. When the condition is reversed that means the result of the\nsubtraction is always negative but since it's unsigned then the result\nis a very high positive value. That means the overflow check is never\ntrue.\n\nAdditionally, the ->bytesused doesn't actually work for this purpose\nbecause we're not writing to \"buf->mem + buf->bytesused\". Instead, the\nmath to calculate the destination where we are writing is a bit\ninvolved. You calculate the number of full lines already written,\nmultiply by two, skip a line if necessary so that we start on an odd\nnumbered line, and add the offset into the line.\n\nTo fix this buffer overflow, just take the actual destination where we\nare writing, if the offset is already out of bounds print an error and\nreturn. Otherwise, write up to buf->length bytes."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: medios: stk1160: revisi\u00f3n de los l\u00edmites fijos en stk1160_copy_video() La resta en esta condici\u00f3n se invierte. La ->longitud es la longitud del b\u00fafer. El ->byteused es cu\u00e1ntos bytes hemos copiado hasta ahora. Cuando la condici\u00f3n se invierte, eso significa que el resultado de la resta siempre es negativo, pero como no tiene signo, el resultado es un valor positivo muy alto. Eso significa que la verificaci\u00f3n de desbordamiento nunca es cierta. Adem\u00e1s, ->bytesused en realidad no funciona para este prop\u00f3sito porque no estamos escribiendo en \"buf->mem + buf->bytesused\". En cambio, las matem\u00e1ticas para calcular el destino donde estamos escribiendo son un poco complicadas. Calcula el n\u00famero de l\u00edneas completas ya escritas, multiplica por dos, omite una l\u00ednea si es necesario para comenzar en una l\u00ednea impar y agrega el desplazamiento a la l\u00ednea. Para solucionar este desbordamiento del b\u00fafer, simplemente tome el destino real donde estamos escribiendo, si el desplazamiento ya est\u00e1 fuera de los l\u00edmites imprima un error y regrese. De lo contrario, escriba hasta buf->bytes de longitud."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/7532bcec0797adfa08791301c3bcae14141db3bd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a08492832cc4cacc24e0612f483c86ca899b9261", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a16775828aaed1c54ff4e6fe83e8e4d5c6a50cb7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b504518a397059e1d55c521ba0ea2b545a6c4b52", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d410017a7181cb55e4a5c810b32b75e4416c6808", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ecf4ddc3aee8ade504c4d36b7b4053ce6093e200", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f6a392266276730bea893b55d12940e32a25f56a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/faa4364bef2ec0060de381ff028d1d836600a381", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38622", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.187", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add callback function pointer check before its call\n\nIn dpu_core_irq_callback_handler() callback function pointer is compared to NULL,\nbut then callback function is unconditionally called by this pointer.\nFix this bug by adding conditional return.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\nPatchwork: https://patchwork.freedesktop.org/patch/588237/"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/msm/dpu: agregar verificaci\u00f3n del puntero de la funci\u00f3n de devoluci\u00f3n de llamada antes de su llamada. En dpu_core_irq_callback_handler(), el puntero de la funci\u00f3n de devoluci\u00f3n de llamada se compara con NULL, pero luego este puntero llama incondicionalmente a la funci\u00f3n de devoluci\u00f3n de llamada. Corrija este error agregando devoluci\u00f3n condicional. Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con SVACE. Remiendo: https://patchwork.freedesktop.org/patch/588237/"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/530f272053a5e72243a9cb07bb1296af6c346002", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/873f67699114452c2a996c4e10faac8ff860c241", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9078630ed7f8f25d65d11823e7f2b11a8e2f4f0f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38623", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.277", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use variable length array instead of fixed size\n\nShould fix smatch warning:\n\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: fs/ntfs3: use una matriz de longitud variable en lugar de un tama\u00f1o fijo. Deber\u00eda corregirse la advertencia de coincidencia: error ntfs_set_label(): __builtin_memcpy() 'uni->name' demasiado peque\u00f1o (20 vs 256)"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1997cdc3e727526aa5d84b32f7cbb3f56459b7ef", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1fe1c9dc21ee52920629d2d9b9bd84358931a8d1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3839a9b19a4b70eff6b6ad70446f639f7fd5a3d7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a2de301d90b782ac5d7a5fe32995caaee9ab3a0f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cceef44b34819c24bb6ed70dce5b524bd3e368d1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38624", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.353", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\n\nFor example, in the expression:\n\tvbo = 2 * vbo + skip"}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: fs/ntfs3: Utilice variable de 64 bits para evitar el desbordamiento de 32 bits. Por ejemplo, en la expresi\u00f3n: vbo = 2 * vbo + skip"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/109d85a98345ee52d47c650405dc51bdd2bc7d40", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2d1ad595d15f36a925480199bf1d9ad72614210b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/847db4049f6189427ddaefcfc967d4d235b73c57", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/98db3155b54d3684ef0ab5bfa0b856d13f65843d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e931f6b630ffb22d66caab202a52aa8cbb10c649", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38625", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.430", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Check 'folio' pointer for NULL\n\nIt can be NULL if bmap is called."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fs/ntfs3: Verifique que el puntero 'folio' sea NULL. Puede ser NULL si se llama a bmap."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1cd6c96219c429ebcfa8e79a865277376c563803", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6c8054d590668629bb2eb6fb4cbf22455d08ada8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ff1068929459347f9e47f8d14c409dcf938c2641", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38626", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.517", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: clear FR_SENT when re-adding requests into pending list\n\nThe following warning was reported by lee bruce:\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 8264 at fs/fuse/dev.c:300\n fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300\n Modules linked in:\n CPU: 0 PID: 8264 Comm: ab2 Not tainted 6.9.0-rc7\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n RIP: 0010:fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300\n ......\n Call Trace:\n \n fuse_dev_do_read.constprop.0+0xd36/0x1dd0 fs/fuse/dev.c:1334\n fuse_dev_read+0x166/0x200 fs/fuse/dev.c:1367\n call_read_iter include/linux/fs.h:2104 [inline]\n new_sync_read fs/read_write.c:395 [inline]\n vfs_read+0x85b/0xba0 fs/read_write.c:476\n ksys_read+0x12f/0x260 fs/read_write.c:619\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xce/0x260 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n ......\n \n\nThe warning is due to the FUSE_NOTIFY_RESEND notify sent by the write()\nsyscall in the reproducer program and it happens as follows:\n\n(1) calls fuse_dev_read() to read the INIT request\nThe read succeeds. During the read, bit FR_SENT will be set on the\nrequest.\n(2) calls fuse_dev_write() to send an USE_NOTIFY_RESEND notify\nThe resend notify will resend all processing requests, so the INIT\nrequest is moved from processing list to pending list again.\n(3) calls fuse_dev_read() with an invalid output address\nfuse_dev_read() will try to copy the same INIT request to the output\naddress, but it will fail due to the invalid address, so the INIT\nrequest is ended and triggers the warning in fuse_request_end().\n\nFix it by clearing FR_SENT when re-adding requests into pending list."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: fusible: borre FR_SENT al volver a agregar solicitudes a la lista pendiente Lee bruce inform\u00f3 la siguiente advertencia: ------------[ cortar aqu\u00ed ]- ----------- ADVERTENCIA: CPU: 0 PID: 8264 en fs/fuse/dev.c:300 fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300 M\u00f3dulos vinculados en: CPU: 0 PID: 8264 Comm: ab2 No contaminado 6.9.0-rc7 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996) RIP: 0010:fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300 ...... Seguimiento de llamadas: fuse_dev_do_read.constprop.0+0xd36/0x1dd0 fs/fuse/dev.c:1334 fuse_dev_read+0x166/0x200 fs/fuse/dev.c:1367 call_read_iter include/linux/fs.h:2104 [en l\u00ednea ] new_sync_read fs/read_write.c:395 [en l\u00ednea] vfs_read+0x85b/0xba0 fs/read_write.c:476 ksys_read+0x12f/0x260 fs/read_write.c:619 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea ] do_syscall_64+0xce/0x260 arch/x86/entry/common.c:83 Entry_SYSCALL_64_after_hwframe+0x77/0x7f ...... La advertencia se debe a la notificaci\u00f3n FUSE_NOTIFY_RESEND enviada por la llamada al sistema write() en el reproductor programa y sucede de la siguiente manera: (1) llama a fuse_dev_read() para leer la solicitud INIT La lectura se realiza correctamente. Durante la lectura, se establecer\u00e1 el bit FR_SENT en la solicitud. (2) llama a fuse_dev_write() para enviar una notificaci\u00f3n USE_NOTIFY_RESEND. La notificaci\u00f3n de reenv\u00edo reenviar\u00e1 todas las solicitudes de procesamiento, por lo que la solicitud INIT se mueve nuevamente de la lista de procesamiento a la lista pendiente. (3) llama a fuse_dev_read() con una direcci\u00f3n de salida no v\u00e1lida. fuse_dev_read() intentar\u00e1 copiar la misma solicitud INIT a la direcci\u00f3n de salida, pero fallar\u00e1 debido a la direcci\u00f3n no v\u00e1lida, por lo que la solicitud INIT finaliza y activa la advertencia en fuse_request_end (). Solucionelo borrando FR_SENT al volver a agregar solicitudes a la lista pendiente."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/246014876d782bbf2e652267482cd2e799fb5fcd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/533070db659a9589310a743e9de14cf9d651ffaf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38627", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.583", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstm class: Fix a double free in stm_register_device()\n\nThe put_device(&stm->dev) call will trigger stm_device_release() which\nfrees \"stm\" so the vfree(stm) on the next line is a double free."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: clase stm: corrige un doble free en stm_register_device() La llamada put_device(&stm->dev) activar\u00e1 stm_device_release() que libera \"stm\" para que vfree(stm) en el La siguiente l\u00ednea es un doble libre."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/370c480410f60b90ba3e96abe73ead21ec827b20", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3df463865ba42b8f88a590326f4c9ea17a1ce459", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4bfd48bb6e62512b9c392c5002c11e1e3b18d247", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6cc30ef8eb6d8f8d6df43152264bbf8835d99931", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/713fc00c571dde4af3db2dbd5d1b0eadc327817b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7419df1acffbcc90037f6b5a2823e81389659b36", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a0450d3f38e7c6c0a7c0afd4182976ee15573695", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d782a2db8f7ac49c33b9ca3e835500a28667d1be", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38628", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.660", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.\n\nHang on to the control IDs instead of pointers since those are correctly\nhandled with locks."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: gadget: u_audio: se corrigi\u00f3 el uso de los controles en condiciones de ejecuci\u00f3n despu\u00e9s de liberarse durante la desvinculaci\u00f3n del gadget. Conserve las ID de control en lugar de los punteros, ya que se manejan correctamente con candados."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1b739388aa3f8dfb63a9fca777e6dfa6912d0464", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/453d3fa9266e53f85377b911c19b9a4563fa88c0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/89e66809684485590ea0b32c3178e42cba36ac09", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bea73b58ab67fe581037ad9cdb93c2557590c068", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38629", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.733", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Avoid unnecessary destruction of file_ida\n\nfile_ida is allocated during cdev open and is freed accordingly\nduring cdev release. This sequence is guaranteed by driver file\noperations. Therefore, there is no need to destroy an already empty\nfile_ida when the WQ cdev is removed.\n\nWorse, ida_free() in cdev release may happen after destruction of\nfile_ida per WQ cdev. This can lead to accessing an id in file_ida\nafter it has been destroyed, resulting in a kernel panic.\n\nRemove ida_destroy(&file_ida) to address these issues."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dmaengine: idxd: evita la destrucci\u00f3n innecesaria de file_ida file_ida se asigna durante la apertura de cdev y se libera en consecuencia durante el lanzamiento de cdev. Esta secuencia est\u00e1 garantizada por las operaciones del archivo del controlador. Por lo tanto, no es necesario destruir un file_ida que ya est\u00e1 vac\u00edo cuando se elimina WQ cdev. Peor a\u00fan, ida_free() en la versi\u00f3n cdev puede ocurrir despu\u00e9s de la destrucci\u00f3n de file_ida seg\u00fan WQ cdev. Esto puede llevar a acceder a una identificaci\u00f3n en file_ida despu\u00e9s de haber sido destruida, lo que resulta en un p\u00e1nico en el kernel. Elimine ida_destroy(&file_ida) para solucionar estos problemas."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/15edb906211bf53e7b5574f7326ab734d6bff4f9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/76e43fa6a456787bad31b8d0daeabda27351a480", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9eb15f24a0b9b017b39cde8b8c07243676b63687", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38630", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.810", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\n\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\nde-activate the timer. If the timer handler is running, del_timer() could\nnot stop it and will return directly. If the port region is released by\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\nto write into the region that is released, the use-after-free bug will\nhappen.\n\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\ncould be finished before the port region is released."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: watchdog: cpu5wdt.c: corrige el error de use-after-free causado por cpu5wdt_trigger Cuando se elimina el m\u00f3dulo cpu5wdt, el c\u00f3digo de origen usa del_timer() para desactivar el temporizador. Si el controlador del temporizador se est\u00e1 ejecutando, del_timer() no pudo detenerlo y regresar\u00e1 directamente. Si la regi\u00f3n del puerto es liberada por release_region() y luego el controlador del temporizador cpu5wdt_trigger() llama a outb() para escribir en la regi\u00f3n que se libera, se producir\u00e1 el error de use-after-free. Cambie del_timer() a timer_shutdown_sync() para que el controlador del temporizador pueda finalizar antes de que se libere la regi\u00f3n del puerto."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/573601521277119f2e2ba5f28ae6e87fc594f4d4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9b1c063ffc075abf56f63e55d70b9778ff534314", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f19686d616500cd0d47b30cee82392b53f7f784a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38631", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.890", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: PAC1934: fix accessing out of bounds array index\n\nFix accessing out of bounds array index for average\ncurrent and voltage measurements. The device itself has\nonly 4 channels, but in sysfs there are \"fake\"\nchannels for the average voltages and currents too."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iio: adc: PAC1934: corrige el acceso al \u00edndice de matriz fuera de los l\u00edmites. Se corrige el acceso al \u00edndice de matriz fuera de los l\u00edmites para mediciones promedio de corriente y voltaje. El dispositivo en s\u00ed tiene s\u00f3lo 4 canales, pero en sysfs tambi\u00e9n hay canales \"falsos\" para voltajes y corrientes promedio."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/51fafb3cd7fcf4f4682693b4d2883e2a5bfffe33", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8dbcb3a8cfdf8ff5afce62dad50790278ff0d3b7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38632", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:11.960", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix potential memory leak in vfio_intx_enable()\n\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: vfio/pci: corrige una posible p\u00e9rdida de memoria en vfio_intx_enable() Si falla vfio_irq_ctx_alloc(), se producir\u00e1 una p\u00e9rdida de memoria del 'nombre'."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0bd22a4966d55f1d2c127a53300d5c2b50152376", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/35fef97c33f3d3ca0455f9a8e2a3f2c1f8cc9140", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/82b951e6fbd31d85ae7f4feb5f00ddd4c5d256e2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38633", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:12.053", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Update uart_driver_registered on driver removal\n\nThe removal of the last MAX3100 device triggers the removal of\nthe driver. However, code doesn't update the respective global\nvariable and after insmod \u2014 rmmod \u2014 insmod cycle the kernel\noopses:\n\n max3100 spi-PRP0001:01: max3100_probe: adding port 0\n BUG: kernel NULL pointer dereference, address: 0000000000000408\n ...\n RIP: 0010:serial_core_register_port+0xa0/0x840\n ...\n max3100_probe+0x1b6/0x280 [max3100]\n spi_probe+0x8d/0xb0\n\nUpdate the actual state so next time UART driver will be registered\nagain.\n\nHugo also noticed, that the error path in the probe also affected\nby having the variable set, and not cleared. Instead of clearing it\nmove the assignment after the successfull uart_register_driver() call."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: serial: max3100: actualizaci\u00f3n uart_driver_registered al eliminar el controlador La eliminaci\u00f3n del \u00faltimo dispositivo MAX3100 desencadena la eliminaci\u00f3n del controlador. Sin embargo, el c\u00f3digo no actualiza la variable global respectiva y despu\u00e9s del ciclo insmod \u2014 rmmod \u2014 insmod, el kernel falla: max3100 spi-PRP0001:01: max3100_probe: agregando el puerto 0 ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000408... RIP: 0010:serial_core_register_port+0xa0/0x840 ... max3100_probe+0x1b6/0x280 [max3100] spi_probe+0x8d/0xb0 Actualice el estado actual para que la pr\u00f3xima vez el controlador UART se registre nuevamente. Hugo tambi\u00e9n not\u00f3 que la ruta de error en la sonda tambi\u00e9n se ve\u00eda afectada por tener la variable configurada y no borrada. En lugar de borrarlo, mueva la asignaci\u00f3n despu\u00e9s de la llamada exitosa a uart_register_driver()."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/21a61a7fbcfdd3493cede43ebc7c4dfae2147a8b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/361a92c9038e8c8c3996f8eeaa14522a8ad90752", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/712a1fcb38dc7cac6da63ee79a88708fbf9c45ec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9db4222ed8cd3e50b81c8b910ae74c26427a4003", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b6eb7aff23e05f362e8c9b560f6ac5e727b70e00", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e8a10089eddba40d4b2080c9d3fc2d2b2488f762", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e8e2a4339decad7e59425b594a98613402652d72", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fa84ca78b048dfb00df0ef446f5c35e0a98ca6a0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38634", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:12.160", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\n\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\n\n WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n ...\n Workqueue: max3100-0 max3100_work [max3100]\n RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n ...\n max3100_handlerx+0xc5/0x110 [max3100]\n max3100_work+0x12a/0x340 [max3100]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: serial: max3100: Bloquear puerto->bloquear al llamar a uart_handle_cts_change() uart_handle_cts_change() debe llamarse con el bloqueo de puerto tomado. Dado que lo ejecutamos en un trabajo separado, el bloqueo puede No se tomar\u00e1 en el momento de correr. Aseg\u00farese de que se tome haci\u00e9ndolo expl\u00edcitamente. Sin \u00e9l, tenemos un s\u00edmbolo: ADVERTENCIA: CPU: 0 PID: 10 en drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 ... Workqueue: max3100-0 max3100_work [max3100] RIP: 0010:uart_handle_cts_change+ 0xa6/0xb0 ... max3100_handlerx+0xc5/0x110 [max3100] max3100_work+0x12a/0x340 [max3100]"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/44b38924135d2093e2ec1812969464845dd66dc9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/77ab53371a2066fdf9b895246505f5ef5a4b5d47", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/78dbda51bb4241b88a52d71620f06231a341f9ba", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8296bb9e5925b6634259c5d4daee88f0cc0884ec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/865b30c8661924ee9145f442bf32cea549faa869", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/93df2fba6c7dfa9a2f08546ea9a5ca4728758458", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cc121e3722a0a2c8f716ef991e5425b180a5fb94", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ea9b35372b58ac2931bfc1d5bc25e839d1221e30", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38635", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:12.240", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: cadence: fix invalid PDI offset\n\nFor some reason, we add an offset to the PDI, presumably to skip the\nPDI0 and PDI1 which are reserved for BPT.\n\nThis code is however completely wrong and leads to an out-of-bounds\naccess. We were just lucky so far since we used only a couple of PDIs\nand remained within the PDI array bounds.\n\nA Fixes: tag is not provided since there are no known platforms where\nthe out-of-bounds would be accessed, and the initial code had problems\nas well.\n\nA follow-up patch completely removes this useless offset."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: soundwire: cadencia: corrige el desplazamiento de PDI no v\u00e1lido. Por alguna raz\u00f3n, agregamos un desplazamiento al PDI, presumiblemente para omitir el PDI0 y el PDI1 que est\u00e1n reservados para BPT. Sin embargo, este c\u00f3digo es completamente err\u00f3neo y conduce a un acceso fuera de los l\u00edmites. Hasta ahora tuvimos suerte ya que solo usamos un par de PDI y nos mantuvimos dentro de los l\u00edmites de la matriz de PDI. No se proporciona una etiqueta de Correcciones: ya que no hay plataformas conocidas donde se pueda acceder a los l\u00edmites, y el c\u00f3digo inicial tambi\u00e9n ten\u00eda problemas. Un parche de seguimiento elimina por completo esta compensaci\u00f3n in\u00fatil."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/002364b2d594a9afc0385c09e00994c510b1d089", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2ebcaa0e5db9b6044bb487ae1cf41bc601761567", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4e99103f757cdf636c6ee860994a19a346a11785", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7eeef1e935d23db5265233d92395bd5c648a4021", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8ee1b439b1540ae543149b15a2a61b9dff937d91", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/902f6d656441a511ac25c6cffce74496db10a078", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fd4bcb991ebaf0d1813d81d9983cfa99f9ef5328", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38636", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:12.317", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: multidev: fix to recognize valid zero block address\n\nAs reported by Yi Zhang in mailing list [1], kernel warning was catched\nduring zbd/010 test as below:\n\n./check zbd/010\nzbd/010 (test gap zone support with F2FS) [failed]\n runtime ... 3.752s\n something found in dmesg:\n [ 4378.146781] run blktests zbd/010 at 2024-02-18 11:31:13\n [ 4378.192349] null_blk: module loaded\n [ 4378.209860] null_blk: disk nullb0 created\n [ 4378.413285] scsi_debug:sdebug_driver_probe: scsi_debug: trim\npoll_queues to 0. poll_q/nr_hw = (0/1)\n [ 4378.422334] scsi host15: scsi_debug: version 0191 [20210520]\n dev_size_mb=1024, opts=0x0, submit_queues=1, statistics=0\n [ 4378.434922] scsi 15:0:0:0: Direct-Access-ZBC Linux\nscsi_debug 0191 PQ: 0 ANSI: 7\n [ 4378.443343] scsi 15:0:0:0: Power-on or device reset occurred\n [ 4378.449371] sd 15:0:0:0: Attached scsi generic sg5 type 20\n [ 4378.449418] sd 15:0:0:0: [sdf] Host-managed zoned block device\n ...\n (See '/mnt/tests/gitlab.com/api/v4/projects/19168116/repository/archive.zip/storage/blktests/blk/blktests/results/nodev/zbd/010.dmesg'\n\nWARNING: CPU: 22 PID: 44011 at fs/iomap/iter.c:51\nCPU: 22 PID: 44011 Comm: fio Not tainted 6.8.0-rc3+ #1\nRIP: 0010:iomap_iter+0x32b/0x350\nCall Trace:\n \n __iomap_dio_rw+0x1df/0x830\n f2fs_file_read_iter+0x156/0x3d0 [f2fs]\n aio_read+0x138/0x210\n io_submit_one+0x188/0x8c0\n __x64_sys_io_submit+0x8c/0x1a0\n do_syscall_64+0x86/0x170\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nShinichiro Kawasaki helps to analyse this issue and proposes a potential\nfixing patch in [2].\n\nQuoted from reply of Shinichiro Kawasaki:\n\n\"I confirmed that the trigger commit is dbf8e63f48af as Yi reported. I took a\nlook in the commit, but it looks fine to me. So I thought the cause is not\nin the commit diff.\n\nI found the WARN is printed when the f2fs is set up with multiple devices,\nand read requests are mapped to the very first block of the second device in the\ndirect read path. In this case, f2fs_map_blocks() and f2fs_map_blocks_cached()\nmodify map->m_pblk as the physical block address from each block device. It\nbecomes zero when it is mapped to the first block of the device. However,\nf2fs_iomap_begin() assumes that map->m_pblk is the physical block address of the\nwhole f2fs, across the all block devices. It compares map->m_pblk against\nNULL_ADDR == 0, then go into the unexpected branch and sets the invalid\niomap->length. The WARN catches the invalid iomap->length.\n\nThis WARN is printed even for non-zoned block devices, by following steps.\n\n - Create two (non-zoned) null_blk devices memory backed with 128MB size each:\n nullb0 and nullb1.\n # mkfs.f2fs /dev/nullb0 -c /dev/nullb1\n # mount -t f2fs /dev/nullb0 \"${mount_dir}\"\n # dd if=/dev/zero of=\"${mount_dir}/test.dat\" bs=1M count=192\n # dd if=\"${mount_dir}/test.dat\" of=/dev/null bs=1M count=192 iflag=direct\n\n...\"\n\nSo, the root cause of this issue is: when multi-devices feature is on,\nf2fs_map_blocks() may return zero blkaddr in non-primary device, which is\na verified valid block address, however, f2fs_iomap_begin() treats it as\nan invalid block address, and then it triggers the warning in iomap\nframework code.\n\nFinally, as discussed, we decide to use a more simple and direct way that\nchecking (map.m_flags & F2FS_MAP_MAPPED) condition instead of\n(map.m_pblk != NULL_ADDR) to fix this issue.\n\nThanks a lot for the effort of Yi Zhang and Shinichiro Kawasaki on this\nissue.\n\n[1] https://lore.kernel.org/linux-f2fs-devel/CAHj4cs-kfojYC9i0G73PRkYzcxCTex=-vugRFeP40g_URGvnfQ@mail.gmail.com/\n[2] https://lore.kernel.org/linux-f2fs-devel/gngdj77k4picagsfdtiaa7gpgnup6fsgwzsltx6milmhegmjff@iax2n4wvrqye/"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: f2fs: multidev: correcci\u00f3n para reconocer una direcci\u00f3n de bloque cero v\u00e1lida. Seg\u00fan lo informado por Yi Zhang en la lista de correo [1], se detect\u00f3 una advertencia del kernel durante la prueba zbd/010 como se muestra a continuaci\u00f3n: ./check zbd/010 zbd/010 (probar soporte de zona de brecha con F2FS) [fall\u00f3] tiempo de ejecuci\u00f3n... 3.752s algo encontrado en dmesg: [4378.146781] ejecutar blktests zbd/010 en 2024-02-18 11:31:13 [4378.192349] null_blk: m\u00f3dulo cargado [4378.209860] null_blk: disco nullb0 creado [4378.413285] scsi_debug:sdebug_driver_probe: scsi_debug: recortar poll_queues a 0. poll_q/nr_hw = (0/1) [4378.422334] scsi host15: scsi_debug: versi\u00f3n 019 1 [20210520] dev_size_mb= 1024, opciones = 0x0, enviar_colas = 1, estad\u00edsticas = 0 [4378.434922] scsi 15:0:0:0: Acceso directo-ZBC Linux scsi_debug 0191 PQ: 0 ANSI: 7 [4378.443343] scsi 15:0:0:0 : Se produjo el encendido o el restablecimiento del dispositivo [ 4378.449371] sd 15:0:0:0: SCSI gen\u00e9rico sg5 tipo 20 adjunto [ 4378.449418] sd 15:0:0:0: [sdf] Dispositivo de bloqueo de zonas administrado por host... (Consulte '/mnt/tests/gitlab.com/api/v4/projects/19168116/repository/archive.zip/storage/blktests/blk/blktests/results/nodev/zbd/010.dmesg' ADVERTENCIA: CPU: 22 PID : 44011 en fs/iomap/iter.c:51 CPU: 22 PID: 44011 Comm: fio No contaminado 6.8.0-rc3+ #1 RIP: 0010:iomap_iter+0x32b/0x350 Seguimiento de llamadas: __iomap_dio_rw+0x1df/0x830 f2fs_file_read_iter+0x156/0x3d0 [f2fs] aio_read+0x138/0x210 io_submit_one+0x188/0x8c0 __x64_sys_io_submit+0x8c/0x1a0 do_syscall_64+0x86/0x170 Entry_SYSCALL_64_after_hwframe +0x6e/0x76 Shinichiro Kawasaki ayuda a analizar este problema y propone un posible parche de soluci\u00f3n en [2] . Citado de la respuesta de Shinichiro Kawasaki: \"Confirm\u00e9 que el commit desencadenante es dbf8e63f48af como inform\u00f3 Yi. Ech\u00e9 un vistazo al compromiso, pero me parece bien. As\u00ed que pens\u00e9 que la causa no est\u00e1 en la diferencia de compromiso. Encontr\u00e9 el WARN se imprime cuando f2fs est\u00e1 configurado con m\u00faltiples dispositivos y las solicitudes de lectura se asignan al primer bloque del segundo dispositivo en la ruta de lectura directa. En este caso, f2fs_map_blocks() y f2fs_map_blocks_cached() modifican map->m_pblk como. la direcci\u00f3n del bloque f\u00edsico de cada dispositivo de bloque se vuelve cero cuando se asigna al primer bloque del dispositivo. Sin embargo, f2fs_iomap_begin() asume que map->m_pblk es la direcci\u00f3n del bloque f\u00edsico de todo el f2fs, en todos los dispositivos de bloque. Compara map->m_pblk con NULL_ADDR == 0, luego ingresa a la rama inesperada y establece la longitud iomap-> no v\u00e1lida. La ADVERTENCIA detecta la longitud iomap-> no v\u00e1lida. Esta ADVERTENCIA se imprime incluso para dispositivos de bloque no zonificados. siguiendo los siguientes pasos: - Cree dos dispositivos null_blk con memoria respaldada con un tama\u00f1o de 128 MB cada uno: nullb0 y nullb1. # mkfs.f2fs /dev/nullb0 -c /dev/nullb1 # mount -t f2fs /dev/nullb0 \"${mount_dir}\" # dd if=/dev/zero of=\"${mount_dir}/test.dat\" bs =1M count=192 # dd if=\"${mount_dir}/test.dat\" of=/dev/null bs=1M count=192 iflag=direct ...\" Entonces, la causa principal de este problema es: cuando -la funci\u00f3n de dispositivos est\u00e1 activada, f2fs_map_blocks() puede devolver cero blkaddr en un dispositivo no principal, que es una direcci\u00f3n de bloque v\u00e1lida verificada; sin embargo, f2fs_iomap_begin() la trata como una direcci\u00f3n de bloque no v\u00e1lida y luego activa la advertencia en el c\u00f3digo del marco iomap Finalmente, como se mencion\u00f3, decidimos utilizar una forma m\u00e1s simple y directa que verificar la condici\u00f3n (map.m_flags & F2FS_MAP_MAPPED) en lugar de (map.m_pblk! = NULL_ADDR) para solucionar este problema. y Shinichiro Kawasaki sobre este tema [1] https://lore.kernel.org/linux-f2fs-devel/CAHj4cs-kfojYC9i0G73PRkYzcxCTex=-vugRFeP40g_URGvnfQ@mail.gmail.com/ [2] https://lore.kernel. org/linux-f2fs-devel/gngdj77k4picagsfdtiaa7gpgnup6fsgwzsltx6milmhegmjff@iax2n4wvrqye/"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1a9225fdd0ec95fcf32936bcea9ceef0cf1512dc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2b2611a42462c6c685d40b5f3aedcd8d21c27065", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/33e62cd7b4c281cd737c62e5d8c4f0e602a8c5c5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e8b485e39b4d17afa9a2821fc778d5a67abfc03a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38637", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:12.400", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: lights: check return of get_channel_from_mode\n\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\n\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: greybus: luces: verificar el retorno de get_channel_from_mode Si no se encuentra el canal para el nodo dado, devolvemos nulo de get_channel_from_mode. Aseg\u00farese de validar el puntero de retorno antes de usarlo en dos de los lugares que faltan. Esto se inform\u00f3 originalmente en [0]: Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con SVACE. [0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/330f6bcdcef03f70f81db5f2ed6747af656a09f2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/518e2c46b5dbce40b1aa0100001d03c3ceaa7d38", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/895cdd9aa9546523df839f9cc1488a0ecc1e0731", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8f4a76d477f0cc3c54d512f07f6f88c8e1c1e07b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9b41a9b9c8be8c552f10633453fdb509e83b66f8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a1ba19a1ae7cd1e324685ded4ab563e78fe68648", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e2c64246e5dc8c0d35ec41770b85e2b4cafdff21", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eac10cf3a97ffd4b4deb0a29f57c118225a42850", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38659", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T11:15:12.480", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nenic: Validate length of nl attributes in enic_set_vf_port\n\nenic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE\nis of length PORT_PROFILE_MAX and that the nl attributes\nIFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.\nThese attributes are validated (in the function do_setlink in rtnetlink.c)\nusing the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE\nas NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and\nIFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation\nusing the policy is for the max size of the attributes and not on exact\nsize so the length of these attributes might be less than the sizes that\nenic_set_vf_port expects. This might cause an out of bands\nread access in the memcpys of the data of these\nattributes in enic_set_vf_port."}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: enic: Validar la longitud de los atributos nl en enic_set_vf_port enic_set_vf_port supone que el atributo nl IFLA_PORT_PROFILE tiene una longitud PORT_PROFILE_MAX y que los atributos nl IFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID tienen una longitud PORT_UUID_MAX. Estos atributos se validan (en la funci\u00f3n do_setlink en rtnetlink.c) usando nla_policy ifla_port_policy. La pol\u00edtica define IFLA_PORT_PROFILE como NLA_STRING, IFLA_PORT_INSTANCE_UUID como NLA_BINARY e IFLA_PORT_HOST_UUID como NLA_STRING. Eso significa que la validaci\u00f3n de longitud que utiliza la pol\u00edtica es para el tama\u00f1o m\u00e1ximo de los atributos y no para el tama\u00f1o exacto, por lo que la longitud de estos atributos puede ser menor que los tama\u00f1os que espera enic_set_vf_port. Esto podr\u00eda causar un acceso de lectura fuera de banda en los memcpys de los datos de estos atributos en enic_set_vf_port."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/25571a12fbc8a1283bd8380d461267956fd426f7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2b649d7e0cb42a660f0260ef25fd55fdc9c6c600", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3c0d36972edbe56fcf98899622d9b90ac9965227", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7077c22f84f41974a711604a42fd0e0684232ee5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aee1955a1509a921c05c70dad5d6fc8563dfcb31", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ca63fb7af9d3e531aa25f7ae187bfc6c7166ec2d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e8021b94b0412c37bcc79027c2e382086b6ce449", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f6638e955ca00c489894789492776842e102af9c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-3036", "sourceIdentifier": "cybersecurity@ch.abb.com", "published": "2024-06-21T11:15:12.553", "lastModified": "2024-06-21T11:22:01.687", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in ABB 800xA Base.\nAn attacker who successfully exploited this \nvulnerability could cause services to crash by sending specifically crafted messages.\nThis issue affects 800xA Base: from 6.0.0 through 6.1.1-2."}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en ABB 800xA Base. Un atacante que aprovechara con \u00e9xito esta vulnerabilidad podr\u00eda provocar que los servicios fallaran al enviar mensajes espec\u00edficamente dise\u00f1ados. Este problema afecta a 800xA Base: desde 6.0.0 hasta 6.1.1-2."}], "metrics": {"cvssMetricV31": [{"source": "cybersecurity@ch.abb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "cybersecurity@ch.abb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=7PAA013309&LanguageCode=en&DocumentPartId=&Action=Launch", "source": "cybersecurity@ch.abb.com"}]}}, {"cve": {"id": "CVE-2024-34777", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T12:15:10.157", "lastModified": "2024-06-21T15:58:51.410", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: fix node id validation\n\nWhile validating node ids in map_benchmark_ioctl(), node_possible() may\nbe provided with invalid argument outside of [0,MAX_NUMNODES-1] range\nleading to:\n\nBUG: KASAN: wild-memory-access in map_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\nRead of size 8 at addr 1fffffff8ccb6398 by task dma_map_benchma/971\nCPU: 7 PID: 971 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #37\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117)\nkasan_report (mm/kasan/report.c:603)\nkasan_check_range (mm/kasan/generic.c:189)\nvariable_test_bit (arch/x86/include/asm/bitops.h:227) [inline]\narch_test_bit (arch/x86/include/asm/bitops.h:239) [inline]\n_test_bit at (include/asm-generic/bitops/instrumented-non-atomic.h:142) [inline]\nnode_state (include/linux/nodemask.h:423) [inline]\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:214)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nCompare node ids with sane bounds first. NUMA_NO_NODE is considered a\nspecial valid case meaning that benchmarking kthreads won't be bound to a\ncpuset of a given node.\n\nFound by Linux Verification Center (linuxtesting.org)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dma-mapping: benchmark: corregir la validaci\u00f3n de ID de nodo Al validar los ID de nodo en map_benchmark_ioctl(), node_possible() puede recibir un argumento no v\u00e1lido fuera del rango [0,MAX_NUMNODES-1]. lo que lleva a: ERROR: KASAN: acceso a memoria salvaje en map_benchmark_ioctl (kernel/dma/map_benchmark.c:214) Lectura de tama\u00f1o 8 en la direcci\u00f3n 1fffffff8ccb6398 por tarea dma_map_benchma/971 CPU: 7 PID: 971 Comm: dma_map_benchma No contaminado 6.9. 0-rc6 #37 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996) Seguimiento de llamadas: dump_stack_lvl (lib/dump_stack.c:117) kasan_report (mm/kasan/report.c:603) kasan_check_range (mm/ kasan/generic.c:189) variable_test_bit (arch/x86/include/asm/bitops.h:227) [en l\u00ednea] arch_test_bit (arch/x86/include/asm/bitops.h:239) [en l\u00ednea] _test_bit en (incluir /asm-generic/bitops/instrumented-non-atomic.h:142) [en l\u00ednea] node_state (include/linux/nodemask.h:423) [en l\u00ednea] map_benchmark_ioctl (kernel/dma/map_benchmark.c:214) full_proxy_unlocked_ioctl (fs /debugfs/file.c:333) __x64_sys_ioctl (fs/ioctl.c:890) do_syscall_64 (arch/x86/entry/common.c:83) Entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Comparar ID de nodo con l\u00edmites cuerdos primero. NUMA_NO_NODE se considera un caso v\u00e1lido especial, lo que significa que los kthreads de evaluaci\u00f3n comparativa no estar\u00e1n vinculados a un cpuset de un nodo determinado. Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org)."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1ff05e723f7ca30644b8ec3fb093f16312e408ad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/34a816d8735f3924b74be8e5bf766ade1f3bd10b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/35d31c8bd4722b107f5a2f5ddddce839de04b936", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/63e7e05a48a35308aeddd7ecccb68363a5988e87", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c57874265a3c5206d7aece3793bb2fc9abcd7570", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-35769", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T12:15:10.250", "lastModified": "2024-06-24T18:45:09.447", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in John West Slideshow SE allows Stored XSS.This issue affects Slideshow SE: from n/a through 2.5.17."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en John West Slideshow SE permite XSS Almacenado. Este problema afecta a Slideshow SE: desde n/a hasta 2.5.17."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:slideshow_se_project:slideshow_se:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "2.5.17", "matchCriteriaId": "76A01BFC-CB20-4215-ABB4-9DBBB7E070F0"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/slideshow-se/wordpress-slideshow-se-plugin-2-5-17-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35774", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T12:15:10.500", "lastModified": "2024-06-24T18:43:57.633", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in D\u2019arteweb DImage 360 allows Stored XSS.This issue affects DImage 360: from n/a through 2.0."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en D'arteweb DImage 360 permite XSS Almacenado. Este problema afecta a DImage 360: desde n/a hasta 2.0."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:darteweb:dimage_360:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "2.0", "matchCriteriaId": "96710C7D-9508-4744-8B70-70D12D37A473"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/dimage-360/wordpress-dimage-360-plugin-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35779", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T12:15:10.747", "lastModified": "2024-06-24T18:40:26.157", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through 1.5.42."}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en Live Composer Team Page Builder: Live Composer permite XSS Almacenado. Este problema afecta a Page Builder: Live Composer: desde n/a hasta 1.5.42."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:livecomposerplugin:live-composer-page-builder:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "1.5.42", "matchCriteriaId": "253CA218-7FC5-4515-9C35-4FC8B7E4E923"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/live-composer-page-builder/wordpress-page-builder-live-composer-plugin-1-5-42-contributor-shortcode-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-36288", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T12:15:10.967", "lastModified": "2024-06-24T18:39:00.683", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix loop termination condition in gss_free_in_token_pages()\n\nThe in_token->pages[] array is not NULL terminated. This results in\nthe following KASAN splat:\n\n KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f]"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: SUNRPC: corrigi\u00f3 la condici\u00f3n de terminaci\u00f3n del bucle en gss_free_in_token_pages() La matriz in_token->pages[] no tiene terminaci\u00f3n NULL. Esto da como resultado el siguiente s\u00edmbolo KASAN: KASAN: quiz\u00e1s acceso a memoria salvaje en el rango [0x04a2013400000008-0x04a201340000000f]"}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-835"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.9.4", "matchCriteriaId": "329978FD-8C0A-434C-8A41-06341C7675F9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C40DD2D9-90E3-4E95-9F1A-E7C680F11F2A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0a1cb0c6102bb4fd310243588d39461da49497ad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/4a77c3dead97339478c7422eb07bf4bf63577008", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/4cefcd0af7458bdeff56a9d8dfc6868ce23d128a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/57ff6c0a175930856213b2aa39f8c845a53e5b1c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/6ed45d20d30005bed94c8c527ce51d5ad8121018", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/af628d43a822b78ad8d4a58d8259f8bf8bc71115", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/b4878ea99f2b40ef1925720b1b4ca7f4af1ba785", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/f9977e4e0cd98a5f06f2492b4f3547db58deabf5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}]}}, {"cve": {"id": "CVE-2024-36477", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T12:15:11.040", "lastModified": "2024-06-24T18:38:40.737", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer\n\nThe TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the\nmaximum transfer length and the size of the transfer buffer. As such, it\ndoes not account for the 4 bytes of header that prepends the SPI data\nframe. This can result in out-of-bounds accesses and was confirmed with\nKASAN.\n\nIntroduce SPI_HDRSIZE to account for the header and use to allocate the\ntransfer buffer."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tpm_tis_spi: Cuenta para el encabezado SPI al asignar el b\u00fafer de transferencia TPM SPI El mecanismo de transferencia TPM SPI utiliza MAX_SPI_FRAMESIZE para calcular la longitud m\u00e1xima de transferencia y el tama\u00f1o del b\u00fafer de transferencia. Como tal, no tiene en cuenta los 4 bytes del encabezado que antepone el marco de datos SPI. Esto puede resultar en accesos fuera de los l\u00edmites y fue confirmado con KASAN. Introduzca SPI_HDRSIZE para tener en cuenta el encabezado y util\u00edcelo para asignar el b\u00fafer de transferencia."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.0", "matchCriteriaId": "FF299551-1C36-496E-820D-BB75E2D6E5C7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.1", "versionEndExcluding": "6.6.33", "matchCriteriaId": "6277DEEA-F81C-4E0A-A6D8-AC6163A00A7D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.9.4", "matchCriteriaId": "A500F935-F0ED-4DC7-AD02-9D7C365D13AE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C40DD2D9-90E3-4E95-9F1A-E7C680F11F2A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1547183852dcdfcc25878db7dd3620509217b0cd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/195aba96b854dd664768f382cd1db375d8181f88", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/de13c56f99477b56980c7e00b09c776d16b7563d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}]}}, {"cve": {"id": "CVE-2024-36481", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T12:15:11.110", "lastModified": "2024-06-24T18:35:33.157", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/probes: fix error check in parse_btf_field()\n\nbtf_find_struct_member() might return NULL or an error via the\nERR_PTR() macro. However, its caller in parse_btf_field() only checks\nfor the NULL condition. Fix this by using IS_ERR() and returning the\nerror up the stack."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rastreo/sondas: correcci\u00f3n de verificaci\u00f3n de errores en parse_btf_field() btf_find_struct_member() puede devolver NULL o un error a trav\u00e9s de la macro ERR_PTR(). Sin embargo, su llamador en parse_btf_field() solo verifica la condici\u00f3n NULL. Solucione este problema usando IS_ERR() y devolviendo el error en la pila."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "matchCriteriaId": "9D42A7C6-CE38-4D73-B7AC-615F6D53F783"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.1", "versionEndExcluding": "6.6.33", "matchCriteriaId": "6277DEEA-F81C-4E0A-A6D8-AC6163A00A7D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.9.4", "matchCriteriaId": "A500F935-F0ED-4DC7-AD02-9D7C365D13AE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C40DD2D9-90E3-4E95-9F1A-E7C680F11F2A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4ed468edfeb54c7202e559eba74c25fac6a0dad0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/ad4b202da2c498fefb69e5d87f67b946e7fe1e6a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/e569eb34970281438e2b48a3ef11c87459fcfbcb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}]}}, {"cve": {"id": "CVE-2024-38662", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T12:15:11.180", "lastModified": "2024-06-24T18:34:17.547", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Allow delete from sockmap/sockhash only if update is allowed\n\nWe have seen an influx of syzkaller reports where a BPF program attached to\na tracepoint triggers a locking rule violation by performing a map_delete\non a sockmap/sockhash.\n\nWe don't intend to support this artificial use scenario. Extend the\nexisting verifier allowed-program-type check for updating sockmap/sockhash\nto also cover deleting from a map.\n\nFrom now on only BPF programs which were previously allowed to update\nsockmap/sockhash can delete from these map types."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf: permitir la eliminaci\u00f3n de sockmap/sockhash solo si se permite la actualizaci\u00f3n. Hemos visto una afluencia de informes de syzkaller donde un programa BPF adjunto a un punto de seguimiento desencadena una violaci\u00f3n de la regla de bloqueo al realizar un map_delete en un mapa de calcetines/sockhash. No pretendemos apoyar este escenario de uso artificial. Ampl\u00ede la verificaci\u00f3n de tipo de programa permitido del verificador existente para actualizar sockmap/sockhash para cubrir tambi\u00e9n la eliminaci\u00f3n de un mapa. De ahora en adelante, s\u00f3lo los programas BPF a los que anteriormente se les permit\u00eda actualizar sockmap/sockhash pueden eliminar de estos tipos de mapas."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "5.10.219", "matchCriteriaId": "5311C980-4CDF-4C10-8875-F04ED0F03398"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.161", "matchCriteriaId": "E2AB5A01-EFFD-4A24-8CCB-4A016C8C4BB3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.93", "matchCriteriaId": "7446FC33-DC4F-4D31-94B5-FB577CFA66F4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.33", "matchCriteriaId": "53BC60D9-65A5-4D8F-96C8-149F09214DBD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.9.4", "matchCriteriaId": "A500F935-F0ED-4DC7-AD02-9D7C365D13AE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C40DD2D9-90E3-4E95-9F1A-E7C680F11F2A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/000a65bf1dc04fb2b65e2abf116f0bc0fc2ee7b1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/11e8ecc5b86037fec43d07b1c162e233e131b1d9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/29467edc23818dc5a33042ffb4920b49b090e63d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/6693b172f008846811f48a099f33effc26068e1e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/b81e1c5a3c70398cf76631ede63a03616ed1ba3c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}]}}, {"cve": {"id": "CVE-2024-38780", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T12:15:11.253", "lastModified": "2024-06-24T19:17:28.313", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\n\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\n\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dma-buf/sw-sync: no habilitar IRQ desde sync_print_obj() Desde el commit a6aa8fca4d79 (\"dma-buf/sw-sync: reducir irqsave/irqrestore desde el contexto conocido\" ) por error reemplaz\u00f3 spin_unlock_irqrestore() con spin_unlock_irq() tanto para sync_debugfs_show() como para sync_print_obj() a pesar de que sync_print_obj() se llama desde sync_debugfs_show(), lockdep se queja de una advertencia de estado de bloqueo inconsistente. Utilice spin_{lock,unlock}() simple para sync_print_obj(), ya que sync_debugfs_show() ya est\u00e1 usando spin_{lock,unlock}_irq()."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-667"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14", "matchCriteriaId": "B315D019-A13E-4F3D-A112-34814763334F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "4.19.316", "matchCriteriaId": "34445C8D-D7E6-4796-B792-C9257E89257B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "5.4.278", "matchCriteriaId": "8E2371B0-4787-4038-B526-021D4CF93B31"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "5.10.219", "matchCriteriaId": "5311C980-4CDF-4C10-8875-F04ED0F03398"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.161", "matchCriteriaId": "E2AB5A01-EFFD-4A24-8CCB-4A016C8C4BB3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.93", "matchCriteriaId": "7446FC33-DC4F-4D31-94B5-FB577CFA66F4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.33", "matchCriteriaId": "53BC60D9-65A5-4D8F-96C8-149F09214DBD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.9.4", "matchCriteriaId": "A500F935-F0ED-4DC7-AD02-9D7C365D13AE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C40DD2D9-90E3-4E95-9F1A-E7C680F11F2A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/165b25e3ee9333f7b04f8db43895beacb51582ed", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/1ff116f68560a25656933d5a18e7619cb6773d8a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/242b30466879e6defa521573c27e12018276c33a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/8a283cdfc8beeb14024387a925247b563d614e1e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/9d75fab2c14a25553a1664586ed122c316bd1878", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/a4ee78244445ab73af22bfc5a5fc543963b25aef", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/ae6fc4e6a3322f6d1c8ff59150d8469487a73dd8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/b794918961516f667b0c745aebdfebbb8a98df39", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}]}}, {"cve": {"id": "CVE-2024-39277", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-21T12:15:11.330", "lastModified": "2024-06-24T19:17:48.380", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: handle NUMA_NO_NODE correctly\n\ncpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()\nresulting in the following sanitizer report:\n\nUBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28\nindex -1 is out of range for type 'cpumask [64][1]'\nCPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117)\nubsan_epilogue (lib/ubsan.c:232)\n__ubsan_handle_out_of_bounds (lib/ubsan.c:429)\ncpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]\ndo_map_benchmark (kernel/dma/map_benchmark.c:104)\nmap_benchmark_ioctl (kernel/dma/map_benchmark.c:246)\nfull_proxy_unlocked_ioctl (fs/debugfs/file.c:333)\n__x64_sys_ioctl (fs/ioctl.c:890)\ndo_syscall_64 (arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nUse cpumask_of_node() in place when binding a kernel thread to a cpuset\nof a particular node.\n\nNote that the provided node id is checked inside map_benchmark_ioctl().\nIt's just a NUMA_NO_NODE case which is not handled properly later.\n\nFound by Linux Verification Center (linuxtesting.org)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dma-mapping: benchmark: maneja NUMA_NO_NODE correctamente. Se puede llamar a cpumask_of_node() para NUMA_NO_NODE dentro de do_map_benchmark(), lo que genera el siguiente informe de sanitizaci\u00f3n: UBSAN: array-index-out-of- Los l\u00edmites en ./arch/x86/include/asm/topology.h:72:28 el \u00edndice -1 est\u00e1n fuera del rango para el tipo 'cpumask [64][1]' CPU: 1 PID: 990 Comm: dma_map_benchma No contaminado 6.9. 0-rc6 #29 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996) Seguimiento de llamadas: dump_stack_lvl (lib/dump_stack.c:117) ubsan_epilogue (lib/ubsan.c:232) __ubsan_handle_out_of_bounds (lib/ubsan. c:429) cpumask_of_node (arch/x86/include/asm/topology.h:72) [en l\u00ednea] do_map_benchmark (kernel/dma/map_benchmark.c:104) map_benchmark_ioctl (kernel/dma/map_benchmark.c:246) full_proxy_unlocked_ioctl (fs /debugfs/file.c:333) __x64_sys_ioctl (fs/ioctl.c:890) do_syscall_64 (arch/x86/entry/common.c:83) Entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Utilice cpumask_of_node( ) en su lugar al vincular un subproceso del kernel a un cpuset de un nodo en particular. Tenga en cuenta que la identificaci\u00f3n del nodo proporcionada se verifica dentro de map_benchmark_ioctl(). Es s\u00f3lo un caso NUMA_NO_NODE que no se maneja adecuadamente m\u00e1s adelante. Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org)."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.11", "matchCriteriaId": "89EC14A5-9B15-472C-A870-D93968B329AD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.161", "matchCriteriaId": "E2AB5A01-EFFD-4A24-8CCB-4A016C8C4BB3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.93", "matchCriteriaId": "7446FC33-DC4F-4D31-94B5-FB577CFA66F4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.33", "matchCriteriaId": "53BC60D9-65A5-4D8F-96C8-149F09214DBD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.9.4", "matchCriteriaId": "A500F935-F0ED-4DC7-AD02-9D7C365D13AE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C40DD2D9-90E3-4E95-9F1A-E7C680F11F2A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/50ee21bfc005e69f183d6b4b454e33f0c2571e1f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/5a91116b003175302f2e6ad94b76fb9b5a141a41", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/8e1ba9df9a35e8dc64f657a64e523c79ba01e464", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/b41b0018e8ca06e985e87220a618ec633988fd13", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/e64746e74f717961250a155e14c156616fcd981f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}]}}, {"cve": {"id": "CVE-2024-5058", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T12:15:11.443", "lastModified": "2024-06-24T19:18:35.517", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper Typing Text allows Stored XSS.This issue affects Typing Text: from n/a through 1.2.5."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en WPDeveloper Typing Text permite XSS Almacenado. Este problema afecta a Typing Text: desde n/a hasta 1.2.5."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wpdeveloper:typing_text:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.2.6", "matchCriteriaId": "3AEBE339-1429-45D5-80F6-6FC12D86000D"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/typing-text/wordpress-typing-text-plugin-1-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35757", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:09.250", "lastModified": "2024-06-24T19:19:01.097", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in 5 Star Plugins Easy Age Verify allows Stored XSS.This issue affects Easy Age Verify: from n/a through 1.8.2."}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en los complementos de 5 estrellas Easy Age Verify permite XSS Almacenado. Este problema afecta a Easy Age Verify: desde n/a hasta 1.8.2."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:5starplugins:easy_age_verify:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.8.3", "matchCriteriaId": "A7F5928C-A982-4A70-9E7D-07C5F6FE1C0C"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/easy-age-verify/wordpress-easy-age-verify-plugin-1-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35758", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:09.487", "lastModified": "2024-06-24T19:19:51.957", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Theme Horse Interface allows Stored XSS.This issue affects Interface: from n/a through 3.1.0."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en Theme Horse Interface permite XSS Almacenado. Este problema afecta a la Interface: desde n/a hasta 3.1.0."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "audit@patchstack.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:themehorse:interface:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "3.1.1", "matchCriteriaId": "6CFA38DC-3106-4154-9920-94DAED06C741"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/interface/wordpress-interface-theme-3-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35759", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:09.740", "lastModified": "2024-06-24T19:20:39.243", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Job Portal allows Stored XSS.This issue affects WP Job Portal: from n/a through 2.1.3."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en WP Job Portal permite XSS Almacenado. Este problema afecta a WP Job Portal: desde n/a hasta 2.1.3."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wpjobportal:wp_job_portal:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.1.4", "matchCriteriaId": "857E0867-2AD0-4A44-8C60-BCA65E34611C"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wp-job-portal/wordpress-wp-job-portal-plugin-2-1-3-admin-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35760", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:09.977", "lastModified": "2024-06-24T19:21:04.613", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Job Portal allows Stored XSS.This issue affects WP Job Portal: from n/a through 2.1.3."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en WP Job Portal permite XSS Almacenado. Este problema afecta a WP Job Portal: desde n/a hasta 2.1.3."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wpjobportal:wp_job_portal:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.1.4", "matchCriteriaId": "857E0867-2AD0-4A44-8C60-BCA65E34611C"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wp-job-portal/wordpress-wp-job-portal-a-complete-job-board-plugin-2-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35761", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:10.233", "lastModified": "2024-06-24T19:21:26.413", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in vCita Online Booking & Scheduling Calendar for WordPress by vcita allows Stored XSS.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.4.0."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en vCita Online Booking & Scheduling Calendar para WordPress de vcita permite XSS Almacenado. Este problema afecta a Online Booking & Scheduling Calendar for WordPress by vcita: de n/ a hasta 4.4.0."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vcita:online_booking_\\&_scheduling_calendar_for_wordpress_by_vcita:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "4.4.1", "matchCriteriaId": "0160182F-E5A5-4D21-BE4F-809588561C55"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/meeting-scheduler-by-vcita/wordpress-online-booking-scheduling-calendar-for-wordpress-by-vcita-plugin-4-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35762", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:10.460", "lastModified": "2024-06-24T19:21:47.457", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Cryout Creations Serious Slider allows Stored XSS.This issue affects Serious Slider: from n/a through 1.2.4."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en Cryout Creations Serious Slider permite XSS Almacenado. Este problema afecta a Serious Slider: desde n/a hasta 1.2.4."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cryoutcreations:serious_slider:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.2.5", "matchCriteriaId": "CAB26632-E6D6-4081-8D07-1D5B40F794A7"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/cryout-serious-slider/wordpress-serious-slider-plugin-1-2-4-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35763", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:10.700", "lastModified": "2024-06-24T19:22:44.850", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Theme Freesia Excellent allows Stored XSS.This issue affects Excellent: from n/a through 1.2.9."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en el tema Freesia Excellent permite XSS Almacenado. Este problema afecta a Excellent: desde n/a hasta 1.2.9."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:themefreesia:excellent:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "DDAB6769-0F55-4341-A573-37E0814F71EB"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/excellent/wordpress-excellent-theme-1-2-9-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35764", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:10.950", "lastModified": "2024-06-24T19:23:24.417", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Andy Moyle Church Admin allows Stored XSS.This issue affects Church Admin: from n/a through 4.4.4."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en Andy Moyle Church Admin permite XSS Almacenado. Este problema afecta a Church Admin: desde n/a hasta 4.4.4."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:church_admin_project:church_admin:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "4.4.5", "matchCriteriaId": "92E3440F-06E1-4672-BBAF-01DC974FD83C"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-4-4-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35766", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:11.183", "lastModified": "2024-06-24T19:24:15.167", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ollybach WPPizza allows Reflected XSS.This issue affects WPPizza: from n/a through 3.18.13."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en ollybach WPPizza permite el XSS reflejado. Este problema afecta a WPPizza: desde n/a hasta 3.18.13."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wp-pizza:wppizza:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "3.18.14", "matchCriteriaId": "C73F22EC-019E-4F35-86B3-C7BA46E98C86"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wppizza/wordpress-wppizza-a-restaurant-plugin-plugin-3-18-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35768", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:11.460", "lastModified": "2024-06-24T19:24:52.483", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through 1.5.42."}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en Live Composer Team Page Builder: Live Composer permite XSS Almacenado. Este problema afecta a Page Builder: Live Composer: desde n/a hasta 1.5.42."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:livecomposerplugin:live-composer-page-builder:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "1.5.42", "matchCriteriaId": "253CA218-7FC5-4515-9C35-4FC8B7E4E923"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/live-composer-page-builder/wordpress-page-builder-live-composer-plugin-1-5-42-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35770", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:11.697", "lastModified": "2024-06-24T19:25:21.117", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Dave Kiss Vimeography: Vimeo Video Gallery WordPress Plugin.This issue affects Vimeography: Vimeo Video Gallery WordPress Plugin: from n/a through 2.4.1."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Dave Kiss Vimeography: Vimeo Video Gallery WordPress Plugin. Este problema afecta a Vimeography: Vimeo Video Gallery WordPress Plugin: desde n/a hasta 2.4.1."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:davekiss:vimeography:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.4.2", "matchCriteriaId": "1DD11648-5770-4F36-AF54-3A9347CC8A08"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/vimeography/wordpress-vimeography-plugin-2-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35771", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:11.950", "lastModified": "2024-06-24T19:25:46.967", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in presscustomizr Customizr.This issue affects Customizr: from n/a through 4.4.21."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en presscustomizr Customizr. Este problema afecta a Customizr: desde n/a hasta 4.4.21."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:presscustomizr:customizr:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "4.4.22", "matchCriteriaId": "076D993D-0708-46C4-ABE3-D1582541BE9F"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/customizr/wordpress-customizr-theme-4-4-21-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35772", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:12.183", "lastModified": "2024-06-24T19:26:14.460", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in presscustomizr Hueman.This issue affects Hueman: from n/a through 3.7.24."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en presscustomizr Hueman. Este problema afecta a Hueman: desde n/a hasta 3.7.24."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:presscustomizr:hueman:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "3.7.25", "matchCriteriaId": "902153E0-87F1-4616-B96E-2B5C11F6EDE3"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/hueman/wordpress-hueman-theme-3-7-24-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35776", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:12.417", "lastModified": "2024-06-24T18:49:09.500", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Exeebit phpinfo() WP.This issue affects phpinfo() WP: from n/a through 5.0."}, {"lang": "es", "value": "Exposici\u00f3n de informaci\u00f3n confidencial a una vulnerabilidad de actor no autorizado en Exeebit phpinfo() WP. Este problema afecta a phpinfo() WP: desde n/a hasta 5.0."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "audit@patchstack.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:exeebit:phpinfo-wp:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "5.0", "matchCriteriaId": "F913FFFB-5D6E-42A7-8B28-CCB4D2331158"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/phpinfo-wp/wordpress-phpinfo-wp-plugin-5-0-unauthenticated-data-exposure-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-5059", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T13:15:12.727", "lastModified": "2024-06-24T18:49:29.467", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Event Management Tickets Booking.This issue affects Event Management Tickets Booking: from n/a through 1.4.0."}, {"lang": "es", "value": "Exposici\u00f3n de informaci\u00f3n confidencial a una vulnerabilidad de actor no autorizado en A WP Life Event Management Tickets Booking. Este problema afecta a Event Management Tickets Booking: desde n/a hasta 1.4.0."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "audit@patchstack.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:awplife:event_monster:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "1.4.0", "matchCriteriaId": "8B2AB4C2-3AC7-4A9D-B8AA-20C72EA37E19"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/event-monster/wordpress-event-monster-plugin-1-4-0-sensitive-data-exposure-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2022-43453", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T14:15:10.870", "lastModified": "2024-06-24T18:50:15.333", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Bill Minozzi WP Tools.This issue affects WP Tools: from n/a through 3.41."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Bill Minozzi WP Tools. Este problema afecta a WP Tools: desde n/a hasta 3.41."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:billminozzi:wp_tools:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "3.43", "matchCriteriaId": "92795DE1-6067-43A3-952E-750F691FC27B"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wptools/wordpress-wp-tools-plugin-2-51-3-41-auth-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2022-45803", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T14:15:11.103", "lastModified": "2024-06-24T18:51:29.867", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Nikolay Strikhar WordPress Form Builder Plugin \u2013 Gutenberg Forms.This issue affects WordPress Form Builder Plugin \u2013 Gutenberg Forms: from n/a through 2.2.8.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en el complemento Nikolay Strikhar WordPress Form Builder \u2013 Gutenberg Forms. Este problema afecta al complemento WordPress Form Builder \u2013 Gutenberg Forms: desde n/a hasta 2.2.8.3."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gutenbergforms:gutenberg_forms:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.2.9", "matchCriteriaId": "748B8783-2626-4DCB-A5EC-FC26F5BC8433"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/forms-gutenberg/wordpress-gutenberg-forms-plugin-2-2-8-3-auth-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2023-51375", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T14:15:11.363", "lastModified": "2024-06-24T18:52:00.293", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WPDeveloper EmbedPress.This issue affects EmbedPress: from n/a through 3.8.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en WPDeveloper EmbedPress. Este problema afecta a EmbedPress: desde n/a hasta 3.8.3."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wpdeveloper:embedpress:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "3.8.4", "matchCriteriaId": "A1119AAF-766A-4F5B-B08C-1057FEFB8BA0"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/embedpress/wordpress-embedpress-plugin-3-8-3-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-37118", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T14:15:12.477", "lastModified": "2024-06-24T18:55:07.707", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery (CSRF) vulnerability in Uncanny Owl Uncanny Automator Pro.This issue affects Uncanny Automator Pro: from n/a through 5.3."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Uncanny Owl Uncanny Automator Pro. Este problema afecta a Uncanny Automator Pro: desde n/a hasta 5.3."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uncannyowl:uncanny_automator:*:*:*:*:pro:wordpress:*:*", "versionEndIncluding": "5.3", "matchCriteriaId": "F3CFABDF-A604-44E9-8556-1B5C39DA5DAC"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/uncanny-automator-pro/wordpress-uncanny-automator-pro-plugin-5-3-cross-site-request-forgery-csrf-leading-to-license-settings-reset-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Not Applicable"]}]}}, {"cve": {"id": "CVE-2024-37198", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T14:15:12.667", "lastModified": "2024-06-24T18:55:25.417", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in blazethemes Digital Newspaper.This issue affects Digital Newspaper: from n/a through 1.1.5."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en blazethemes Digital Newspaper. Este problema afecta a Digital Newspaper: desde n/a hasta 1.1.5."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}, {"source": "audit@patchstack.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:blazethemes:digital_newspaper:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.1.6", "matchCriteriaId": "BF363D9A-942E-47CD-84CE-DE1C0E7362C4"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/digital-newspaper/wordpress-digital-newspaper-theme-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-37212", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T14:15:12.890", "lastModified": "2024-06-24T18:55:34.983", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Ali2Woo Ali2Woo Lite.This issue affects Ali2Woo Lite: from n/a through 3.3.5."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Ali2Woo Ali2Woo Lite. Este problema afecta a Ali2Woo Lite: desde n/a hasta 3.3.5."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 6.0}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ali2woo:ali2woo:*:*:*:*:lite:wordpress:*:*", "versionEndIncluding": "3.3.5", "matchCriteriaId": "191F4381-3D88-4811-B8EB-E8A3A56642B8"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/ali2woo-lite/wordpress-aliexpress-dropshipping-with-alinext-lite-plugin-3-3-5-csrf-to-php-object-injection-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-37227", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T14:15:13.130", "lastModified": "2024-06-24T18:55:44.513", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters.This issue affects Newsletters: from n/a through 4.9.7."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Tribulant Newsletters. Este problema afecta a Newsletters: desde n/a hasta 4.9.7."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tribulant:newsletters:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "4.9.8", "matchCriteriaId": "5806F656-BCAE-4AB9-B899-4F1595118849"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/newsletters-lite/wordpress-newsletters-plugin-4-9-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-37230", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T14:15:13.330", "lastModified": "2024-06-24T18:55:55.037", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Book Landing Page.This issue affects Book Landing Page: from n/a through 1.2.3."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Rara Theme Book Landing Page. Este problema afecta a Book Landing Page: desde n/a hasta 1.2.3."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rarathemes:book_landing_page:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.2.4", "matchCriteriaId": "BC4354B6-EAFE-4CA1-A773-32EB1466C915"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/book-landing-page/wordpress-book-landing-page-theme-1-2-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-6239", "sourceIdentifier": "secalert@redhat.com", "published": "2024-06-21T14:15:14.007", "lastModified": "2024-06-24T19:06:27.537", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "A flaw was found in the Poppler's Pdfinfo utility. This issue occurs when using -dests parameter with pdfinfo utility. By using certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en la utilidad Pdfinfo de Poppler. Este problema ocurre cuando se usa el par\u00e1metro -dests con la utilidad pdfinfo. Al utilizar ciertos archivos de entrada con formato incorrecto, un atacante podr\u00eda provocar que la utilidad fallara, lo que provocar\u00eda una denegaci\u00f3n de servicio."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "secalert@redhat.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "secalert@redhat.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:freedesktop:poppler:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.06.0", "matchCriteriaId": "0D378E45-D903-4883-931C-871444E32714"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-6239", "source": "secalert@redhat.com", "tags": ["Third Party Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293594", "source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-6240", "sourceIdentifier": "cve-coordination@incibe.es", "published": "2024-06-21T14:15:14.240", "lastModified": "2024-06-24T19:10:38.983", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper privilege management vulnerability in Parallels Desktop Software, which affects versions earlier than 19.3.0. An attacker could add malicious code in a script and populate the BASH_ENV environment variable with the path to the malicious script, executing on application startup. An attacker could exploit this vulnerability to escalate privileges on the system."}, {"lang": "es", "value": "Vulnerabilidad de gesti\u00f3n de privilegios incorrecta en Parallels Desktop Software, que afecta a versiones anteriores a la 19.3.0. Un atacante podr\u00eda agregar c\u00f3digo malicioso en un script y completar la variable de entorno BASH_ENV con la ruta al script malicioso, ejecut\u00e1ndose al iniciar la aplicaci\u00f3n. Un atacante podr\u00eda aprovechar esta vulnerabilidad para aumentar los privilegios en el sistema."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, {"source": "cve-coordination@incibe.es", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "cve-coordination@incibe.es", "type": "Primary", "description": [{"lang": "en", "value": "CWE-269"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:parallels:parallels_desktop:*:*:*:*:*:macos:*:*", "versionEndExcluding": "19.3.0", "matchCriteriaId": "C8A30945-3C3C-4341-96FB-E64872B6559E"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/improper-privilege-management-vulnerability-parallels-desktop", "source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2023-45197", "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "published": "2024-06-21T15:15:15.647", "lastModified": "2024-06-24T21:15:25.760", "vulnStatus": "Modified", "descriptions": [{"lang": "en", "value": "The file upload plugin in Adminer and AdminerEvo allows an attacker to upload a file with a table name of \u201c..\u201d to the root of the Adminer directory. The attacker can effectively guess the name of the uploaded file and execute it. Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.3."}, {"lang": "es", "value": "El complemento de carga de archivos en Adminer y AdminerEvo permite a un atacante cargar un archivo con un nombre de tabla \"...\" en la ra\u00edz del directorio de Adminer. El atacante puede adivinar efectivamente el nombre del archivo cargado y ejecutarlo. Adminer ya no es compatible, pero este problema se solucion\u00f3 en la versi\u00f3n 4.8.3 de AdminerEvo."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adminerevo:adminerevo:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.8.3", "matchCriteriaId": "DCD7F783-BAAA-4824-AE44-CC5D0FE9D14F"}]}]}], "references": [{"url": "https://github.com/adminerevo/adminerevo/commit/1cc06d6a1005fd833fa009701badd5641627a1d4", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Patch"]}, {"url": "https://github.com/adminerevo/adminerevo/releases/tag/v4.8.3", "source": "9119a7d8-5eab-497f-8521-727c672e3725"}]}}, {"cve": {"id": "CVE-2022-38055", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T16:15:10.497", "lastModified": "2024-06-24T19:12:16.797", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Content Spoofing.This issue affects wpForo Forum: from n/a through 2.0.9."}, {"lang": "es", "value": "Neutralizaci\u00f3n inadecuada de etiquetas HTML relacionadas con scripts en una vulnerabilidad de p\u00e1gina web (XSS b\u00e1sico) en gVectors Team wpForo Forum permite la suplantaci\u00f3n de contenido. Este problema afecta a wpForo Forum: desde n/a hasta 2.0.9."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "audit@patchstack.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.1.0", "matchCriteriaId": "100EAEDA-0A7C-4BC4-878B-20AE94F4BC9C"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-9-auth-html-injection-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2022-44587", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T16:15:10.763", "lastModified": "2024-06-24T19:12:42.033", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information into Log File vulnerability in WP 2FA allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP 2FA: from n/a through 2.6.3."}, {"lang": "es", "value": "La vulnerabilidad de inserci\u00f3n de informaci\u00f3n confidencial en el archivo de registro en WP 2FA permite acceder a la funcionalidad no restringida adecuadamente por las ACL. Este problema afecta a WP 2FA: desde n/a hasta 2.6.3."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-532"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:melapress:wp_2fa:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.6.4", "matchCriteriaId": "89EE231F-4C4B-47A8-80AE-63B982337D79"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wp-2fa/wordpress-wp-2fa-plugin-2-6-3-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2022-44593", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T16:15:11.013", "lastModified": "2024-06-24T19:13:16.607", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Use of Less Trusted Source vulnerability in SolidWP Solid Security allows HTTP DoS.This issue affects Solid Security: from n/a through 9.3.1."}, {"lang": "es", "value": "El uso de la vulnerabilidad de fuente menos confiable en SolidWP Solid Security permite HTTP DoS. Este problema afecta a Solid Security: desde n/a hasta 9.3.1."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-345"}]}, {"source": "audit@patchstack.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-348"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:solidwp:solid_security:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "9.3.2", "matchCriteriaId": "07B13EE4-2B86-43F9-A944-99C50A12D4D1"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/better-wp-security/wordpress-solid-security-plugin-9-3-1-ip-spoofing-leading-to-denial-of-service-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2023-38389", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T16:15:11.310", "lastModified": "2024-06-24T19:13:48.847", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Artbees JupiterX Core allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JupiterX Core: from n/a through 3.3.8."}, {"lang": "es", "value": "La vulnerabilidad de autorizaci\u00f3n incorrecta en Artbees JupiterX Core permite acceder a una funcionalidad que no est\u00e1 correctamente restringida por las ACL. Este problema afecta a JupiterX Core: desde n/a hasta 3.3.8."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:artbees:jupiter_x_core:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "3.3.8", "matchCriteriaId": "E5B6F0E2-1DF6-47FD-B24E-5C38EF906D20"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/jupiterx-core/wordpress-jupiter-x-core-plugin-3-3-0-unauthenticated-account-takeover-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35767", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T16:15:11.670", "lastModified": "2024-06-24T19:14:34.210", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Code Injection.This issue affects Squeeze: from n/a through 1.4."}, {"lang": "es", "value": "La carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en Bogdan Bendziukov Squeeze permite la inyecci\u00f3n de c\u00f3digo. Este problema afecta a Squeeze: desde n/a hasta 1.4."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:squeeze_project:squeeze:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.4.1", "matchCriteriaId": "7D6C7DBA-DCCF-437B-B9EF-EF4070DBCC4F"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/squeeze/wordpress-squeeze-plugin-1-4-arbitrary-file-upload-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35778", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T16:15:11.910", "lastModified": "2024-06-24T19:15:07.360", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in John West Slideshow SE allows PHP Local File Inclusion.This issue affects Slideshow SE: from n/a through 2.5.17."}, {"lang": "es", "value": "La limitaci\u00f3n inadecuada de un nombre de ruta a una vulnerabilidad de directorio restringido (\"Path Traversal\") en John West Slideshow SE permite la inclusi\u00f3n de archivos locales PHP. Este problema afecta a Slideshow SE: desde n/a hasta 2.5.17."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:slideshow_se_project:slideshow_se:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "2.5.17", "matchCriteriaId": "76A01BFC-CB20-4215-ABB4-9DBBB7E070F0"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/slideshow-se/wordpress-slideshow-se-plugin-2-5-17-author-limited-local-file-inclusion-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-35781", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-21T16:15:12.153", "lastModified": "2024-06-24T19:15:58.517", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in YAHMAN Word Balloon allows PHP Local File Inclusion.This issue affects Word Balloon: from n/a through 4.21.1."}, {"lang": "es", "value": "La limitaci\u00f3n inadecuada de un nombre de ruta a una vulnerabilidad de directorio restringido (\"Path Traversal\") en YAHMAN Word Balloon permite la inclusi\u00f3n de archivos locales PHP. Este problema afecta a Word Balloon: desde n/a hasta 4.21.1."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:back2nature:word_balloon:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "4.21.1", "matchCriteriaId": "5C7F2CA7-8945-4955-A019-B6D0DAE49FAF"}]}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/word-balloon/wordpress-word-balloon-plugin-4-21-1-local-file-inclusion-vulnerability?_s_id=cve", "source": "audit@patchstack.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-37790", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T16:15:12.440", "lastModified": "2024-06-21T16:15:12.440", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2024-35537", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T17:15:10.697", "lastModified": "2024-06-24T19:40:04.190", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "TVS Motor Company Limited TVS Connect Android v4.6.0 and IOS v5.0.0 was discovered to insecurely handle the RSA key pair, allowing attackers to possibly access sensitive information via decryption."}, {"lang": "es", "value": "Se descubri\u00f3 que TVS Motor Company Limited TVS Connect Android v4.6.0 e IOS v5.0.0 manejan de forma insegura el par de claves RSA, lo que permite a los atacantes posiblemente acceder a informaci\u00f3n confidencial mediante el descifrado."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-327"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tvsmotor:tvs_connect:4.6.0:*:*:*:*:android:*:*", "matchCriteriaId": "B96C6E52-9DDB-4DD2-808D-E0E3A049CE6C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:tvsmotor:tvs_connect:5.0.0:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "80CB646A-DE5C-48FA-82C0-0338284141F8"}]}]}], "references": [{"url": "https://github.com/aaravavi/TVS-Connect-Application-VAPT", "source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-37671", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T17:15:10.867", "lastModified": "2024-06-24T19:40:48.993", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the page parameter."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Scripting en el producto Tessi Docubase Document Management 5.x permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s del par\u00e1metro de p\u00e1gina."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tessi:docubase:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "DF3FCA90-0A8A-4A9D-8613-1C8DA52D6BEE"}]}]}], "references": [{"url": "http://docubase.com", "source": "cve@mitre.org", "tags": ["Product"]}, {"url": "http://tessi.com", "source": "cve@mitre.org", "tags": ["Product"]}, {"url": "https://github.com/MohamedAzizMSALLEMI/Docubase_Security/blob/main/CVE-2024-37671.md", "source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-37672", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T17:15:10.963", "lastModified": "2024-06-24T19:41:06.183", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the idactivity parameter."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-Site Scripting en el producto Tessi Docubase Document Management 5.x permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s del par\u00e1metro idactivity."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tessi:docubase:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "DF3FCA90-0A8A-4A9D-8613-1C8DA52D6BEE"}]}]}], "references": [{"url": "http://docubase.com", "source": "cve@mitre.org", "tags": ["Product"]}, {"url": "http://tessi.com", "source": "cve@mitre.org", "tags": ["Product"]}, {"url": "https://github.com/MohamedAzizMSALLEMI/Docubase_Security/blob/main/CVE-2024-37672.md", "source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-37673", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T17:15:11.053", "lastModified": "2024-06-24T19:41:19.880", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the filename parameter."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Scripting en el producto Tessi Docubase Document Management versi\u00f3n 5.x permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s del par\u00e1metro de nombre de archivo."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tessi:docubase:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "DF3FCA90-0A8A-4A9D-8613-1C8DA52D6BEE"}]}]}], "references": [{"url": "http://docubase.com", "source": "cve@mitre.org", "tags": ["Product"]}, {"url": "http://tessi.com", "source": "cve@mitre.org", "tags": ["Product"]}, {"url": "https://github.com/MohamedAzizMSALLEMI/Docubase_Security/blob/main/CVE-2024-37673.md", "source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-37675", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T17:15:11.143", "lastModified": "2024-06-24T19:41:31.713", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the parameter \"sectionContent\" related to the functionality of adding notes to an uploaded file."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Scripting en el producto Tessi Docubase Document Management versi\u00f3n 5.x permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s del par\u00e1metro \"sectionContent\" relacionado con la funcionalidad de agregar notas a un archivo cargado."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tessi:docubase:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "DF3FCA90-0A8A-4A9D-8613-1C8DA52D6BEE"}]}]}], "references": [{"url": "http://docubase.com", "source": "cve@mitre.org", "tags": ["Product"]}, {"url": "http://tessi.com", "source": "cve@mitre.org", "tags": ["Product"]}, {"url": "https://github.com/MohamedAzizMSALLEMI/Docubase_Security/blob/main/CVE-2024-37675.md", "source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-6241", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-21T17:15:11.453", "lastModified": "2024-06-24T19:42:44.280", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "A vulnerability was found in Pear Admin Boot up to 2.0.2 and classified as critical. This issue affects the function getDictItems of the file /system/dictData/getDictItems/. The manipulation with the input ,user(),1,1 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269375."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en Pear Admin Boot hasta 2.0.2 y clasificada como cr\u00edtica. Este problema afecta la funci\u00f3n getDictItems del archivo /system/dictData/getDictItems/. La manipulaci\u00f3n con la entrada, usuario(),1,1 conduce a la inyecci\u00f3n de SQL. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-269375."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pearadmin:pear_admin_boot:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.0.2", "matchCriteriaId": "7090DEE1-B02D-46BE-81FE-DDE63085B5F1"}]}]}], "references": [{"url": "https://gitee.com/pear-admin/Pear-Admin-Boot/issues/IA5IPQ", "source": "cna@vuldb.com", "tags": ["Exploit"]}, {"url": "https://gitee.com/pear-admin/Pear-Admin-Boot/issues/IA5KBS", "source": "cna@vuldb.com", "tags": ["Exploit"]}, {"url": "https://vuldb.com/?ctiid.269375", "source": "cna@vuldb.com", "tags": ["Permissions Required"]}, {"url": "https://vuldb.com/?id.269375", "source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"]}]}}, {"cve": {"id": "CVE-2020-27352", "sourceIdentifier": "security@ubuntu.com", "published": "2024-06-21T20:15:10.630", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended."}, {"lang": "es", "value": "Al generar las unidades de servicio systemd para el complemento de Docker (y otros complementos similares), snapd no especifica Delegate=yes; como resultado, systemd mover\u00e1 los procesos de los contenedores creados y administrados por estos complementos al grupo c del daemon principal dentro del se rompe al recargar las unidades del sistema. Esto puede otorgar privilegios adicionales a un contenedor dentro del complemento que no estaban previstos originalmente."}], "metrics": {"cvssMetricV31": [{"source": "security@ubuntu.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 2.5, "impactScore": 6.0}]}, "references": [{"url": "https://bugs.launchpad.net/snapd/+bug/1910456", "source": "security@ubuntu.com"}, {"url": "https://ubuntu.com/security/notices/USN-4728-1", "source": "security@ubuntu.com"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2020-27352", "source": "security@ubuntu.com"}]}}, {"cve": {"id": "CVE-2023-37898", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-21T20:15:11.583", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with 
 and
, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening 
 tag, then includes HTML that runs JavaScript. Because the rendered markdown iframe has the same origin as the toplevel document and is not sandboxed, any scripts running in the preview iframe can access the top variable and, thus, access the toplevel NodeJS `require` function. `require` can then be used to import modules like fs or child_process and run arbitrary commands. This issue has been addressed in version 2.12.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Joplin es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para tomar notas y tareas pendientes. Una vulnerabilidad de Cross-Site Scripting (XSS) permite que una nota que no es de confianza abierta en modo seguro ejecute c\u00f3digo arbitrario. `packages/renderer/MarkupToHtml.ts` muestra el contenido de la nota en modo seguro rode\u00e1ndolo con 
 y 
, sin escapar de ninguna etiqueta HTML interior. Por lo tanto, un atacante puede crear una nota que cierre la etiqueta 
 de apertura y luego incluya HTML que ejecute JavaScript. Debido a que el iframe de rebajas renderizado tiene el mismo origen que el documento de nivel superior y no est\u00e1 en un espacio aislado, cualquier script que se ejecute en el iframe de vista previa puede acceder a la variable superior y, por lo tanto, acceder a la funci\u00f3n `require` de NodeJS de nivel superior. Luego, `require` se puede usar para importar m\u00f3dulos como fs o child_process y ejecutar comandos arbitrarios. Este problema se solucion\u00f3 en la versi\u00f3n 2.12.9 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.
"}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 5.3}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox", "source": "security-advisories@github.com"}, {"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-hjmq-3qh4-g2r8", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2023-38506", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-21T20:15:12.003", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS's `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Joplin es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para tomar notas y tareas pendientes. Una vulnerabilidad de Cross-Site Scripting (XSS) permite pegar datos que no son de confianza en el editor de texto enriquecido para ejecutar c\u00f3digo arbitrario. El HTML pegado en el editor de texto enriquecido no se sanitiza (o no se sanitiza correctamente). Como tal, el atributo \"onload\" de las im\u00e1genes pegadas puede ejecutar c\u00f3digo arbitrario. Debido a que el marco del editor TinyMCE no utiliza el atributo `sandbox`, dichos scripts pueden acceder al `require` de NodeJS a trav\u00e9s de la variable `top`. A partir de esto, un atacante puede ejecutar comandos arbitrarios. Este problema se solucion\u00f3 en la versi\u00f3n 2.12.10 y se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 5.3}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-m59c-9rrj-c399", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2023-39517", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-21T20:15:12.307", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (`packages/renderer/htmlUtils.ts::sanitizeHtml`) preserves `` `` links. However, unlike `` links, the `target` and `href` attributes are not removed. Additionally, because the note preview pane isn't sandboxed to prevent top navigation, links with `target` set to `_top` can replace the toplevel electron page. Because any toplevel electron page, with Joplin's setup, has access to `require` and can require node libraries, a malicious replacement toplevel page can import `child_process` and execute arbitrary shell commands. This issue has been fixed in commit 7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f which is included in release version 2.12.8. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Joplin es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para tomar notas y tareas pendientes. Una vulnerabilidad de Cross-Site Scripting (XSS) en las versiones afectadas permite hacer clic en un enlace de imagen que no es de confianza para ejecutar comandos de shell arbitrarios. El sanitizante HTML (`packages/renderer/htmlUtils.ts::sanitizeHtml`) conserva los enlaces `` ``. Sin embargo, a diferencia de los enlaces ``, los atributos `target` y `href` no se eliminan. Adem\u00e1s, debido a que el panel de vista previa de notas no est\u00e1 protegido para evitar la navegaci\u00f3n superior, los enlaces con \"destino\" configurado en \"_top\" pueden reemplazar la p\u00e1gina electr\u00f3nica de nivel superior. Debido a que cualquier p\u00e1gina electr\u00f3nica de nivel superior, con la configuraci\u00f3n de Joplin, tiene acceso a `require` y puede requerir librer\u00edas de nodos, una p\u00e1gina de nivel superior de reemplazo maliciosa puede importar `child_process` y ejecutar comandos de shell arbitrarios. Este problema se solucion\u00f3 en el commit 7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f que se incluye en la versi\u00f3n 2.12.8. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 5.3}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox", "source": "security-advisories@github.com"}, {"url": "https://github.com/laurent22/joplin/commit/7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f", "source": "security-advisories@github.com"}, {"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-2h88-m32f-qh5m", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2023-45673", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-21T20:15:12.620", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. and has node integration enabled. This is a remote code execution vulnerability that impacts anyone who attaches untrusted PDFs to notes and has the icon enabled. This issue has been addressed in version 2.13.3. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Joplin es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para tomar notas y tareas pendientes. Una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE) en las versiones afectadas permite hacer clic en un enlace en un PDF en una nota que no es de confianza para ejecutar comandos de shell arbitrarios. Hacer clic en enlaces en archivos PDF permite la ejecuci\u00f3n de c\u00f3digo arbitrario porque el escritorio Joplin: 1. no ha deshabilitado la redirecci\u00f3n superior para los iframes del visor de notas, y 2. y tiene habilitada la integraci\u00f3n de nodos. Esta es una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo que afecta a cualquiera que adjunte archivos PDF que no sean de confianza a notas y tenga el \u00edcono habilitado. Este problema se solucion\u00f3 en la versi\u00f3n 2.13.3. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox", "source": "security-advisories@github.com"}, {"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-g8qx-5vcm-3x59", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2012-6664", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T22:15:09.767", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in the TFTP Server in Distinct Intranet Servers 3.10 and earlier allow remote attackers to read or write arbitrary files via a .. (dot dot) in the (1) get or (2) put commands."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de directory traversal en el servidor TFTP en Distinct Intranet Servers 3.10 y anteriores permiten a atacantes remotos leer o escribir archivos de su elecci\u00f3n mediante un .. (punto punto) en los comandos (1) get o (2) put."}], "metrics": {}, "references": [{"url": "https://www.exploit-db.com/exploits/41714", "source": "cve@mitre.org"}, {"url": "https://www.fortiguard.com/encyclopedia/ips/48021", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2014-5470", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T22:15:10.417", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Actual Analyzer through 2014-08-29 allows code execution via shell metacharacters because untrusted input is used for part of the input data passed to an eval operation."}, {"lang": "es", "value": "Actual Analyzer hasta el 29 de agosto de 2014 permite la ejecuci\u00f3n de c\u00f3digo a trav\u00e9s de metacaracteres del shell porque se utilizan entradas que no son de confianza para parte de los datos de entrada pasados a una operaci\u00f3n de evaluaci\u00f3n."}], "metrics": {}, "references": [{"url": "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=35549", "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/35549", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2022-42974", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T22:15:10.557", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In Kostal PIKO 1.5-1 MP plus HMI OEM p 1.0.1, the web application for the Solar Panel is vulnerable to a Stored Cross-Site Scripting (XSS) attack on /file.bootloader.upload.html. The application fails to sanitize the parameter filename, in a POST request to /file.bootloader.upload.html for a system update, thus allowing one to inject HTML and/or JavaScript on the page that will then be processed and stored by the application. Any subsequent requests to pages that retrieve the malicious content will automatically exploit the vulnerability on the victim's browser. This also happens because the tag is loaded in the function innerHTML in the page HTML."}, {"lang": "es", "value": "En Kostal PIKO 1.5-1 MP plus HMI OEM p 1.0.1, la aplicaci\u00f3n web para el panel solar es vulnerable a un ataque de Cross-Site Scripting Almacenado (XSS) en /file.bootloader.upload.html. La aplicaci\u00f3n no puede sanitizar el nombre del archivo del par\u00e1metro, en una solicitud POST a /file.bootloader.upload.html para una actualizaci\u00f3n del sistema, lo que permite inyectar HTML y/o JavaScript en la p\u00e1gina que luego ser\u00e1 procesada y almacenada por la aplicaci\u00f3n. Cualquier solicitud posterior a p\u00e1ginas que recuperen contenido malicioso explotar\u00e1 autom\u00e1ticamente la vulnerabilidad en el navegador de la v\u00edctima. Esto tambi\u00e9n sucede porque la etiqueta se carga en la funci\u00f3n InnerHTML en la p\u00e1gina HTML."}], "metrics": {}, "references": [{"url": "https://medium.com/%40daviddepaulasantos/how-we-got-a-cve-for-a-dom-based-stored-xss-on-a-solar-panel-917b9d7b2545", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-34452", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T22:15:10.877", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "CMSimple_XH 1.7.6 allows XSS by uploading a crafted SVG document."}, {"lang": "es", "value": "CMSimple_XH 1.7.6 permite XSS cargando un documento SVG manipulado."}], "metrics": {}, "references": [{"url": "https://github.com/surajhacx/CVE-2024-34452/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-34989", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T22:15:10.947", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb().'"}, {"lang": "es", "value": "En el m\u00f3dulo Evoluci\u00f3n del cat\u00e1logo RSI PDF/HTML (prestapdf) <= 7.0.0 de RSI para PrestaShop, un invitado puede realizar una inyecci\u00f3n SQL a trav\u00e9s de `PrestaPDFProductListModuleFrontController::queryDb().'"}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/20/prestapdf.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36532", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T22:15:11.020", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token."}, {"lang": "es", "value": "Los permisos inseguros en Kruise v1.6.2 permiten a los atacantes acceder a datos confidenciales y escalar privilegios obteniendo el token de la cuenta de servicio."}], "metrics": {}, "references": [{"url": "https://gist.github.com/HouqiyuA/43488e1d41110a5610146b87b2e88a02", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37654", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T22:15:11.087", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An issue in BAS-IP AV-01D, AV-01MD, AV-01MFD, AV-01ED, AV-01KD, AV-01BD, AV-01KBD, AV-02D, AV-02IDE, AV-02IDR, AV-02IPD, AV-02FDE, AV-02FDR, AV-03D, AV-03BD, AV-04AFD, AV-04ASD, AV-04FD, AV-04SD, AV-05FD, AV-05SD, AA-07BD, AA-07BDI, BA-04BD, BA-04MD, BA-08BD, BA-08MD, BA-12BD, BA-12MD, CR-02BD before 3.9.2 allows a remote attacker to obtain sensitive information via a crafted HTTP GET request."}, {"lang": "es", "value": "Un problema en BAS-IP AV-01D, AV-01MD, AV-01MFD, AV-01ED, AV-01KD, AV-01BD, AV-01KBD, AV-02D, AV-02IDE, AV-02IDR, AV-02IPD, AV-02FDE, AV-02FDR, AV-03D, AV-03BD, AV-04AFD, AV-04ASD, AV-04FD, AV-04SD, AV-05FD, AV-05SD, AA-07BD, AA-07BDI, BA- 04BD, BA-04MD, BA-08BD, BA-08MD, BA-12BD, BA-12MD, CR-02BD anteriores a 3.9.2 permiten a un atacante remoto obtener informaci\u00f3n confidencial a trav\u00e9s de una solicitud HTTP GET manipulada."}], "metrics": {}, "references": [{"url": "https://github.com/DrieVlad/BAS-IP-vulnerabilities", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37694", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-21T22:15:11.157", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "ArcGIS Enterprise Server 10.8.0 allows a remote attacker to obtain sensitive information because /arcgis/rest/services does not require authentication."}, {"lang": "es", "value": "ArcGIS Enterprise Server 10.8.0 permite a un atacante remoto obtener informaci\u00f3n confidencial porque /arcgis/rest/services no requiere autenticaci\u00f3n."}], "metrics": {}, "references": [{"url": "https://github.com/NSSCYCTFER/SRC-CVE", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-6120", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-22T00:15:09.690", "lastModified": "2024-06-24T20:03:04.363", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins."}, {"lang": "es", "value": "El complemento Sparkle Demo Importer para WordPress es vulnerable al restablecimiento no autorizado de la base de datos y a la importaci\u00f3n de datos de demostraci\u00f3n debido a una falta de verificaci\u00f3n de capacidad en las m\u00faltiples funciones en todas las versiones hasta la 1.4.7 incluida. Esto hace posible que los atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen todas las publicaciones, p\u00e1ginas y archivos cargados, as\u00ed como tambi\u00e9n descarguen e instalen un conjunto limitado de complementos de demostraci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wpneuron:sparkle_demo_importer:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.4.8", "matchCriteriaId": "564B65B3-F58C-4F74-B7FF-5BC0FDFE5EAF"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-2484", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-22T02:15:44.940", "lastModified": "2024-06-24T20:01:39.530", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Services and Post Type Grid widgets in all versions up to, and including, 2.10.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Orbit Fox de ThemeIsle para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de los widgets Servicios y Cuadr\u00edcula de tipo de publicaci\u00f3n en todas las versiones hasta la 2.10.34 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:themeisle:orbit_fox:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.10.35", "matchCriteriaId": "04777C26-F1B8-4B91-AF11-C06302CBB496"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/2.10.33/vendor/codeinwp/elementor-extra-widgets/widgets/elementor/posts-grid.php#L1464", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/2.10.33/vendor/codeinwp/elementor-extra-widgets/widgets/elementor/services.php#L639", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3055876%40themeisle-companion&new=3055876%40themeisle-companion&sfp_email=&sfph_mail=", "source": "security@wordfence.com", "tags": ["Patch"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3058970%40themeisle-companion&new=3058970%40themeisle-companion&sfp_email=&sfph_mail=#file16", "source": "security@wordfence.com", "tags": ["Patch"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1bd0f172-2cd3-4839-9df9-64475554d3b2?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-4313", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-22T02:15:45.143", "lastModified": "2024-06-24T20:01:09.330", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Table Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018_id\u2019 parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Table Addons para Elementor para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro '_id' en todas las versiones hasta la 2.1.2 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fusionplugin:table_addons_for_elementor:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.1.3", "matchCriteriaId": "2942151B-DE3F-45E7-AC13-FF14520DFAD6"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/table-addons-for-elementor/trunk/includes/class-table-addons-for-elementor-widget.php#L637", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3104753%40table-addons-for-elementor&new=3104753%40table-addons-for-elementor&sfp_email=&sfph_mail=#file57", "source": "security@wordfence.com", "tags": ["Patch"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddbb4bcf-daf7-4ae3-8f42-fce5f1d2c279?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-5346", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-22T02:15:45.340", "lastModified": "2024-06-24T20:00:59.240", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Video, UX Slider, UX Sidebar, and UX Payment Icons shortcodes in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El tema Flatsome para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de los c\u00f3digos cortos de cuenta regresiva de UX, bot\u00f3n de video, video de UX, control deslizante de UX, barra lateral de UX e \u00edconos de pago de UX en todas las versiones hasta la 3.18.7 incluida debido a insuficiencia sanitizaci\u00f3n de entrada y escape de salida en atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uxthemes:flatsome:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "3.19.0", "matchCriteriaId": "2D056EF3-206D-4DF8-99A0-52E514872751"}]}]}], "references": [{"url": "https://themeforest.net/item/flatsome-multipurpose-responsive-woocommerce-theme/5484319#item-description__change-log", "source": "security@wordfence.com", "tags": ["Release Notes"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/11d4c028-94c1-4b78-92f8-0f3303725651?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-5791", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-22T02:15:45.523", "lastModified": "2024-06-24T20:00:46.390", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_id' parameter in all versions up to, and including, 4.4.2 due to missing authorization checks on processAction function, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a wp-admin dashboard."}, {"lang": "es", "value": "El complemento Online Booking & Scheduling Calendar for WordPress by vcita para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'wp_id' en todas las versiones hasta la 4.4.2 incluida debido a la falta de controles de autorizaci\u00f3n en la funci\u00f3n ProcessAction, as\u00ed como como una higienizaci\u00f3n insuficiente de los insumos y fugas de productos. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios que se ejecutar\u00e1n cada vez que un usuario acceda a un panel de administraci\u00f3n de wp."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, {"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vcita:online_booking_\\&_scheduling_calendar_for_wordpress_by_vcita:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "4.4.3", "matchCriteriaId": "6D841E0E-5D9D-4B92-971B-553D8BA51178"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/tags/4.4.2/vcita-api-functions.php#L40", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c033171a-d81f-4cae-830b-8bdc4017b85e?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-5965", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-22T04:15:12.460", "lastModified": "2024-06-24T20:00:37.057", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Mosaic theme for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018link\u2019 parameter within the theme's Button shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El tema Mosaic para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'enlace' dentro del c\u00f3digo abreviado del bot\u00f3n del tema en todas las versiones hasta la 1.7.1 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wildweblab:mosaic:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "1.7.1", "matchCriteriaId": "EFB0B5ED-441C-44F1-858C-2D232DC302DA"}]}]}], "references": [{"url": "https://themes.trac.wordpress.org/browser/mosaic/1.7.1/shortcodes.php#L165", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6921da1b-e63d-479a-9786-9b1bd8201d69?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-5966", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-22T04:15:12.940", "lastModified": "2024-06-24T20:00:23.970", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Grey Opaque theme for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018url\u2019 parameter within the theme's Download-Button shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El tema Gray Opaque para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'url' dentro del c\u00f3digo abreviado del bot\u00f3n de descarga del tema en todas las versiones hasta la 2.0.1 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:grey_opaque_project:grey_opaque:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "2.0.1", "matchCriteriaId": "06AD1620-70FD-4A3D-B282-45853A41A694"}]}]}], "references": [{"url": "https://themes.trac.wordpress.org/browser/grey-opaque/2.0.1/functions-shortcodes.php#L34", "source": "security@wordfence.com", "tags": ["Product"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f4888e1-98b3-48d9-a2d8-416eae447a32?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-21514", "sourceIdentifier": "report@snyk.io", "published": "2024-06-22T05:15:09.637", "lastModified": "2024-06-24T19:59:16.767", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data."}, {"lang": "es", "value": "Esto afecta a las versiones del paquete opencart/opencart desde 0.0.0. Se identific\u00f3 un problema de inyecci\u00f3n SQL en la extensi\u00f3n de pago Divido para OpenCart, que se incluye de forma predeterminada en la versi\u00f3n 3.0.3.9. Como usuario an\u00f3nimo no autenticado, si el m\u00f3dulo de pago Divido est\u00e1 instalado (no es necesario habilitarlo), es posible aprovechar la inyecci\u00f3n SQL para obtener acceso no autorizado a la base de datos backend. Para cualquier sitio que sea vulnerable, cualquier usuario no autenticado podr\u00eda aprovechar esto para volcar toda la base de datos de OpenCart, incluidos los datos de PII del cliente."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, {"source": "report@snyk.io", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}, {"source": "report@snyk.io", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opencart:opencart:3.0.3.9:*:*:*:*:*:*:*", "matchCriteriaId": "FFAF17FE-8983-4CE6-BCFE-A6AA865E8FE2"}]}]}], "references": [{"url": "https://github.com/opencart/opencart/blob/3.0.3.9/upload/catalog/model/extension/payment/divido.php%23L114", "source": "report@snyk.io", "tags": ["Product"]}, {"url": "https://github.com/opencart/opencart/commit/46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2", "source": "report@snyk.io", "tags": ["Patch"]}, {"url": "https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266565", "source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-21515", "sourceIdentifier": "report@snyk.io", "published": "2024-06-22T05:15:10.730", "lastModified": "2024-06-24T19:58:28.987", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login and redirected again upon authentication with the payload automatically executing. If the attacked user has admin privileges, this vulnerability could be used as the start of a chain of exploits like Zip Slip or arbitrary file write vulnerabilities in the admin functionality.\r\r**Notes:**\r\r1) This is only exploitable if the attacker knows the name or path of the admin directory. The name of the directory is \"admin\" by default but there is a pop-up in the dashboard warning users to rename it.\r\r2) The fix for this vulnerability is incomplete. The redirect is removed so that it is not possible for an attacker to control the redirect post admin login anymore, but it is still possible to exploit this issue in admin if the user is authenticated as an admin already."}, {"lang": "es", "value": "Esto afecta a las versiones del paquete opencart/opencart desde 4.0.0.0. Se identific\u00f3 un problema XSS reflejado en el par\u00e1metro de nombre de archivo de la herramienta de administraci\u00f3n/ruta de registro. Un atacante podr\u00eda obtener el token de un usuario enga\u00f1\u00e1ndolo para que haga clic en una URL creada con fines malintencionados. Luego se solicita al usuario que inicie sesi\u00f3n y se le redirige nuevamente tras la autenticaci\u00f3n y la carga \u00fatil se ejecuta autom\u00e1ticamente. Si el usuario atacado tiene privilegios de administrador, esta vulnerabilidad podr\u00eda usarse como el inicio de una cadena de exploits como Zip Slip o vulnerabilidades de escritura de archivos arbitrarios en la funcionalidad de administraci\u00f3n. **Notas:** 1) Esto solo se puede explotar si el atacante conoce el nombre o la ruta del directorio de administraci\u00f3n. El nombre del directorio es \"admin\" de forma predeterminada, pero hay una ventana emergente en el panel que advierte a los usuarios que le cambien el nombre. 2) La soluci\u00f3n para esta vulnerabilidad est\u00e1 incompleta. El redireccionamiento se elimina para que un atacante ya no pueda controlar el inicio de sesi\u00f3n del administrador posterior al redireccionamiento, pero a\u00fan es posible explotar este problema en el administrador si el usuario ya est\u00e1 autenticado como administrador."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.6, "impactScore": 2.7}, {"source": "report@snyk.io", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.6, "impactScore": 2.5}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "report@snyk.io", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opencart:opencart:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0.0", "matchCriteriaId": "60390C89-394D-4A4E-BD1C-C91F57B73CFD"}]}]}], "references": [{"url": "https://github.com/opencart/opencart/commit/c546199e8f100c1f3797a7a9d3cf4db1887399a2", "source": "report@snyk.io", "tags": ["Patch"]}, {"url": "https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266573", "source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-21516", "sourceIdentifier": "report@snyk.io", "published": "2024-06-22T05:15:10.967", "lastModified": "2024-06-24T19:57:38.197", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login and redirected again upon authentication with the payload automatically executing. If the attacked user has admin privileges, this vulnerability could be used as the start of a chain of exploits like Zip Slip or arbitrary file write vulnerabilities in the admin functionality.\r\r**Notes:**\r\r1) This is only exploitable if the attacker knows the name or path of the admin directory. The name of the directory is \"admin\" by default but there is a pop-up in the dashboard warning users to rename it.\r\r2) The fix for this vulnerability is incomplete. The redirect is removed so that it is not possible for an attacker to control the redirect post admin login anymore, but it is still possible to exploit this issue in admin if the user is authenticated as an admin already."}, {"lang": "es", "value": "Esto afecta a las versiones del paquete opencart/opencart desde 4.0.0.0. Se identific\u00f3 un problema XSS reflejado en el par\u00e1metro de directorio de la ruta admin common/filemanager.list. Un atacante podr\u00eda obtener el token de un usuario enga\u00f1\u00e1ndolo para que haga clic en una URL creada con fines malintencionados. Luego se solicita al usuario que inicie sesi\u00f3n y se le redirige nuevamente tras la autenticaci\u00f3n y la carga \u00fatil se ejecuta autom\u00e1ticamente. Si el usuario atacado tiene privilegios de administrador, esta vulnerabilidad podr\u00eda usarse como el inicio de una cadena de exploits como Zip Slip o vulnerabilidades de escritura de archivos arbitrarios en la funcionalidad de administraci\u00f3n. **Notas:** 1) Esto solo se puede explotar si el atacante conoce el nombre o la ruta del directorio de administraci\u00f3n. El nombre del directorio es \"admin\" de forma predeterminada, pero hay una ventana emergente en el panel que advierte a los usuarios que le cambien el nombre. 2) La soluci\u00f3n para esta vulnerabilidad est\u00e1 incompleta. El redireccionamiento se elimina para que un atacante ya no pueda controlar el inicio de sesi\u00f3n del administrador posterior al redireccionamiento, pero a\u00fan es posible explotar este problema en el administrador si el usuario ya est\u00e1 autenticado como administrador."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.6, "impactScore": 2.7}, {"source": "report@snyk.io", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.6, "impactScore": 2.5}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "report@snyk.io", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opencart:opencart:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0.0", "matchCriteriaId": "60390C89-394D-4A4E-BD1C-C91F57B73CFD"}]}]}], "references": [{"url": "https://github.com/opencart/opencart/commit/c546199e8f100c1f3797a7a9d3cf4db1887399a2", "source": "report@snyk.io", "tags": ["Patch"]}, {"url": "https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266576", "source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-21517", "sourceIdentifier": "report@snyk.io", "published": "2024-06-22T05:15:11.173", "lastModified": "2024-06-24T19:56:45.167", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account functionality it could be used to target and attack customers of the OpenCart shop.\r\r**Notes:**\r\r1) The fix for this vulnerability is incomplete"}, {"lang": "es", "value": "Esto afecta a las versiones del paquete opencart/opencart desde 4.0.0.0. Se identific\u00f3 un problema de XSS reflejado en el par\u00e1metro de redireccionamiento de la cuenta del cliente/ruta de inicio de sesi\u00f3n. Un atacante puede inyectar HTML y Javascript arbitrarios en la respuesta de la p\u00e1gina. Como esta vulnerabilidad est\u00e1 presente en la funcionalidad de la cuenta, podr\u00eda usarse para apuntar y atacar a los clientes de la tienda OpenCart. **Notas:** 1) La soluci\u00f3n para esta vulnerabilidad est\u00e1 incompleta"}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, {"source": "report@snyk.io", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.6, "impactScore": 2.5}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "report@snyk.io", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opencart:opencart:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0.0", "matchCriteriaId": "60390C89-394D-4A4E-BD1C-C91F57B73CFD"}]}]}], "references": [{"url": "https://github.com/opencart/opencart/commit/0fd1ee4b6c94366bf3e5d3831a8336f3275d1860", "source": "report@snyk.io", "tags": ["Patch"]}, {"url": "https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266577", "source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-21518", "sourceIdentifier": "report@snyk.io", "published": "2024-06-22T05:15:11.403", "lastModified": "2024-06-24T19:56:14.723", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An attacker can create arbitrary files in the web root of the application and overwrite other existing files by exploiting this vulnerability."}, {"lang": "es", "value": "Esto afecta a las versiones del paquete opencart/opencart desde 4.0.0.0. Se identific\u00f3 un problema de Zip Slip a trav\u00e9s del instalador del mercado debido a una sanitizaci\u00f3n inadecuada de la ruta de destino, lo que permite que los archivos dentro de un archivo malicioso atraviesen el sistema de archivos y se extraigan a ubicaciones arbitrarias. Un atacante puede crear archivos arbitrarios en la ra\u00edz web de la aplicaci\u00f3n y sobrescribir otros archivos existentes aprovechando esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, {"source": "report@snyk.io", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}, {"source": "report@snyk.io", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-29"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opencart:opencart:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0.0", "matchCriteriaId": "60390C89-394D-4A4E-BD1C-C91F57B73CFD"}]}]}], "references": [{"url": "https://github.com/opencart/opencart/blob/04c1724370ab02967d3b4f668c1b67771ecf1ff4/upload/admin/controller/marketplace/installer.php%23L383C1-L383C1", "source": "report@snyk.io", "tags": ["Patch"]}, {"url": "https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266578", "source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-21519", "sourceIdentifier": "report@snyk.io", "published": "2024-06-22T05:15:11.620", "lastModified": "2024-06-24T19:55:07.760", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename (including the extension), within /system/storage/backup.\r\r**Note:**\r\rIt is less likely for the created file to be available within the web root, as part of the security recommendations for the application suggest moving the storage path outside of the web root."}, {"lang": "es", "value": "Esto afecta a las versiones del paquete opencart/opencart desde 4.0.0.0. Se identific\u00f3 un problema de creaci\u00f3n arbitraria de archivos mediante la funcionalidad de restauraci\u00f3n de la base de datos. Al inyectar c\u00f3digo PHP en la base de datos, un atacante con privilegios de administrador puede crear un archivo de copia de seguridad con un nombre de archivo arbitrario (incluida la extensi\u00f3n), dentro de /system/storage/backup. **Nota:** Es menos probable que el archivo creado est\u00e9 disponible en la ra\u00edz web, ya que parte de las recomendaciones de seguridad para la aplicaci\u00f3n sugieren mover la ruta de almacenamiento fuera de la ra\u00edz web."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, {"source": "report@snyk.io", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 0.7, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "report@snyk.io", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opencart:opencart:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0.0", "matchCriteriaId": "60390C89-394D-4A4E-BD1C-C91F57B73CFD"}]}]}], "references": [{"url": "https://github.com/opencart/opencart/blob/master/upload/admin/controller/tool/upload.php%23L353", "source": "report@snyk.io", "tags": ["Broken Link"]}, {"url": "https://security.snyk.io/vuln/SNYK-PHP-OPENCARTOPENCART-7266579", "source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-4874", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-22T05:15:11.837", "lastModified": "2024-06-24T19:41:12.293", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify posts and pages created by other users including admins. As a requirement for this, an admin would have to enable access to the editor specifically for such a user or enable it for all users with a certain user account type."}, {"lang": "es", "value": "El complemento Bricks Builder para WordPress es vulnerable a Insecure Direct Object Reference en todas las versiones hasta la 1.9.8 incluida a trav\u00e9s del par\u00e1metro postId debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, modifiquen publicaciones y p\u00e1ginas creadas por otros usuarios, incluidos los administradores. Como requisito para esto, un administrador tendr\u00eda que habilitar el acceso al editor espec\u00edficamente para dicho usuario o habilitarlo para todos los usuarios con un determinado tipo de cuenta de usuario."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bricksbuilder:bricks:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.9.9", "matchCriteriaId": "07E03076-E07E-4943-A79F-E3FD5CE283E0"}]}]}], "references": [{"url": "https://bricksbuilder.io/release/bricks-1-9-9/#access-control-fix-for-user-role-contributor", "source": "security@wordfence.com", "tags": ["Release Notes"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d63e898-43e5-42b5-96b6-1453352e0cae?source=cve", "source": "security@wordfence.com", "tags": ["Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-3593", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-22T06:15:09.683", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Undergoing Analysis", "descriptions": [{"lang": "en", "value": "The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the ubermenu_delete_all_item_settings and ubermenu_reset_settings functions. This makes it possible for unauthenticated attackers to delete and reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento UberMenu para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 3.8.3 incluida. Esto se debe a una validaci\u00f3n nonce faltante o incorrecta en las funciones ubermenu_delete_all_item_settings y ubermenu_reset_settings. Esto hace posible que atacantes no autenticados eliminen y restablezcan la configuraci\u00f3n del complemento mediante una solicitud falsificada, siempre que puedan enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "references": [{"url": "https://codecanyon.net/item/ubermenu-wordpress-mega-menu-plugin/154703", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/621ef583-bf99-4b81-ae9c-b4f1c86b86aa?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4940", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-22T06:15:11.137", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others. This issue is due to improper validation of user-supplied input in the handling of URLs. Attackers can exploit this vulnerability by crafting a malicious URL that, when processed by the application, redirects the user to an attacker-controlled web page."}, {"lang": "es", "value": "Existe una vulnerabilidad de redireccionamiento abierto en gradio-app/gradio, que afecta a la \u00faltima versi\u00f3n. La vulnerabilidad permite a un atacante redirigir a los usuarios a sitios web arbitrarios, que pueden explotarse para ataques de phishing, Cross-Site Scripting (XSS) y Server-Side Request Forgery (SSRF), entre otros. Este problema se debe a una validaci\u00f3n inadecuada de la entrada proporcionada por el usuario en el manejo de las URL. Los atacantes pueden aprovechar esta vulnerabilidad creando una URL maliciosa que, cuando la aplicaci\u00f3n la procesa, redirige al usuario a una p\u00e1gina web controlada por el atacante."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}], "references": [{"url": "https://huntr.com/bounties/35aaea93-6895-4f03-9c1b-cd992665aa60", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-5596", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-22T06:15:11.470", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta and plugin options which can lead to limited privilege escalation."}, {"lang": "es", "value": "El complemento ARMember Premium para WordPress es vulnerable a Cross-Site Request Forgery en versiones hasta la 6.7 incluida. Esto se debe a una funci\u00f3n de validaci\u00f3n nonce implementada incorrectamente en m\u00faltiples funciones. Esto hace posible que atacantes no autenticados modifiquen o eliminen metaopciones y complementos del usuario, lo que puede conducir a una escalada de privilegios limitada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "references": [{"url": "https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e55591e-c1e9-4667-b04f-4956d2f37d51?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-38379", "sourceIdentifier": "security@apache.org", "published": "2024-06-22T09:15:09.577", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Apache Allura's neighborhood settings are vulnerable to a stored XSS attack.\u00a0 Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.\n\nThis issue affects Apache Allura: from 1.4.0 through 1.17.0.\n\nUsers are recommended to upgrade to version 1.17.1, which fixes the issue.\n\n"}, {"lang": "es", "value": "La configuraci\u00f3n del vecindario de Apache Allura es vulnerable a un ataque XSS almacenado. Solo los administradores de vecindario pueden acceder a estas configuraciones, por lo que el alcance del riesgo se limita a configuraciones en las que no se conf\u00eda plenamente en los administradores de vecindario. Este problema afecta a Apache Allura: desde 1.4.0 hasta 1.17.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.17.1, que soluciona el problema."}], "metrics": {}, "weaknesses": [{"source": "security@apache.org", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp", "source": "security@apache.org"}]}}, {"cve": {"id": "CVE-2024-6251", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-22T12:15:09.923", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as problematic, was found in playSMS 1.4.3. Affected is an unknown function of the file /index.php?app=main&inc=feature_phonebook&op=phonebook_list of the component New Phonebook Handler. The manipulation of the argument name/email leads to basic cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-269418 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en playSMS 1.4.3 y clasificada como problem\u00e1tica. Una funci\u00f3n desconocida del archivo /index.php?app=main&inc=feature_phonebook&op=phonebook_list del componente New Phonebook Handler es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento nombre/correo electr\u00f3nico conduce a Cross-Site Scripting b\u00e1sicas. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-269418 es el identificador asignado a esta vulnerabilidad. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.3}, "baseSeverity": "LOW", "exploitabilityScore": 6.4, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-80"}]}], "references": [{"url": "https://vuldb.com/?ctiid.269418", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269418", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.355495", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6252", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-22T12:15:11.160", "lastModified": "2024-06-26T19:15:14.383", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Zorlan SkyCaiji up to 2.8 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Task Handler. The manipulation of the argument onerror leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269419."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en Zorlan SkyCaiji hasta 2.8 y clasificada como problem\u00e1tica. Una funci\u00f3n desconocida del componente Task Handler es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento onerror conduce a Cross-Site Scripting. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-269419."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.3}, "baseSeverity": "LOW", "exploitabilityScore": 6.4, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://fushuling.com/index.php/2024/06/13/test2/", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269419", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269419", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.355783", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6253", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-22T14:15:09.673", "lastModified": "2024-06-25T18:15:12.000", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in itsourcecode Online Food Ordering System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /purchase.php. The manipulation of the argument customer leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-269420."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en itsourcecode Online Food Ordering System 1.0 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo /purchase.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento cliente conduce a la inyecci\u00f3n SQL. El ataque puede lanzarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-269420."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/Desenchanted/cve/issues/1", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269420", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269420", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.361840", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-5443", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-22T17:15:34.410", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the `ExtensionBuilder().build_extension()` function. The vulnerability arises from the `/mount_extension` endpoint, where a path traversal issue allows attackers to navigate beyond the intended directory structure. This is facilitated by the `data.category` and `data.folder` parameters accepting empty strings (`\"\"`), which, due to inadequate input sanitization, can lead to the construction of a `package_path` that points to the root directory. Consequently, if an attacker can create a `config.yaml` file in a controllable path, this path can be appended to the `extensions` list and trigger the execution of `__init__.py` in the current directory, leading to remote code execution. The vulnerability affects versions up to 5.9.0, and has been addressed in version 9.8."}, {"lang": "es", "value": "CVE-2024-4320 describe una vulnerabilidad en el software parisneo/lollms, espec\u00edficamente dentro de la funci\u00f3n `ExtensionBuilder().build_extension()`. La vulnerabilidad surge del endpoint `/mount_extension`, donde un problema de path traversal permite a los atacantes navegar m\u00e1s all\u00e1 de la estructura de directorios prevista. Esto se ve facilitado por los par\u00e1metros `data.category` y `data.folder` que aceptan cadenas vac\u00edas (`\"\"`), lo que, debido a una sanitizaci\u00f3n de entrada inadecuada, puede conducir a la construcci\u00f3n de un `package_path` que apunte al directorio ra\u00edz. En consecuencia, si un atacante puede crear un archivo `config.yaml` en una ruta controlable, esta ruta puede agregarse a la lista de `extensiones` y desencadenar la ejecuci\u00f3n de `__init__.py` en el directorio actual, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo. La vulnerabilidad afecta a las versiones hasta la 5.9.0 y se solucion\u00f3 en la versi\u00f3n 9.8."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Primary", "description": [{"lang": "en", "value": "CWE-29"}]}], "references": [{"url": "https://github.com/parisneo/lollms/commit/2d0c4e76be93195836ecd0948027e791b8a2626f", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/db52848a-4dbe-4110-a981-03739834bf45", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-38319", "sourceIdentifier": "psirt@us.ibm.com", "published": "2024-06-22T19:15:09.070", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "IBM Security SOAR 51.0.2.0 could allow an authenticated user to execute malicious code loaded from a specially crafted script.  IBM X-Force ID:  294830."}, {"lang": "es", "value": "IBM Security SOAR 51.0.2.0 podr\u00eda permitir que un usuario autenticado ejecute c\u00f3digo malicioso cargado desde un script especialmente manipulado. ID de IBM X-Force: 294830."}], "metrics": {"cvssMetricV31": [{"source": "psirt@us.ibm.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "psirt@us.ibm.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/294830", "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/7158261", "source": "psirt@us.ibm.com"}]}}, {"cve": {"id": "CVE-2024-6266", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-23T03:15:51.817", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in Pear Admin Boot up to 2.0.2. Affected is an unknown function of the file /system/dictData/loadDictItem. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-269478 is the identifier assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en Pear Admin Boot hasta 2.0.2 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo /system/dictData/loadDictItem es afectada por esta vulnerabilidad. La manipulaci\u00f3n conduce a la inyecci\u00f3n de SQL. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-269478 es el identificador asignado a esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://gitee.com/pear-admin/Pear-Admin-Boot/issues/IA5K2M", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269478", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269478", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6267", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-23T06:15:09.633", "lastModified": "2024-06-24T15:15:12.093", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic was found in SourceCodester Service Provider Management System 1.0. Affected by this vulnerability is an unknown functionality of the file system_info/index.php of the component System Info Page. The manipulation of the argument System Name/System Short Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269479."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en SourceCodester Service Provider Management System 1.0 y clasificada como problem\u00e1tica. Una funci\u00f3n desconocida del archivo system_info/index.php del componente System Info Page es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento Nombre del sistema/Nombre corto del sistema conduce a Cross-Site Scripting. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-269479."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.3}, "baseSeverity": "LOW", "exploitabilityScore": 6.4, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://docs.google.com/document/d/1upC4101Ob9UW7fGC_valsEa45Q5xuBgcKZhs1Q-WoBM/edit?usp=sharing", "source": "cna@vuldb.com"}, {"url": "https://github.com/sgr-xd/CVEs/blob/main/CVE-2024-6267.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269479", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269479", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.362661", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6268", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-23T10:15:09.753", "lastModified": "2024-06-26T20:15:16.893", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as critical, has been found in lahirudanushka School Management System 1.0.0/1.0.1. Affected by this issue is some unknown functionality of the file login.php of the component Login Page. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-269480."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en lahirudanushka School Management System 1.0.0/1.0.1 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo login.php del componente Login Page es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento email conduce a la inyecci\u00f3n de SQL. El ataque puede lanzarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-269480."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/lahirudanushka/School-Management-System---PHP-MySQL/issues/2", "source": "cna@vuldb.com"}, {"url": "https://powerful-bulb-c36.notion.site/SQL-injection-to-authorization-bypass-af95fa2c72b84b4297e3d61c17cd7cdb?pvs=4", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269480", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269480", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.362805", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6269", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-23T12:15:09.710", "lastModified": "2024-06-26T19:15:14.483", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Ruijie RG-UAC 1.0 and classified as critical. This vulnerability affects the function get_ip.addr_details of the file /view/vpn/autovpn/sxh_vpnlic.php of the component HTTP POST Request Handler. The manipulation of the argument indevice leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-269482 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en Ruijie RG-UAC 1.0 y clasificada como cr\u00edtica. Esta vulnerabilidad afecta a la funci\u00f3n get_ip.addr_details del archivo /view/vpn/autovpn/sxh_vpnlic.php del componente HTTP POST Request Handler. La manipulaci\u00f3n del argumento en dispositivo conduce a la inyecci\u00f3n de comando. El ataque se puede iniciar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-269482 es el identificador asignado a esta vulnerabilidad. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera. "}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.2, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 5.8}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://github.com/charliecatsec/cve1/issues/1", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269482", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269482", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358202", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-4841", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-23T15:15:09.233", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim's computer. The vulnerability is present in the way the application handles the 'path' parameter in HTTP requests to the '/add_reference_to_local_model' endpoint."}, {"lang": "es", "value": "Existe una vulnerabilidad de Path Traversal en parisneo/lollms-webui, espec\u00edficamente dentro de la funci\u00f3n 'add_reference_to_local_mode' debido a la falta de sanitizaci\u00f3n de entrada. Esta vulnerabilidad afecta a las versiones v9.6 hasta la \u00faltima. Al explotar esta vulnerabilidad, un atacante puede predecir las carpetas, subcarpetas y archivos presentes en la computadora de la v\u00edctima. La vulnerabilidad est\u00e1 presente en la forma en que la aplicaci\u00f3n maneja el par\u00e1metro 'ruta' en las solicitudes HTTP al endpoint '/add_reference_to_local_model'."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.5, "impactScore": 1.4}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Primary", "description": [{"lang": "en", "value": "CWE-29"}]}], "references": [{"url": "https://huntr.com/bounties/740dda3e-7104-4ccf-9ac4-8870e4d6d602", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-39331", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-23T22:15:09.370", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5."}, {"lang": "es", "value": "En Emacs anterior a 29.4, org-link-expand-abbrev en lisp/ol.el expande una abreviatura de enlace %(...) incluso cuando especifica una funci\u00f3n no segura, como shell-command-to-string. Esto afecta al modo de organizaci\u00f3n anterior a 9.7.5."}], "metrics": {}, "references": [{"url": "https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29", "source": "cve@mitre.org"}, {"url": "https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=f4cc61636947b5c2f0afc67174dd369fe3277aa8", "source": "cve@mitre.org"}, {"url": "https://list.orgmode.org/87sex5gdqc.fsf%40localhost/", "source": "cve@mitre.org"}, {"url": "https://lists.gnu.org/archive/html/info-gnu-emacs/2024-06/msg00000.html", "source": "cve@mitre.org"}, {"url": "https://news.ycombinator.com/item?id=40768225", "source": "cve@mitre.org"}, {"url": "https://www.openwall.com/lists/oss-security/2024/06/23/1", "source": "cve@mitre.org"}, {"url": "https://www.openwall.com/lists/oss-security/2024/06/23/2", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-6273", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-23T22:15:09.490", "lastModified": "2024-06-25T13:15:50.403", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been declared as problematic. Affected by this vulnerability is the function save_patient of the file patient_side.php. The manipulation of the argument Full Name/Contact/Address leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-269485 was assigned to this vulnerability."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en SourceCodester Clinic Queuing System 1.0. Ha sido declarada problem\u00e1tica. La funci\u00f3n save_patient del archivopatient_side.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento Nombre completo/Contacto/Direcci\u00f3n conduce a Cross-Site Scripting. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-269485."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.0}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://docs.google.com/document/d/14ExrgXqPQlgvjw2poqNzYzAOi-C5tda-XBJF513yzag/edit?usp=sharing", "source": "cna@vuldb.com"}, {"url": "https://github.com/sgr-xd/CVEs/blob/main/CVE-2024-6273.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269485", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269485", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.362873", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-39334", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-23T23:15:09.387", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "MENDELSON AS4 before 2024 B376 has a client-side vulnerability when a trading partner provides prepared XML data. When a victim opens the details of this transaction in the client, files can be written to the computer on which the client process is running. (The server process is not affected.)"}, {"lang": "es", "value": "MENDELSON AS4 antes de 2024 B376 tiene una vulnerabilidad del lado del cliente cuando un socio comercial proporciona datos XML preparados. Cuando una v\u00edctima abre los detalles de esta transacci\u00f3n en el cliente, se pueden escribir archivos en la computadora en la que se ejecuta el proceso del cliente. (El proceso del servidor no se ve afectado)."}], "metrics": {}, "references": [{"url": "https://mendelson-e-c.com/node/27845", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-39337", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T00:15:09.577", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Click Studios Passwordstate Core before 9.8 build 9858 allows Authentication Bypass."}, {"lang": "es", "value": "Click Studios Passwordstate Core anterior a la versi\u00f3n 9.8 build 9858 permite la omisi\u00f3n de autenticaci\u00f3n."}], "metrics": {}, "references": [{"url": "https://www.clickstudios.com.au/passwordstate-changelog.aspx", "source": "cve@mitre.org"}, {"url": "https://www.clickstudios.com.au/security/advisories/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-3121", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-24T00:15:09.680", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands."}, {"lang": "es", "value": "Existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en la funci\u00f3n create_conda_env del repositorio parisneo/lollms, versi\u00f3n 5.9.0. La vulnerabilidad surge del uso de shell=True en la funci\u00f3n subprocess.Popen, que permite a un atacante inyectar comandos arbitrarios manipulando los par\u00e1metros env_name y python_version. Este problema podr\u00eda provocar una grave violaci\u00f3n de la seguridad, como lo demuestra la capacidad de ejecutar el comando \"whoami\" entre otros comandos potencialmente da\u00f1inos."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://huntr.com/bounties/db57c343-9b80-4c1c-9ab0-9eef92c9b27b", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-6274", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-24T02:15:53.827", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in lahirudanushka School Management System 1.0.0/1.0.1. This affects an unknown part of the file /attendancelist.php of the component Attendance Report Page. The manipulation of the argument aid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269487."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en lahirudanushka School Management System 1.0.0/1.0.1 y clasificada como cr\u00edtica. Una parte desconocida del archivo /attendancelist.php del componente Attendance Report Page afecta a una parte desconocida. La manipulaci\u00f3n del argumento ayuda conduce a la inyecci\u00f3n de SQL. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-269487."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.2, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 5.8}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://powerful-bulb-c36.notion.site/sql-injection-1-6b3c66351180485ea764561a47239907", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269487", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269487", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.362872", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6275", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-24T02:15:54.140", "lastModified": "2024-06-25T16:15:25.923", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical was found in lahirudanushka School Management System 1.0.0/1.0.1. This vulnerability affects unknown code of the file parent.php of the component Parent Page. The manipulation of the argument update leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-269488."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en lahirudanushka School Management System 1.0.0/1.0.1 y clasificada como cr\u00edtica. Esta vulnerabilidad afecta a un c\u00f3digo desconocido del archivo parent.php del componente Parent Page. La manipulaci\u00f3n de la actualizaci\u00f3n del argumento conduce a la inyecci\u00f3n de SQL. El ataque se puede iniciar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-269488."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.2, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 5.8}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://powerful-bulb-c36.notion.site/sql-injection-2-bd75eb9250214c2e95e57965d9ea392a", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269488", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269488", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.362876", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6276", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-24T02:15:54.410", "lastModified": "2024-06-24T15:15:12.200", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as critical, has been found in lahirudanushka School Management System 1.0.0/1.0.1. This issue affects some unknown processing of the file teacher.php of the component Teacher Page. The manipulation of the argument update leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-269489 was assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en lahirudanushka School Management System 1.0.0/1.0.1 y clasificada como cr\u00edtica. Este problema afecta un procesamiento desconocido del archivo profesor.php del componente P\u00e1gina del Profesor. La manipulaci\u00f3n de la actualizaci\u00f3n del argumento conduce a la inyecci\u00f3n de SQL. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-269489."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.2, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 5.8}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://powerful-bulb-c36.notion.site/sql-injection-3-52ce387faca74869b441eb1bf4cec27a", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269489", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269489", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.362877", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-4499", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-24T03:15:09.797", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger arbitrary LoLLMS-XTTS API requests. This issue can lead to the reading and writing of audio files and, when combined with other vulnerabilities, could allow for the reading of arbitrary files on the system and writing files outside the permitted audio file location."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Request Forgery (CSRF) en el servidor XTTS de parisneo/lollms versi\u00f3n 9.6 debido a una pol\u00edtica CORS laxa. La vulnerabilidad permite a los atacantes realizar acciones no autorizadas enga\u00f1ando a un usuario para que visite una p\u00e1gina web maliciosa, lo que luego puede desencadenar solicitudes arbitrarias de la API LoLLMS-XTTS. Este problema puede provocar la lectura y escritura de archivos de audio y, cuando se combina con otras vulnerabilidades, podr\u00eda permitir la lectura de archivos arbitrarios en el sistema y la escritura de archivos fuera de la ubicaci\u00f3n permitida para archivos de audio."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://huntr.com/bounties/336cd0eb-eb47-450d-9b2c-9332f69af65a", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-6277", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-24T03:15:10.027", "lastModified": "2024-06-24T15:15:12.297", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as critical, was found in lahirudanushka School Management System 1.0.0/1.0.1. Affected is an unknown function of the file student.php of the component Student Page. The manipulation of the argument update leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-269490 is the identifier assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en lahirudanushka School Management System 1.0.0/1.0.1 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo Student.php del componente Student Page es afectada por esta vulnerabilidad. La manipulaci\u00f3n de la actualizaci\u00f3n del argumento conduce a la inyecci\u00f3n de SQL. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-269490 es el identificador asignado a esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.2, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 5.8}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://powerful-bulb-c36.notion.site/sql-injection-4-a2545288ad9244009ff1097df19ee635", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269490", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269490", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.362882", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6278", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-24T03:15:10.290", "lastModified": "2024-06-24T14:15:13.293", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability has been found in lahirudanushka School Management System 1.0.0/1.0.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file subject.php of the component Subject Page. The manipulation of the argument update leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269491."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en lahirudanushka School Management System 1.0.0/1.0.1 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo subject.php del componente Subject Page es afectada por esta vulnerabilidad. La manipulaci\u00f3n de la actualizaci\u00f3n del argumento conduce a la inyecci\u00f3n de SQL. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-269491."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.2, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 5.8}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://powerful-bulb-c36.notion.site/sql-injection-5-f0e968979e3c47049ed5965ca3a7ed7e", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269491", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269491", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.362883", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6279", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-24T03:15:10.573", "lastModified": "2024-06-26T20:15:17.003", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in lahirudanushka School Management System 1.0.0/1.0.1 and classified as critical. Affected by this issue is some unknown functionality of the file examresults-par.php of the component Exam Results Page. The manipulation of the argument sid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-269492."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en lahirudanushka School Management System 1.0.0/1.0.1 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del archivo examresults-par.php del componente Exam Results Page es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento sid conduce a la inyecci\u00f3n de SQL. El ataque puede lanzarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-269492."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://powerful-bulb-c36.notion.site/sql-injection-6-cb069f55445545e19212a7b1ae489a72", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269492", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269492", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.362886", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-6280", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-24T03:15:10.847", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in SourceCodester Simple Online Bidding System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/ajax.php?action=save_settings. The manipulation of the argument img leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-269493 was assigned to this vulnerability."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en SourceCodester Simple Online Bidding System 1.0. Ha sido clasificada como cr\u00edtica. Esto afecta a una parte desconocida del archivo /admin/ajax.php?action=save_settings. La manipulaci\u00f3n del argumento img conduce a una carga sin restricciones. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-269493."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://github.com/Isfulou/cve/blob/main/upload.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269493", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269493", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.363054", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-4899", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-24T06:15:11.307", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The SEOPress  WordPress plugin before 7.8 does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks."}, {"lang": "es", "value": "El complemento SEOPress WordPress anterior a 7.8 no sanitiza ni escapa a algunas de sus configuraciones de publicaci\u00f3n, lo que podr\u00eda permitir a usuarios con altos privilegios, como los contribuyentes, realizar ataques de Cross-Site Scripting Almacenado."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/15346ae9-9a29-4968-a6a9-81d1116ac448/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4900", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-24T06:15:11.423", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The SEOPress  WordPress plugin before 7.8 does not validate and escape one of its Post settings, which could allow contributor and above role to perform Open redirect attacks against any user viewing a malicious post"}, {"lang": "es", "value": "El complemento SEOPress WordPress anterior a 7.8 no valida ni escapa a una de sus configuraciones de publicaci\u00f3n, lo que podr\u00eda permitir que el colaborador y el rol superior realicen ataques de redireccionamiento abierto contra cualquier usuario que vea una publicaci\u00f3n maliciosa."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/a56ad272-e2ed-4064-9b5d-114a834dd8b3/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-24550", "sourceIdentifier": "vulnerability@ncsc.ch", "published": "2024-06-24T07:15:13.580", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de seguridad en Bludit, que permite a atacantes con conocimiento del token API cargar archivos arbitrarios a trav\u00e9s de File API, lo que conduce a la ejecuci\u00f3n de c\u00f3digo arbitrario en el servidor. Esta vulnerabilidad surge del manejo inadecuado de la carga de archivos, lo que permite a actores malintencionados cargar y ejecutar archivos PHP."}], "metrics": {}, "weaknesses": [{"source": "vulnerability@ncsc.ch", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/", "source": "vulnerability@ncsc.ch"}]}}, {"cve": {"id": "CVE-2024-24551", "sourceIdentifier": "vulnerability@ncsc.ch", "published": "2024-06-24T07:15:14.760", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de seguridad en Bludit, que permite a atacantes autenticados ejecutar c\u00f3digo arbitrario a trav\u00e9s de Image API. Esta vulnerabilidad surge del manejo inadecuado de la carga de archivos, lo que permite a actores malintencionados cargar y ejecutar archivos PHP."}], "metrics": {}, "weaknesses": [{"source": "vulnerability@ncsc.ch", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/", "source": "vulnerability@ncsc.ch"}]}}, {"cve": {"id": "CVE-2024-24552", "sourceIdentifier": "vulnerability@ncsc.ch", "published": "2024-06-24T07:15:14.903", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A session fixation vulnerability in Bludit allows an attacker to bypass the server's authentication if they can trick an administrator or any other user into authorizing a session ID of their choosing."}, {"lang": "es", "value": "Una vulnerabilidad de fijaci\u00f3n de sesi\u00f3n en Bludit permite a un atacante eludir la autenticaci\u00f3n del servidor si puede enga\u00f1ar a un administrador o cualquier otro usuario para que autorice una ID de sesi\u00f3n de su elecci\u00f3n."}], "metrics": {}, "weaknesses": [{"source": "vulnerability@ncsc.ch", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-384"}]}], "references": [{"url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/", "source": "vulnerability@ncsc.ch"}]}}, {"cve": {"id": "CVE-2024-24553", "sourceIdentifier": "vulnerability@ncsc.ch", "published": "2024-06-24T07:15:15.063", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Bludit uses the SHA-1 hashing algorithm to compute password hashes. Thus, attackers could determine cleartext passwords with brute-force attacks due to the inherent speed of SHA-1. In addition, the salt that is computed by Bludit is generated with a non-cryptographically secure function."}, {"lang": "es", "value": "Bludit utiliza el algoritmo hash SHA-1 para calcular hashes de contrase\u00f1as. Por lo tanto, los atacantes podr\u00edan determinar contrase\u00f1as de texto sin cifrar con ataques de fuerza bruta debido a la velocidad inherente de SHA-1. Adem\u00e1s, la sal que calcula Bludit se genera con una funci\u00f3n no criptogr\u00e1ficamente segura."}], "metrics": {}, "weaknesses": [{"source": "vulnerability@ncsc.ch", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-916"}]}], "references": [{"url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/", "source": "vulnerability@ncsc.ch"}]}}, {"cve": {"id": "CVE-2024-4460", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-24T07:15:15.400", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (`\\n`) characters in component names. When a low-privileged user adds a component through the API endpoint `api/v1/workspaces/default/components` with a name containing a `\\n` character, it leads to uncontrolled resource consumption. This vulnerability results in the inability of users to add new components in certain categories (e.g., 'Image Builder') and to register new stacks through the UI, thereby degrading the user experience and potentially rendering the ZenML Dashboard unusable. The issue does not affect component addition through the Web UI, as `\\n` characters are properly escaped in that context. The vulnerability was tested on ZenML running in Docker, and it was observed in both Firefox and Chrome browsers."}, {"lang": "es", "value": "Existe una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en zenml-io/zenml versi\u00f3n 0.56.3 debido al manejo inadecuado de los caracteres de avance de l\u00ednea (`\\n`) en los nombres de los componentes. Cuando un usuario con pocos privilegios agrega un componente a trav\u00e9s del endpoint API `api/v1/workspaces/default/components` con un nombre que contiene un car\u00e1cter `\\n`, genera un consumo incontrolado de recursos. Esta vulnerabilidad da como resultado la incapacidad de los usuarios para agregar nuevos componentes en ciertas categor\u00edas (por ejemplo, 'Creador de im\u00e1genes') y registrar nuevas pilas a trav\u00e9s de la interfaz de usuario, lo que degrada la experiencia del usuario y potencialmente inutiliza el panel ZenML. El problema no afecta la adici\u00f3n de componentes a trav\u00e9s de la interfaz de usuario web, ya que los caracteres `\\n` se escapan correctamente en ese contexto. La vulnerabilidad se prob\u00f3 en ZenML ejecut\u00e1ndose en Docker y se observ\u00f3 en los navegadores Firefox y Chrome."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Primary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://github.com/zenml-io/zenml/commit/164cc09032060bbfc17e9dbd62c13efd5ff5771b", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/a387c935-b970-44d7-bddc-71c1c90aa2de", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-24554", "sourceIdentifier": "vulnerability@ncsc.ch", "published": "2024-06-24T08:15:09.130", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Bludit uses predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens such as the API token and the user token. This allows attackers to authenticate against the Bludit API."}, {"lang": "es", "value": "Bludit utiliza m\u00e9todos predecibles en combinaci\u00f3n con el algoritmo hash MD5 para generar tokens confidenciales, como el token API y el token de usuario. Esto permite a los atacantes autenticarse en la API de Bludit."}], "metrics": {}, "weaknesses": [{"source": "vulnerability@ncsc.ch", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-338"}]}], "references": [{"url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/", "source": "vulnerability@ncsc.ch"}]}}, {"cve": {"id": "CVE-2024-27136", "sourceIdentifier": "security@apache.org", "published": "2024-06-24T08:15:09.297", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.  Apache JSPWiki users should upgrade to 2.12.2 or later. "}, {"lang": "es", "value": "XSS en la p\u00e1gina de carga en Apache JSPWiki 2.12.1 y versiones anteriores permite al atacante ejecutar javascript en el navegador de la v\u00edctima y obtener informaci\u00f3n confidencial sobre la v\u00edctima. Los usuarios de Apache JSPWiki deben actualizar a 2.12.2 o posterior."}], "metrics": {}, "weaknesses": [{"source": "security@apache.org", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5", "source": "security@apache.org"}]}}, {"cve": {"id": "CVE-2024-36495", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "published": "2024-06-24T09:15:09.730", "lastModified": "2024-06-25T06:15:10.057", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The application Faronics WINSelect (Standard + Enterprise)\u00a0saves its configuration in an encrypted file on the file system\u00a0which \"Everyone\" has read and write access to, path to file:\n\n\n\nC:\\ProgramData\\WINSelect\\WINSelect.wsd\n\nThe path for\u00a0the affected WINSelect Enterprise\u00a0configuration file is:\n\nC:\\ProgramData\\Faronics\\StorageSpace\\WS\\WINSelect.wsd"}, {"lang": "es", "value": "La aplicaci\u00f3n Faronics WINSelect (Standard + Enterprise) guarda su configuraci\u00f3n en un archivo cifrado en el sistema de archivos al que \"Todos\" tiene acceso de lectura y escritura, ruta al archivo: C:\\ProgramData\\WINSelect\\WINSelect.wsd La ruta del archivo afectado El archivo de configuraci\u00f3n de WINSelect Enterprise es: C:\\ProgramData\\Faronics\\StorageSpace\\WS\\WINSelect.wsd"}], "metrics": {}, "weaknesses": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "references": [{"url": "http://seclists.org/fulldisclosure/2024/Jun/12", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "https://r.sec-consult.com/winselect", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}]}}, {"cve": {"id": "CVE-2024-36496", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "published": "2024-06-24T09:15:09.860", "lastModified": "2024-06-25T06:15:11.413", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The configuration file is encrypted with a static key derived from a \nstatic five-character password which allows an attacker to decrypt this \nfile.\u00a0The application hashes this five-character password with \nthe outdated and broken MD5 algorithm (no salt) and uses the first five \nbytes as the key for RC4. The configuration file is then encrypted with \nthese parameters."}, {"lang": "es", "value": "El archivo de configuraci\u00f3n est\u00e1 cifrado con una clave est\u00e1tica derivada de una contrase\u00f1a est\u00e1tica de cinco caracteres que permite a un atacante descifrar este archivo. La aplicaci\u00f3n codifica esta contrase\u00f1a de cinco caracteres con el algoritmo MD5 obsoleto y roto (sin semilla) y utiliza los primeros cinco bytes como clave para RC4. Luego, el archivo de configuraci\u00f3n se cifra con estos par\u00e1metros."}], "metrics": {}, "weaknesses": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "references": [{"url": "http://seclists.org/fulldisclosure/2024/Jun/12", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "https://r.sec-consult.com/winselect", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}]}}, {"cve": {"id": "CVE-2024-36497", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "published": "2024-06-24T09:15:09.973", "lastModified": "2024-06-25T06:15:11.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The decrypted configuration file contains the password in cleartext \nwhich is used to configure WINSelect. It can be used to remove the \nexisting restrictions and disable WINSelect entirely."}, {"lang": "es", "value": "El archivo de configuraci\u00f3n descifrado contiene la contrase\u00f1a en texto plano que se utiliza para configurar WINSelect. Se puede utilizar para eliminar las restricciones existentes y desactivar WINSelect por completo."}], "metrics": {}, "weaknesses": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-312"}]}], "references": [{"url": "http://seclists.org/fulldisclosure/2024/Jun/12", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "https://r.sec-consult.com/winselect", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}]}}, {"cve": {"id": "CVE-2024-4754", "sourceIdentifier": "iletisim@usom.gov.tr", "published": "2024-06-24T09:15:10.083", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Next4Biz CRM & BPM Software Business Process Manangement (BPM) allows Stored XSS.This issue affects Business Process Manangement (BPM): from 6.6.4.4 before 6.6.4.5."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en el software Next4Biz CRM y BPM Business Process Manangement (BPM) permite XSS Almacenado. Este problema afecta a Business Process Manangement (BPM): desde 6.6.4.4 antes de 6.6. 4.5."}], "metrics": {"cvssMetricV31": [{"source": "iletisim@usom.gov.tr", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "iletisim@usom.gov.tr", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-24-0739", "source": "iletisim@usom.gov.tr"}]}}, {"cve": {"id": "CVE-2024-5683", "sourceIdentifier": "iletisim@usom.gov.tr", "published": "2024-06-24T09:15:10.347", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Next4Biz CRM & BPM Software Business Process Manangement (BPM) allows Remote Code Inclusion.This issue affects Business Process Manangement (BPM): from 6.6.4.4 before 6.6.4.5."}, {"lang": "es", "value": "La vulnerabilidad de control inadecuado de generaci\u00f3n de c\u00f3digo (\"inyecci\u00f3n de c\u00f3digo\") en Next4Biz CRM y BPM Software Business Process Manangement (BPM) permite la inclusi\u00f3n remota de c\u00f3digo. Este problema afecta a Business Process Manangement (BPM): desde 6.6.4.4 antes de 6.6.4.5."}], "metrics": {"cvssMetricV31": [{"source": "iletisim@usom.gov.tr", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "iletisim@usom.gov.tr", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-24-0739", "source": "iletisim@usom.gov.tr"}]}}, {"cve": {"id": "CVE-2024-29868", "sourceIdentifier": "security@apache.org", "published": "2024-06-24T10:15:09.387", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes\u00a0user self-registration and password recovery mechanism.\nThis allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.\nThis issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"}, {"lang": "es", "value": "Uso de la vulnerabilidad del generador de n\u00fameros pseudoaleatorios (PRNG) criptogr\u00e1ficamente d\u00e9bil en el mecanismo de autorregistro de usuarios y recuperaci\u00f3n de contrase\u00f1as de Apache StreamPipes. Esto permite a un atacante adivinar el token de recuperaci\u00f3n en un tiempo razonable y as\u00ed hacerse cargo de la cuenta del usuario atacado. Este problema afecta a Apache StreamPipes: desde 0.69.0 hasta 0.93.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 0.95.0, que soluciona el problema."}], "metrics": {}, "weaknesses": [{"source": "security@apache.org", "type": "Primary", "description": [{"lang": "en", "value": "CWE-338"}]}], "references": [{"url": "https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7", "source": "security@apache.org"}]}}, {"cve": {"id": "CVE-2024-6160", "sourceIdentifier": "cvd@cert.pl", "published": "2024-06-24T10:15:10.277", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in MegaBIP software allows attacker to disclose the contents of the database, obtain session cookies or modify the content of pages.\u00a0This issue affects MegaBIP software versions through 5.12.1."}, {"lang": "es", "value": "La vulnerabilidad de inyecci\u00f3n SQL en el software MegaBIP permite a un atacante revelar el contenido de la base de datos, obtener cookies de sesi\u00f3n o modificar el contenido de las p\u00e1ginas. Este problema afecta a las versiones del software MegaBIP hasta la 5.12.1."}], "metrics": {}, "weaknesses": [{"source": "cvd@cert.pl", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://cert.pl/en/posts/2024/06/CVE-2024-6160/", "source": "cvd@cert.pl"}, {"url": "https://cert.pl/posts/2024/06/CVE-2024-6160/", "source": "cvd@cert.pl"}, {"url": "https://megabip.pl/", "source": "cvd@cert.pl"}, {"url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej", "source": "cvd@cert.pl"}]}}, {"cve": {"id": "CVE-2024-36038", "sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02", "published": "2024-06-24T12:15:09.630", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Zoho ManageEngine ITOM products versions from\u00a0128234 to 128248 are affected by the stored cross-site scripting vulnerability in the proxy server option."}, {"lang": "es", "value": "Las versiones de los productos Zoho ManageEngine ITOM de 128234 a 128248 se ven afectadas por la vulnerabilidad de cross-site scripting almacenado en la opci\u00f3n de servidor proxy."}], "metrics": {"cvssMetricV31": [{"source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.1, "impactScore": 4.2}]}, "weaknesses": [{"source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://www.manageengine.com/itom/advisory/cve-2024-36038.html", "source": "0fc0942c-577d-436f-ae8e-945763c79b02"}]}}, {"cve": {"id": "CVE-2024-37089", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-24T12:15:09.940", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in StylemixThemes Consulting Elementor Widgets allows PHP Local File Inclusion.This issue affects Consulting Elementor Widgets: from n/a through 1.3.0."}, {"lang": "es", "value": "La limitaci\u00f3n inadecuada de un nombre de ruta a una vulnerabilidad de directorio restringido (\"Path Traversal\") en StylemixThemes Consulting Elementor Widgets permite la inclusi\u00f3n de archivos locales PHP. Este problema afecta a Consulting Elementor Widgets: desde n/a hasta 1.3.0."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 2.2, "impactScore": 6.0}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/consulting-elementor-widgets/wordpress-consulting-elementor-widgets-plugin-1-3-0-unauthenticated-local-file-inclusion-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-37091", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-24T12:15:10.170", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in StylemixThemes Consulting Elementor Widgets allows OS Command Injection.This issue affects Consulting Elementor Widgets: from n/a through 1.3.0."}, {"lang": "es", "value": "La neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando (\"Inyecci\u00f3n de comando\") en StylemixThemes Consulting Elementor Widgets permite la inyecci\u00f3n de comandos del sistema operativo. Este problema afecta a Consulting Elementor Widgets: desde n/a hasta 1.3.0."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/consulting-elementor-widgets/wordpress-consulting-elementor-widgets-plugin-1-3-0-remote-code-execution-rce-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-37092", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-24T13:15:10.010", "lastModified": "2024-06-24T19:26:54.367", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in StylemixThemes Consulting Elementor Widgets allows PHP Local File Inclusion.This issue affects Consulting Elementor Widgets: from n/a through 1.3.0."}, {"lang": "es", "value": "La limitaci\u00f3n inadecuada de un nombre de ruta a una vulnerabilidad de directorio restringido (\"Path Traversal\") en StylemixThemes Consulting Elementor Widgets permite la inclusi\u00f3n de archivos locales PHP. Este problema afecta a Consulting Elementor Widgets: desde n/a hasta 1.3.0."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/consulting-elementor-widgets/wordpress-consulting-elementor-widgets-plugin-1-3-0-local-file-inclusion-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-37107", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-24T13:15:10.247", "lastModified": "2024-06-24T19:26:54.367", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Privilege Management vulnerability in Membership Software WishList Member X allows Privilege Escalation.This issue affects WishList Member X: from n/a through 3.25.1."}, {"lang": "es", "value": "Vulnerabilidad de gesti\u00f3n de privilegios inadecuada en el software de membres\u00eda WishList Member X permite la escalada de privilegios. Este problema afecta a WishList Member X: desde n/a hasta 3.25.1."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-authenticated-privilege-escalation-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-37109", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-24T13:15:10.483", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Membership Software WishList Member X allows Code Injection.This issue affects WishList Member X: from n/a through 3.25.1."}, {"lang": "es", "value": "Vulnerabilidad de control inadecuado de la generaci\u00f3n de c\u00f3digo (\"inyecci\u00f3n de c\u00f3digo\") en el software de membres\u00eda WishList Member X permite la inyecci\u00f3n de c\u00f3digo. Este problema afecta a WishList Member X: desde n/a hasta 3.25.1."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-authenticated-arbitrary-php-code-execution-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-37111", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-24T13:15:10.720", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a through 3.25.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en el software de membres\u00eda WishList Member X. Este problema afecta a WishList Member X: desde n/a hasta 3.25.1."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-denial-of-service-attack-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-37228", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-24T13:15:10.947", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.38."}, {"lang": "es", "value": "La vulnerabilidad de control inadecuado de la generaci\u00f3n de c\u00f3digo (\"inyecci\u00f3n de c\u00f3digo\") en InstaWP Team InstaWP Connect permite la inyecci\u00f3n de c\u00f3digo. Este problema afecta a InstaWP Connect: desde n/a hasta 0.1.0.38."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-37231", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-24T13:15:11.177", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salon Booking System Salon booking system allows File Manipulation.This issue affects Salon booking system: from n/a through 9.9."}, {"lang": "es", "value": "Limitaci\u00f3n inadecuada de un nombre de ruta a una vulnerabilidad de directorio restringido (\"Path Traversal\") en Salon Booking System Salon booking system permite la manipulaci\u00f3n de archivos. Este problema afecta a Salon booking system: desde n/a hasta 9.9."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/salon-booking-system/wordpress-salon-booking-system-plugin-9-9-arbitrary-file-deletion-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-37233", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-24T13:15:11.400", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Authentication vulnerability in Play.Ht allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Play.Ht: from n/a through 3.6.4."}, {"lang": "es", "value": "Una vulnerabilidad de autenticaci\u00f3n incorrecta en Play.Ht permite acceder a funciones que no est\u00e1n correctamente restringidas por las ACL. Este problema afecta a Play.Ht: desde n/a hasta 3.6.4."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/play-ht/wordpress-play-ht-plugin-3-6-4-broken-access-control-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-3264", "sourceIdentifier": "iletisim@usom.gov.tr", "published": "2024-06-24T13:15:11.627", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in Mia Technology Inc. Mia-Med Health Aplication allows Signature Spoofing by Improper Validation.This issue affects Mia-Med Health Aplication: before 1.0.14."}, {"lang": "es", "value": "Uso de una vulnerabilidad de algoritmo criptogr\u00e1fico roto o riesgoso en Mia Technology Inc. Mia-Med Health Aplication permite la falsificaci\u00f3n de firmas mediante una validaci\u00f3n inadecuada. Este problema afecta a Mia-Med Health Aplication: antes de la versi\u00f3n 1.0.14."}], "metrics": {"cvssMetricV31": [{"source": "iletisim@usom.gov.tr", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "iletisim@usom.gov.tr", "type": "Primary", "description": [{"lang": "en", "value": "CWE-327"}]}], "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-24-0765", "source": "iletisim@usom.gov.tr"}]}}, {"cve": {"id": "CVE-2024-4839", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-24T13:15:11.900", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl service, which lack CSRF protection. This vulnerability allows attackers to deceive users into unwittingly installing the XTTS service among other packages by submitting a malicious installation request. Successful exploitation results in attackers tricking users into performing actions without their consent."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Request Forgery (CSRF) en la funci\u00f3n 'Configuraciones de servidores' de parisneo/lollms-webui, versiones 9.6 a la \u00faltima. Las funciones afectadas incluyen el servicio de b\u00fasqueda el\u00e1stica (en construcci\u00f3n), el servicio XTTS, el servicio Petals, el servicio vLLM y el servicio Motion Ctrl, que carecen de protecci\u00f3n CSRF. Esta vulnerabilidad permite a los atacantes enga\u00f1ar a los usuarios para que instalen involuntariamente el servicio XTTS entre otros paquetes enviando una solicitud de instalaci\u00f3n maliciosa. La explotaci\u00f3n exitosa da como resultado que los atacantes enga\u00f1en a los usuarios para que realicen acciones sin su consentimiento."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://huntr.com/bounties/dcfc5a07-0427-42b5-a623-8d943873d7ff", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-5862", "sourceIdentifier": "iletisim@usom.gov.tr", "published": "2024-06-24T13:15:12.120", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Mia Technology Inc. Mia-Med Health Aplication allows Interface Manipulation.This issue affects Mia-Med Health Aplication: before 1.0.14."}, {"lang": "es", "value": "Vulnerabilidad de restricci\u00f3n inadecuada de intentos de autenticaci\u00f3n excesivos en Mia Technology Inc. Mia-Med Health Aplication permite la manipulaci\u00f3n de la interfaz. Este problema afecta a Mia-Med Health Aplication: antes de la versi\u00f3n 1.0.14."}], "metrics": {"cvssMetricV31": [{"source": "iletisim@usom.gov.tr", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "iletisim@usom.gov.tr", "type": "Primary", "description": [{"lang": "en", "value": "CWE-307"}]}], "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-24-0765", "source": "iletisim@usom.gov.tr"}]}}, {"cve": {"id": "CVE-2024-32936", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:11.600", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ti: j721e-csi2rx: Fix races while restarting DMA\n\nAfter the frame is submitted to DMA, it may happen that the submitted\nlist is not updated soon enough, and the DMA callback is triggered\nbefore that.\n\nThis can lead to kernel crashes, so move everything in a single\nlock/unlock section to prevent such races."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: media: ti: j721e-csi2rx: corrige ejecuciones al reiniciar DMA Despu\u00e9s de que el marco se env\u00eda a DMA, puede suceder que la lista enviada no se actualice lo suficientemente pronto y la devoluci\u00f3n de llamada de DMA se activa antes de eso. Esto puede provocar fallos del kernel, as\u00ed que mueva todo a una \u00fanica secci\u00f3n de bloqueo/desbloqueo para evitar este tipo de ejecuciones."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/80a8b92950f8ee96582dba6187e3c2deca3569ea", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ad79c9ecea5baa7b4f19677e4b1c881ed89b0c3b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-33278", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T14:15:11.687", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Buffer Overflow vulnerability in ASUS router RT-AX88U with firmware versions v3.0.0.4.388_24198 allows a remote attacker to execute arbitrary code via the connection_state_machine due to improper length validation for the cookie field."}, {"lang": "es", "value": "Vulnerabilidad de desbordamiento de b\u00fafer en el enrutador ASUS RT-AX88U con versiones de firmware v3.0.0.4.388_24198 permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s de Connection_state_machine debido a una validaci\u00f3n de longitud incorrecta para el campo de cookies."}], "metrics": {}, "references": [{"url": "https://gist.github.com/viktoredstrom/cd2580fb0e93e47133b2998553b0a52f", "source": "cve@mitre.org"}, {"url": "https://www.asus.com/content/asus-product-security-advisory/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-33847", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:11.803", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: don't allow unaligned truncation on released compress inode\n\nf2fs image may be corrupted after below testcase:\n- mkfs.f2fs -O extra_attr,compression -f /dev/vdb\n- mount /dev/vdb /mnt/f2fs\n- touch /mnt/f2fs/file\n- f2fs_io setflags compression /mnt/f2fs/file\n- dd if=/dev/zero of=/mnt/f2fs/file bs=4k count=4\n- f2fs_io release_cblocks /mnt/f2fs/file\n- truncate -s 8192 /mnt/f2fs/file\n- umount /mnt/f2fs\n- fsck.f2fs /dev/vdb\n\n[ASSERT] (fsck_chk_inode_blk:1256)  --> ino: 0x5 has i_blocks: 0x00000002, but has 0x3 blocks\n[FSCK] valid_block_count matching with CP             [Fail] [0x4, 0x5]\n[FSCK] other corrupted bugs                           [Fail]\n\nThe reason is: partial truncation assume compressed inode has reserved\nblocks, after partial truncation, valid block count may change w/o\n.i_blocks and .total_valid_block_count update, result in corruption.\n\nThis patch only allow cluster size aligned truncation on released\ncompress inode for fixing."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: comprimir: no permitir el truncamiento no alineado en el inodo comprimido liberado. La imagen f2fs puede estar da\u00f1ada despu\u00e9s del siguiente caso de prueba: - mkfs.f2fs -O extra_attr,compression -f /dev/vdb - montar /dev/vdb /mnt/f2fs - tocar /mnt/f2fs/file - f2fs_io setflags compresi\u00f3n /mnt/f2fs/file - dd if=/dev/zero of=/mnt/f2fs/file bs=4k count=4 - f2fs_io release_cblocks /mnt/f2fs/file - truncate -s 8192 /mnt/f2fs/file - umount /mnt/f2fs - fsck.f2fs /dev/vdb [ASSERT] (fsck_chk_inode_blk:1256) --> ino: 0x5 tiene i_blocks : 0x00000002, pero tiene bloques 0x3 [FSCK] valid_block_count que coincide con CP [Falla] [0x4, 0x5] [FSCK] otros errores corruptos [Falla] La raz\u00f3n es: truncamiento parcial se supone que el inodo comprimido tiene bloques reservados, despu\u00e9s del truncamiento parcial, bloque v\u00e1lido El recuento puede cambiar sin la actualizaci\u00f3n de .i_blocks y .total_valid_block_count, lo que provoca corrupci\u00f3n. Este parche solo permite el truncamiento alineado con el tama\u00f1o del cl\u00faster en el inodo comprimido liberado para su reparaci\u00f3n."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/29ed2b5dd521ce7c5d8466cd70bf0cc9d07afeee", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3ccf5210dc941a7aa0180596ac021568be4d35ec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5268241b41b1c5d0acca75e9b97d4fd719251c8c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8acae047215024d1ac499b3c8337ef1b952f160b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9f9341064a9b5246a32a7fe56b9f80c6f7f3c62d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b8962cf98595d1ec62f40f23667de830567ec8bc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-34027", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:11.887", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\n\nIt needs to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\nto avoid racing with checkpoint, otherwise, filesystem metadata including\nblkaddr in dnode, inode fields and .total_valid_block_count may be\ncorrupted after SPO case."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: compress: correcci\u00f3n para cubrir {reserve,release}_compress_blocks() con bloqueo cp_rwsem Necesita cubrir {reserve,release}_compress_blocks() con bloqueo cp_rwsem para evitar ejecuciones con el punto de control; de lo contrario, los metadatos del sistema de archivos, incluido blkaddr en dnode, los campos de inodo y .total_valid_block_count, pueden da\u00f1arse despu\u00e9s del caso SPO."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0a4ed2d97cb6d044196cc3e726b6699222b41019", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/329edb7c9e3b6ca27e6ca67ab1cdda1740fb3a2b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5d47d63883735718825ca2efc4fca6915469774f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/69136304fd144144a4828c7b7b149d0f80321ba4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a6e1f7744e9b84f86a629a76024bba8468aa153b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b5bac43875aa27ec032dbbb86173baae6dce6182", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-34030", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:11.977", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: of_property: Return error for int_map allocation failure\n\nReturn -ENOMEM from of_pci_prop_intr_map() if kcalloc() fails to prevent a\nNULL pointer dereference in this case.\n\n[bhelgaas: commit log]"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: PCI: of_property: error de devoluci\u00f3n por falla de asignaci\u00f3n de int_map Devuelve -ENOMEM de of_pci_prop_intr_map() si kcalloc() no logra evitar una desreferencia de puntero NULL en este caso. [bhelgaas: registro de confirmaci\u00f3n]"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/598e4a37a2f8da9144ba1fab04320c32169b6d0d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b5f31d1470c4fdfae368feeb389768ba8d24fb34", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e6f7d27df5d208b50cae817a91d128fb434bb12c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-35247", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:12.050", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: region: add owner module and take its refcount\n\nThe current implementation of the fpga region assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the region\nduring programming if the parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_region\nstruct and use it to take the module's refcount. Modify the functions for\nregistering a region to take an additional owner module parameter and\nrename them to avoid conflicts. Use the old function names for helper\nmacros that automatically set the module that registers the region as the\nowner. This ensures compatibility with existing low-level control modules\nand reduces the chances of registering a region without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga region."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fpga: regi\u00f3n: agrega el m\u00f3dulo propietario y toma su recuento. La implementaci\u00f3n actual de la regi\u00f3n fpga supone que el m\u00f3dulo de bajo nivel registra un controlador para el dispositivo principal y utiliza su puntero de propietario para tomar el recuento del m\u00f3dulo. Este enfoque es problem\u00e1tico ya que puede provocar una desreferencia del puntero nulo al intentar obtener la regi\u00f3n durante la programaci\u00f3n si el dispositivo principal no tiene un controlador. Para solucionar este problema, agregue un puntero de propietario de m\u00f3dulo a la estructura fpga_region y util\u00edcelo para obtener el recuento del m\u00f3dulo. Modifique las funciones para registrar una regi\u00f3n para tomar un par\u00e1metro de m\u00f3dulo de propietario adicional y cambiarles el nombre para evitar conflictos. Utilice los nombres de funciones antiguos para las macros auxiliares que configuran autom\u00e1ticamente el m\u00f3dulo que registra la regi\u00f3n como propietario. Esto garantiza la compatibilidad con los m\u00f3dulos de control de bajo nivel existentes y reduce las posibilidades de registrar una regi\u00f3n sin configurar el propietario. Adem\u00e1s, actualice la documentaci\u00f3n para que sea coherente con la nueva interfaz para registrar una regi\u00f3n fpga."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2279c09c36165ccded4d506d11a7714e13b56019", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/26e6e25d742e29885cf44274fcf6b744366c4702", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4d7d12b643c00e7eea51b49a60a2ead182633ec8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/75a001914a8d2ccdcbe4b8cc7e94ac71d0e66093", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9b4eee8572dcf82b2ed17d9a328c7fb87df2f0e8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b7c0e1ecee403a43abc89eb3e75672b01ff2ece9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-36479", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:12.157", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: bridge: add owner module and take its refcount\n\nThe current implementation of the fpga bridge assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the bridge if\nthe parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_bridge\nstruct and use it to take the module's refcount. Modify the function for\nregistering a bridge to take an additional owner module parameter and\nrename it to avoid conflicts. Use the old function name for a helper macro\nthat automatically sets the module that registers the bridge as the owner.\nThis ensures compatibility with existing low-level control modules and\nreduces the chances of registering a bridge without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga bridge.\n\nOther changes: opportunistically move put_device() from __fpga_bridge_get()\nto fpga_bridge_get() and of_fpga_bridge_get() to improve code clarity since\nthe bridge device is taken in these functions."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fpga: puente: agrega el m\u00f3dulo propietario y toma su recuento. La implementaci\u00f3n actual del puente fpga supone que el m\u00f3dulo de bajo nivel registra un controlador para el dispositivo principal y utiliza su puntero de propietario para tomar el recuento del m\u00f3dulo. Este enfoque es problem\u00e1tico ya que puede provocar una desreferencia del puntero nulo al intentar obtener el puente si el dispositivo principal no tiene un controlador. Para solucionar este problema, agregue un puntero de propietario de m\u00f3dulo a la estructura fpga_bridge y util\u00edcelo para tomar el recuento del m\u00f3dulo. Modifique la funci\u00f3n para registrar un puente para tomar un par\u00e1metro de m\u00f3dulo propietario adicional y cambiarle el nombre para evitar conflictos. Utilice el nombre de funci\u00f3n anterior para una macro auxiliar que configura autom\u00e1ticamente el m\u00f3dulo que registra el puente como propietario. Esto garantiza la compatibilidad con los m\u00f3dulos de control de bajo nivel existentes y reduce las posibilidades de registrar un puente sin configurar el propietario. Adem\u00e1s, actualice la documentaci\u00f3n para que sea coherente con la nueva interfaz para registrar un puente fpga. Otros cambios: mueva de manera oportunista put_device() de __fpga_bridge_get() a fpga_bridge_get() y of_fpga_bridge_get() para mejorar la claridad del c\u00f3digo ya que el dispositivo puente se toma en estas funciones."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1da11f822042eb6ef4b6064dc048f157a7852529", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6896b6b2e2d9ec4e1b0acb4c1698a75a4b34d125", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d7c4081c54a1d4068de9440957303a76f9e5c95b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-37021", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:12.237", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: manager: add owner module and take its refcount\n\nThe current implementation of the fpga manager assumes that the low-level\nmodule registers a driver for the parent device and uses its owner pointer\nto take the module's refcount. This approach is problematic since it can\nlead to a null pointer dereference while attempting to get the manager if\nthe parent device does not have a driver.\n\nTo address this problem, add a module owner pointer to the fpga_manager\nstruct and use it to take the module's refcount. Modify the functions for\nregistering the manager to take an additional owner module parameter and\nrename them to avoid conflicts. Use the old function names for helper\nmacros that automatically set the module that registers the manager as the\nowner. This ensures compatibility with existing low-level control modules\nand reduces the chances of registering a manager without setting the owner.\n\nAlso, update the documentation to keep it consistent with the new interface\nfor registering an fpga manager.\n\nOther changes: opportunistically move put_device() from __fpga_mgr_get() to\nfpga_mgr_get() and of_fpga_mgr_get() to improve code clarity since the\nmanager device is taken in these functions."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fpga: manager: agrega el m\u00f3dulo propietario y toma su recuento. La implementaci\u00f3n actual del administrador fpga supone que el m\u00f3dulo de bajo nivel registra un controlador para el dispositivo principal y usa su puntero de propietario para tomar el recuento del m\u00f3dulo. Este enfoque es problem\u00e1tico ya que puede provocar una desreferencia del puntero nulo al intentar obtener el administrador si el dispositivo principal no tiene un controlador. Para solucionar este problema, agregue un puntero de propietario de m\u00f3dulo a la estructura fpga_manager y util\u00edcelo para tomar el recuento del m\u00f3dulo. Modifique las funciones para registrar el administrador para tomar un par\u00e1metro de m\u00f3dulo de propietario adicional y cambiarles el nombre para evitar conflictos. Utilice los nombres de funciones antiguos para las macros auxiliares que configuran autom\u00e1ticamente el m\u00f3dulo que registra al administrador como propietario. Esto garantiza la compatibilidad con los m\u00f3dulos de control de bajo nivel existentes y reduce las posibilidades de registrar un administrador sin configurar el propietario. Adem\u00e1s, actualice la documentaci\u00f3n para que sea coherente con la nueva interfaz para registrar un administrador fpga. Otros cambios: mueva de manera oportunista put_device() de __fpga_mgr_get() a fpga_mgr_get() y of_fpga_mgr_get() para mejorar la claridad del c\u00f3digo ya que el dispositivo administrador se toma en estas funciones."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2da62a139a6221a345db4eb9f4f1c4b0937c89ad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4d4d2d4346857bf778fafaa97d6f76bb1663e3c9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/62ac496a01c9337a11362cea427038ba621ca9eb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-37026", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:12.307", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Only use reserved BCS instances for usm migrate exec queue\n\nThe GuC context scheduling queue is 2 entires deep, thus it is possible\nfor a migration job to be stuck behind a fault if migration exec queue\nshares engines with user jobs. This can deadlock as the migrate exec\nqueue is required to service page faults. Avoid deadlock by only using\nreserved BCS instances for usm migrate exec queue.\n\n(cherry picked from commit 04f4a70a183a688a60fe3882d6e4236ea02cfc67)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/xe: solo use instancias BCS reservadas para la cola ejecutiva de migraci\u00f3n de usm. La cola de programaci\u00f3n de contexto GuC tiene 2 enteros de profundidad, por lo tanto, es posible que un trabajo de migraci\u00f3n quede atascado detr\u00e1s de una falla si la cola ejecutiva de migraci\u00f3n comparte motores con los trabajos de los usuarios. Esto puede bloquearse ya que se requiere la cola de ejecuci\u00f3n de migraci\u00f3n para solucionar los errores de la p\u00e1gina. Evite el punto muerto utilizando \u00fanicamente instancias BCS reservadas para la cola ejecutiva de migraci\u00f3n de usm. (cereza escogida del commit 04f4a70a183a688a60fe3882d6e4236ea02cfc67)"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/92deed4a9bfd9ef187764225bba530116c49e15c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c8ea2c31f5ea437199b239d76ad5db27343edb0c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-37825", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T14:15:12.430", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An issue in EnvisionWare Computer Access & Reservation Control SelfCheck v1.0 (fixed in OneStop 3.2.0.27184 Hotfix May 2024) allows unauthenticated attackers on the same network to perform a directory traversal."}, {"lang": "es", "value": "Un problema en EnvisionWare Computer Access & Reservation Control SelfCheck v1.0 (solucionado en OneStop 3.2.0.27184 Hotfix de mayo de 2024) permite a atacantes no autenticados en la misma red realizar un directory traversal."}], "metrics": {}, "references": [{"url": "https://gist.github.com/J0rdanis99/74ae1ee2f9777cdd1c9756f958064d7c", "source": "cve@mitre.org"}, {"url": "https://www.envisionware.com/?lang=au", "source": "cve@mitre.org"}, {"url": "https://www.envisionware.com/pcres/?lang=au", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38384", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:12.547", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: fix list corruption from reorder of WRITE ->lqueued\n\n__blkcg_rstat_flush() can be run anytime, especially when blk_cgroup_bio_start\nis being executed.\n\nIf WRITE of `->lqueued` is re-ordered with READ of 'bisc->lnode.next' in\nthe loop of __blkcg_rstat_flush(), `next_bisc` can be assigned with one\nstat instance being added in blk_cgroup_bio_start(), then the local\nlist in __blkcg_rstat_flush() could be corrupted.\n\nFix the issue by adding one barrier."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: blk-cgroup: corrupci\u00f3n de la lista de arreglos debido al reordenamiento de WRITE ->lqueued __blkcg_rstat_flush() se puede ejecutar en cualquier momento, especialmente cuando se est\u00e1 ejecutando blk_cgroup_bio_start. Si la ESCRITURA de `->lqueued` se reordena con la READ de 'bisc->lnode.next' en el bucle de __blkcg_rstat_flush(), se puede asignar `next_bisc` agregando una instancia de estad\u00edstica en blk_cgroup_bio_start(), entonces el La lista local en __blkcg_rstat_flush() podr\u00eda estar da\u00f1ada. Solucione el problema agregando una barrera."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/714e59b5456e4d6e4295a9968c564abe193f461c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/785298ab6b802afa75089239266b6bbea590809c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d0aac2363549e12cc79b8e285f13d5a9f42fd08e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38663", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:12.630", "lastModified": "2024-06-24T19:26:47.037", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: fix list corruption from resetting io stat\n\nSince commit 3b8cc6298724 (\"blk-cgroup: Optimize blkcg_rstat_flush()\"),\neach iostat instance is added to blkcg percpu list, so blkcg_reset_stats()\ncan't reset the stat instance by memset(), otherwise the llist may be\ncorrupted.\n\nFix the issue by only resetting the counter part."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: blk-cgroup: corrige la corrupci\u00f3n de la lista al restablecer io stat Desde el commit 3b8cc6298724 (\"blk-cgroup: Optimizar blkcg_rstat_flush()\"), cada instancia de iostat se agrega a la lista de percpu de blkcg, por lo que blkcg_reset_stats() no puede restablecer la instancia de estad\u00edsticas mediante memset(); de lo contrario, la lista puede estar da\u00f1ada. Solucione el problema reiniciando solo la contraparte."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/6da6680632792709cecf2b006f2fe3ca7857e791", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/89bb36c72e1951843f9e04dc84412e31fcc849a9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d4a60298ac34f027a09f8f893fdbd9e06279bb24", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38664", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:12.707", "lastModified": "2024-06-26T13:52:23.033", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: zynqmp_dpsub: Always register bridge\n\nWe must always register the DRM bridge, since zynqmp_dp_hpd_work_func\ncalls drm_bridge_hpd_notify, which in turn expects hpd_mutex to be\ninitialized. We do this before zynqmp_dpsub_drm_init since that calls\ndrm_bridge_attach. This fixes the following lockdep warning:\n\n[   19.217084] ------------[ cut here ]------------\n[   19.227530] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n[   19.227768] WARNING: CPU: 0 PID: 140 at kernel/locking/mutex.c:582 __mutex_lock+0x4bc/0x550\n[   19.241696] Modules linked in:\n[   19.244937] CPU: 0 PID: 140 Comm: kworker/0:4 Not tainted 6.6.20+ #96\n[   19.252046] Hardware name: xlnx,zynqmp (DT)\n[   19.256421] Workqueue: events zynqmp_dp_hpd_work_func\n[   19.261795] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   19.269104] pc : __mutex_lock+0x4bc/0x550\n[   19.273364] lr : __mutex_lock+0x4bc/0x550\n[   19.277592] sp : ffffffc085c5bbe0\n[   19.281066] x29: ffffffc085c5bbe0 x28: 0000000000000000 x27: ffffff88009417f8\n[   19.288624] x26: ffffff8800941788 x25: ffffff8800020008 x24: ffffffc082aa3000\n[   19.296227] x23: ffffffc080d90e3c x22: 0000000000000002 x21: 0000000000000000\n[   19.303744] x20: 0000000000000000 x19: ffffff88002f5210 x18: 0000000000000000\n[   19.311295] x17: 6c707369642e3030 x16: 3030613464662072 x15: 0720072007200720\n[   19.318922] x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 0000000000000001\n[   19.326442] x11: 0001ffc085c5b940 x10: 0001ff88003f388b x9 : 0001ff88003f3888\n[   19.334003] x8 : 0001ff88003f3888 x7 : 0000000000000000 x6 : 0000000000000000\n[   19.341537] x5 : 0000000000000000 x4 : 0000000000001668 x3 : 0000000000000000\n[   19.349054] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff88003f3880\n[   19.356581] Call trace:\n[   19.359160]  __mutex_lock+0x4bc/0x550\n[   19.363032]  mutex_lock_nested+0x24/0x30\n[   19.367187]  drm_bridge_hpd_notify+0x2c/0x6c\n[   19.371698]  zynqmp_dp_hpd_work_func+0x44/0x54\n[   19.376364]  process_one_work+0x3ac/0x988\n[   19.380660]  worker_thread+0x398/0x694\n[   19.384736]  kthread+0x1bc/0x1c0\n[   19.388241]  ret_from_fork+0x10/0x20\n[   19.392031] irq event stamp: 183\n[   19.395450] hardirqs last  enabled at (183): [] finish_task_switch.isra.0+0xa8/0x2d4\n[   19.405140] hardirqs last disabled at (182): [] __schedule+0x714/0xd04\n[   19.413612] softirqs last  enabled at (114): [] srcu_invoke_callbacks+0x158/0x23c\n[   19.423128] softirqs last disabled at (110): [] srcu_invoke_callbacks+0x158/0x23c\n[   19.432614] ---[ end trace 0000000000000000 ]---\n\n(cherry picked from commit 61ba791c4a7a09a370c45b70a81b8c7d4cf6b2ae)"}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: drm: zynqmp_dpsub: Registrar siempre puente Siempre debemos registrar el puente DRM, ya que zynqmp_dp_hpd_work_func llama a drm_bridge_hpd_notify, que a su vez espera que hpd_mutex se inicialice. Hacemos esto antes de zynqmp_dpsub_drm_init ya que llama a drm_bridge_attach. Esto corrige la siguiente advertencia de bloqueo: [19.217084] ------------[ cortar aqu\u00ed ]------------ [ 19.227530] DEBUG_LOCKS_WARN_ON(lock->magic != lock ) [ 19.227768] ADVERTENCIA: CPU: 0 PID: 140 en kernel/locking/mutex.c:582 __mutex_lock+0x4bc/0x550 [ 19.241696] M\u00f3dulos vinculados en: [ 19.244937] CPU: 0 PID: 140 Comm: kworker/0:4 No contaminado 6.6.20+ #96 [19.252046] Nombre de hardware: xlnx,zynqmp (DT) [19.256421] Cola de trabajo: eventos zynqmp_dp_hpd_work_func [19.261795] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS PE=-- ) [ 19.269104] pc : __mutex_lock+0x4bc/0x550 [ 19.273364] lr : __mutex_lock+0x4bc/0x550 [ 19.277592] sp : ffffffc085c5bbe0 [ 19.281066] x29: ffffffc085c5bbe0 8: 0000000000000000 x27: ffffff88009417f8 [ 19.288624] x26: ffffff8800941788 x25: ffffff8800020008 x24: ffffffc082aa3000 [ 19.296227] x23: ffffffc080d90e3c x22: 0000000000000002 x21: 00000000000000000 [ 19.303744] x20: 0000000000000000 x19: ffffff88002f5210 x18: 0000000000000000 [ 19.311295] x17: 6c707369642e3030 x16: 3030613464662072 x15: 0720072007200720 [ 19.318922] 4: 0000000000000000 x13: 284e4f5f4e524157 x12: 0000000000000001 [ 19.326442] x11: 0001ffc085c5b940 x10: 0001ff88003f388b x9: 0001ff88003f3888 [19.334003] x8: 0001ff88003f3888 x7: 0000000000000000 x6 : 0000000000000000 [ 19.341537] x5 : 0000000000000000 x4 : 0000000000001668 x3 : 0000000000000000 [ 19.349054] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff88003f3880 [ 19.356581] Seguimiento de llamadas: [ 19.359160] __mutex_lock+0x4bc/0x550 [ 19.363032] mutex_lock_nested+0x24/0x30 [ 19.367187] drm_bridge_hpd_notify+0x2c/0x6c [ zynqmp_dp_hpd_work_func +0x44/0x54 [ 19.376364] proceso_un_trabajo+0x3ac/0x988 [ 19.380660] hilo_trabajador+0x398/ 0x694 [19.384736] kthread+0x1bc/0x1c0 [19.388241] ret_from_fork+0x10/0x20 [19.392031] sello de evento irq: 183 [19.395450] hardirqs habilitado por \u00faltima vez en (183): [] terminar_task_switch.isra.0+0xa8/0x2d4 [ 19.405140] hardirqs deshabilitado por \u00faltima vez en (182): [] __schedule+0x714/0xd04 [ 19.413612] softirqs habilitado por \u00faltima vez en (114): [] srcu_invoke_callbacks+0x158/0x23c 19.423128] softirqs se deshabilit\u00f3 por \u00faltima vez en ( 110): [] srcu_invoke_callbacks+0x158/0x23c [ 19.432614] ---[ end trace 0000000000000000 ]--- (seleccionado de el commit 61ba791c4a7a09a370c45b70a81b8c7d4 cf6b2ae)"}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-667"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "matchCriteriaId": "108695B6-7133-4B6C-80AF-0F66880FE858"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.33", "matchCriteriaId": "53BC60D9-65A5-4D8F-96C8-149F09214DBD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.9.4", "matchCriteriaId": "A500F935-F0ED-4DC7-AD02-9D7C365D13AE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C40DD2D9-90E3-4E95-9F1A-E7C680F11F2A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/603661357056b5e5ba6d86f505fbc936eff396ba", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/6ead3eccf67bc8318b1ce95ed879b2cc05b4fce9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/be3f3042391d061cfca2bd22630e0d101acea5fc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}]}}, {"cve": {"id": "CVE-2024-38667", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:12.790", "lastModified": "2024-06-26T13:53:56.883", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: prevent pt_regs corruption for secondary idle threads\n\nTop of the kernel thread stack should be reserved for pt_regs. However\nthis is not the case for the idle threads of the secondary boot harts.\nTheir stacks overlap with their pt_regs, so both may get corrupted.\n\nSimilar issue has been fixed for the primary hart, see c7cdd96eca28\n(\"riscv: prevent stack corruption by reserving task_pt_regs(p) early\").\nHowever that fix was not propagated to the secondary harts. The problem\nhas been noticed in some CPU hotplug tests with V enabled. The function\nsmp_callin stored several registers on stack, corrupting top of pt_regs\nstructure including status field. As a result, kernel attempted to save\nor restore inexistent V context."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: riscv: evita la corrupci\u00f3n de pt_regs para subprocesos inactivos secundarios La parte superior de la pila de subprocesos del kernel debe reservarse para pt_regs. Sin embargo, este no es el caso de los subprocesos inactivos de los corazones de arranque secundarios. Sus pilas se superponen con sus pt_regs, por lo que ambos pueden corromperse. Se ha solucionado un problema similar para el coraz\u00f3n principal; consulte c7cdd96eca28 (\"riscv: evite la corrupci\u00f3n de la pila reservando task_pt_regs(p) anticipadamente\"). Sin embargo, esa soluci\u00f3n no se propag\u00f3 a los corazones secundarios. El problema se ha observado en algunas pruebas de conexi\u00f3n en caliente de CPU con V habilitado. La funci\u00f3n smp_callin almacen\u00f3 varios registros en la pila, corrompiendo la parte superior de la estructura pt_regs, incluido el campo de estado. Como resultado, el kernel intent\u00f3 guardar o restaurar el contexto V inexistente."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.7", "matchCriteriaId": "C3821E00-CCBB-4CD4-AD2C-D47DFF2F5A34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.93", "matchCriteriaId": "7446FC33-DC4F-4D31-94B5-FB577CFA66F4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.33", "matchCriteriaId": "53BC60D9-65A5-4D8F-96C8-149F09214DBD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.9.4", "matchCriteriaId": "A500F935-F0ED-4DC7-AD02-9D7C365D13AE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C40DD2D9-90E3-4E95-9F1A-E7C680F11F2A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0c1f28c32a194303da630fca89481334b9547b80", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/3090c06d50eaa91317f84bf3eac4c265e6cb8d44", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/a638b0461b58aa3205cd9d5f14d6f703d795b4af", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/ea22d4195cca13d5fdbc4d6555a2dfb8a7867a9e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}]}}, {"cve": {"id": "CVE-2024-39291", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:12.863", "lastModified": "2024-06-26T14:03:13.437", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and rlc_microcode()\n\nThe function gfx_v9_4_3_init_microcode in gfx_v9_4_3.c was generating\nabout potential truncation of output when using the snprintf function.\nThe issue was due to the size of the buffer 'ucode_prefix' being too\nsmall to accommodate the maximum possible length of the string being\nwritten into it.\n\nThe string being written is \"amdgpu/%s_mec.bin\" or \"amdgpu/%s_rlc.bin\",\nwhere %s is replaced by the value of 'chip_name'. The length of this\nstring without the %s is 16 characters. The warning message indicated\nthat 'chip_name' could be up to 29 characters long, resulting in a total\nof 45 characters, which exceeds the buffer size of 30 characters.\n\nTo resolve this issue, the size of the 'ucode_prefix' buffer has been\nreduced from 30 to 15. This ensures that the maximum possible length of\nthe string being written into the buffer will not exceed its size, thus\npreventing potential buffer overflow and truncation issues.\n\nFixes the below with gcc W=1:\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c: In function \u2018gfx_v9_4_3_early_init\u2019:\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:52: warning: \u2018%s\u2019 directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=]\n  379 |         snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_rlc.bin\", chip_name);\n      |                                                    ^~\n......\n  439 |         r = gfx_v9_4_3_init_rlc_microcode(adev, ucode_prefix);\n      |                                                 ~~~~~~~~~~~~\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:9: note: \u2018snprintf\u2019 output between 16 and 45 bytes into a destination of size 30\n  379 |         snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_rlc.bin\", chip_name);\n      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:52: warning: \u2018%s\u2019 directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=]\n  413 |         snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_mec.bin\", chip_name);\n      |                                                    ^~\n......\n  443 |         r = gfx_v9_4_3_init_cp_compute_microcode(adev, ucode_prefix);\n      |                                                        ~~~~~~~~~~~~\ndrivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:9: note: \u2018snprintf\u2019 output between 16 and 45 bytes into a destination of size 30\n  413 |         snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_mec.bin\", chip_name);\n      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: drm/amdgpu: corrigi\u00f3 el tama\u00f1o del b\u00fafer en gfx_v9_4_3_init_ cp_compute_microcode() y rlc_microcode() La funci\u00f3n gfx_v9_4_3_init_microcode en gfx_v9_4_3.c generaba un posible truncamiento de la salida al usar la funci\u00f3n snprintf. El problema se deb\u00eda a que el tama\u00f1o del b\u00fafer 'ucode_prefix' era demasiado peque\u00f1o para acomodar la longitud m\u00e1xima posible de la cadena que se estaba escribiendo en \u00e9l. La cadena que se est\u00e1 escribiendo es \"amdgpu/%s_mec.bin\" o \"amdgpu/%s_rlc.bin\", donde %s se reemplaza por el valor de 'chip_name'. La longitud de esta cadena sin %s es de 16 caracteres. El mensaje de advertencia indicaba que 'chip_name' pod\u00eda tener hasta 29 caracteres, lo que daba como resultado un total de 45 caracteres, lo que supera el tama\u00f1o del b\u00fafer de 30 caracteres. Para resolver este problema, el tama\u00f1o del b\u00fafer 'ucode_prefix' se ha reducido de 30 a 15. Esto garantiza que la longitud m\u00e1xima posible de la cadena que se escribe en el b\u00fafer no exceder\u00e1 su tama\u00f1o, evitando as\u00ed posibles problemas de desbordamiento y truncamiento del b\u00fafer. . Corrige lo siguiente con gcc W=1: drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c: En funci\u00f3n 'gfx_v9_4_3_early_init': drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:52: advertencia: ' La salida de la directiva de %s puede truncarse escribiendo hasta 29 bytes en una regi\u00f3n de tama\u00f1o 23 [-Wformat-truncation=] 379 | snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_rlc.bin\", chip_name); | ^~ ...... 439 | r = gfx_v9_4_3_init_rlc_microcode(adev, ucode_prefix); | ~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:9: nota: 'snprintf' genera entre 16 y 45 bytes en un destino de tama\u00f1o 30 379 | snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_rlc.bin\", chip_name); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:52: advertencia: la salida de la directiva '%s' puede truncarse escribiendo hasta 29 bytes en una regi\u00f3n de tama\u00f1o 23 [-Wformat-truncation=] 413 | snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_mec.bin\", chip_name); | ^~ ...... 443 | r = gfx_v9_4_3_init_cp_compute_microcode(adev, ucode_prefix); | ~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:9: nota: 'snprintf' genera entre 16 y 45 bytes en un destino de tama\u00f1o 30 413 | snprintf(fw_name, sizeof(fw_name), \"amdgpu/%s_mec.bin\", chip_name); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~"}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "matchCriteriaId": "98C491C7-598A-4D36-BA4F-3505A5727ED1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.33", "matchCriteriaId": "53BC60D9-65A5-4D8F-96C8-149F09214DBD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.9.4", "matchCriteriaId": "A500F935-F0ED-4DC7-AD02-9D7C365D13AE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C40DD2D9-90E3-4E95-9F1A-E7C680F11F2A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/19bd9537b6bc1c882df25206c15917214d8e9460", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/acce6479e30f73ab0872e93a75aed1fb791d04ec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/f1b6a016dfa45cedc080d36fa5d6f22237d80e8b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}]}}, {"cve": {"id": "CVE-2024-39292", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-24T14:15:12.943", "lastModified": "2024-06-26T14:05:24.507", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\num: Add winch to winch_handlers before registering winch IRQ\n\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\nadded to the winch_handlers list.\n\nIf that happens, register_winch_irq() adds to that list a winch that is\nscheduled to be (or has already been) freed, causing a panic later in\nwinch_cleanup().\n\nAvoid the race by adding the winch to the winch_handlers list before\nregistering the IRQ, and rolling back if um_request_irq() fails."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: um: Agregar cabrestante a winch_handlers antes de registrar la IRQ del cabrestante Registrar una IRQ del cabrestante es picante, puede ocurrir una interrupci\u00f3n antes de que el cabrestante se agregue a la lista de winch_handlers. Si eso sucede, Register_winch_irq() agrega a esa lista un cabrestante que est\u00e1 programado para ser liberado (o que ya ha sido) liberado, causando p\u00e1nico m\u00e1s adelante en winch_cleanup(). Evite la ejecuci\u00f3n agregando el cabrestante a la lista winch_handlers antes de registrar la IRQ y retrocediendo si um_request_irq() falla."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.6.23", "matchCriteriaId": "CE323F46-5BE8-40FC-B564-B21ADE5D4DC6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "4.19.316", "matchCriteriaId": "34445C8D-D7E6-4796-B792-C9257E89257B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "5.4.278", "matchCriteriaId": "8E2371B0-4787-4038-B526-021D4CF93B31"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "5.10.219", "matchCriteriaId": "5311C980-4CDF-4C10-8875-F04ED0F03398"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.161", "matchCriteriaId": "E2AB5A01-EFFD-4A24-8CCB-4A016C8C4BB3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.93", "matchCriteriaId": "7446FC33-DC4F-4D31-94B5-FB577CFA66F4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.33", "matchCriteriaId": "53BC60D9-65A5-4D8F-96C8-149F09214DBD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.9.4", "matchCriteriaId": "A500F935-F0ED-4DC7-AD02-9D7C365D13AE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C40DD2D9-90E3-4E95-9F1A-E7C680F11F2A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0c02d425a2fbe52643a5859a779db0329e7dddd4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/31960d991e43c8d6dc07245f19fc13398e90ead2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/351d1a64544944b44732f6a64ed65573b00b9e14", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/434a06c38ee1217a8baa0dd7c37cc85d50138fb0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/66ea9a7c6824821476914bed21a476cd20094f33", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/73b8e21f76c7dda4905655d2e2c17dc5a73b87f1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/a0fbbd36c156b9f7b2276871d499c9943dfe5101", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}, {"url": "https://git.kernel.org/stable/c/dc1ff95602ee908fcd7d8acee7a0dadb61b1a0c0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"]}]}}, {"cve": {"id": "CVE-2024-4748", "sourceIdentifier": "cvd@cert.pl", "published": "2024-06-24T14:15:13.030", "lastModified": "2024-06-26T14:07:47.567", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "The CRUDDIY project is vulnerable to shell command injection via sending a crafted POST request to the application server.\u00a0\nThe exploitation risk is limited since CRUDDIY is meant to be launched locally. Nevertheless, a user with the project running on their computer might visit a website which would send such a malicious request to the locally launched server."}, {"lang": "es", "value": "El proyecto CRUDDIY es vulnerable a la inyecci\u00f3n de comandos de shell mediante el env\u00edo de una solicitud POST manipulada al servidor de aplicaciones. El riesgo de explotaci\u00f3n es limitado ya que CRUDDIY debe lanzarse localmente. Sin embargo, un usuario con el proyecto ejecut\u00e1ndose en su computadora podr\u00eda visitar un sitio web que enviar\u00eda una solicitud maliciosa al servidor iniciado localmente."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "cvd@cert.pl", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}, {"source": "cvd@cert.pl", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:j11g:cruddiy:*:*:*:*:*:*:*:*", "versionEndIncluding": "202312.1", "matchCriteriaId": "A5908333-F478-4071-A90D-BEC428110174"}]}]}], "references": [{"url": "https://cert.pl/en/posts/2024/06/CVE-2024-4748", "source": "cvd@cert.pl", "tags": ["Third Party Advisory"]}, {"url": "https://cert.pl/posts/2024/06/CVE-2024-4748", "source": "cvd@cert.pl", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/jan-vandenberg/cruddiy/issues/67", "source": "cvd@cert.pl", "tags": ["Issue Tracking"]}]}}, {"cve": {"id": "CVE-2024-33687", "sourceIdentifier": "vultures@jpcert.or.jp", "published": "2024-06-24T15:15:11.590", "lastModified": "2024-06-26T14:12:50.130", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Insufficient verification of data authenticity issue exists in NJ Series CPU Unit all versions and NX Series CPU Unit all versions. If a user program in the affected product is altered, the product may not be able to detect the alteration."}, {"lang": "es", "value": "Existe un problema de verificaci\u00f3n insuficiente de la autenticidad de los datos en todas las versiones de la CPU serie NJ y en todas las versiones de la CPU serie NX. Si se modifica un programa de usuario en el producto afectado, es posible que el producto no pueda detectar la alteraci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-345"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj101-1000_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7F48F82-0457-4C2A-86A2-3E23B03C54C8"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj101-1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "E5A77DA0-B22A-4C26-8E64-6F272CD420A3"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj101-1020_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5080EE99-F7FA-4B09-8F98-A7D99D9FEB4D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj101-1020:-:*:*:*:*:*:*:*", "matchCriteriaId": "8A75CF5D-0ADE-448E-BF3C-8E2C268EE1BD"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj101-9000_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DA6B5C-BEF1-4B54-90FC-29A4844A93B3"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj101-9000:-:*:*:*:*:*:*:*", "matchCriteriaId": "E3883A8C-C4EC-45F0-B164-0BADFF91E361"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj101-9020_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF714AA6-6329-45ED-B470-EA843D3021DF"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj101-9020:-:*:*:*:*:*:*:*", "matchCriteriaId": "8696CE8A-C041-4EED-888B-36F2E499E67A"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj301-1100_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E0D3610-E91F-407A-BBF9-AE38F1587C84"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj301-1100:-:*:*:*:*:*:*:*", "matchCriteriaId": "6D92B425-000A-4A85-820E-E16B8AFF06B8"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj301-1200_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1922748-E966-4EA6-9E18-C9CD0B0EF377"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj301-1200:-:*:*:*:*:*:*:*", "matchCriteriaId": "3D279907-5CF4-416F-BE78-300FD52B5B2D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-1300_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EADFDCF4-5A4A-4997-912A-84719A42566A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-1300:-:*:*:*:*:*:*:*", "matchCriteriaId": "2917E7F0-DAA8-4D3B-A5E4-FB0ACAEF02C5"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-1320_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3111B8D-1AE3-444F-9CAF-52DCDE83839B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-1320:-:*:*:*:*:*:*:*", "matchCriteriaId": "69D21068-A51D-48B2-BF17-68BC61737EBC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-1340_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "77EA35C3-7330-4C24-B5BF-9ACCB21C5B97"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-1340:-:*:*:*:*:*:*:*", "matchCriteriaId": "1B381AE4-A769-403A-97FA-14FA5F8122CC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-140_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F90CA15C-80F2-473C-B39C-09A21A3A7105"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-140:-:*:*:*:*:*:*:*", "matchCriteriaId": "E4824951-49CB-4E85-A736-28A72C514FB3"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-1400_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1535738D-3EDC-4D69-82F5-D4116BD65019"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-1400:-:*:*:*:*:*:*:*", "matchCriteriaId": "E25F4D25-6ED0-41DD-B202-98F75FA092CD"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-1420_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F991704-F704-4758-999C-3C228B5E5295"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-1420:-:*:*:*:*:*:*:*", "matchCriteriaId": "148C6AE8-1480-4822-8E0B-1E8575246878"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-1500_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0356B5FF-5263-41CF-8B9B-F28445E97391"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-1500:-:*:*:*:*:*:*:*", "matchCriteriaId": "DD281699-D123-4301-9EDF-4BE249E24FF8"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-1520_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "658B14C7-4DEB-4EE5-BB9A-71FCE52EC298"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-1520:-:*:*:*:*:*:*:*", "matchCriteriaId": "CBBE1648-D428-4A43-831D-AB3AF3F05739"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-4300_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "206C4DDA-753A-4584-9762-ECBDB378335E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-4300:-:*:*:*:*:*:*:*", "matchCriteriaId": "EB77802D-96CB-49DB-A912-9DB901130F08"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-4310_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E31DA56-8DB7-4B8B-B699-C7656F89ED70"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-4310:-:*:*:*:*:*:*:*", "matchCriteriaId": "0FDF3ECD-A475-44D1-BF08-B1D60F33D163"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-4320_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "42EA2073-E34D-48A2-9AA7-02C247F2F356"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-4320:-:*:*:*:*:*:*:*", "matchCriteriaId": "060083B0-E9E5-4694-94AB-3517B4B6E0C2"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-4400_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F3A7B0C-E7F3-416F-A0B0-233FEC0F4F89"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-4400:-:*:*:*:*:*:*:*", "matchCriteriaId": "8D53224A-F4AE-42D5-9CE6-C46892BD658D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-4500_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F45D16ED-5CC7-4B06-9FEA-57F42B8B9E93"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-4500:-:*:*:*:*:*:*:*", "matchCriteriaId": "7E8F99DC-4992-4141-AD76-B8A0A690AD4D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-5300_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6243AD3-C075-4BD5-ABB2-4B7E2D389267"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-5300:-:*:*:*:*:*:*:*", "matchCriteriaId": "1FEF30DD-FCF0-499E-B5C2-4184C9A7E9D8"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-5300-1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "452BC347-5D07-43B5-87A2-C0BB498A288A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-5300-1:-:*:*:*:*:*:*:*", "matchCriteriaId": "D5EC53CE-17CD-428E-A750-A323BF5F0ABE"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-r300_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6968524-3D63-49F5-A318-8AC62049FB4B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-r300:-:*:*:*:*:*:*:*", "matchCriteriaId": "A8A4809E-770F-4D7B-A532-37160D8A3943"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-r320_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4143EFEF-1B06-4C12-BED5-D86915DD62F6"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-r320:-:*:*:*:*:*:*:*", "matchCriteriaId": "32E135F9-CB75-49AF-B7C3-25E8EA3AB991"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-r400_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD74F929-989C-4DA4-B39D-BBC54529F241"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-r400:-:*:*:*:*:*:*:*", "matchCriteriaId": "5A453709-E9EE-4DD8-8638-04752B9DFB0C"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-r420_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAA2B390-49D8-4F03-8AA0-1847CE7108A4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-r420:-:*:*:*:*:*:*:*", "matchCriteriaId": "C264C95F-F8CE-4EC1-B5A5-71998F0A75C3"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-r500_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1707EFC-D40B-4B27-9FDF-91FC25CD19D9"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-r500:-:*:*:*:*:*:*:*", "matchCriteriaId": "9A1BA508-3DBE-46C4-B72C-312AC3403C27"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj501-r520_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1EE8A270-ED27-4629-9786-AAD103F55C03"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj501-r520:-:*:*:*:*:*:*:*", "matchCriteriaId": "36BDD615-7933-4EF5-B2E5-68EB4FA776B7"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj-pa3001_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC9C8F30-E7D4-41C4-8385-CBE00F507FC4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj-pa3001:-:*:*:*:*:*:*:*", "matchCriteriaId": "97E4422C-0758-4A41-B3C9-FB239E3440B6"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nj-pd3001_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "76159124-1CE9-4908-BC95-F9186638C6E1"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nj-pd3001:-:*:*:*:*:*:*:*", "matchCriteriaId": "377396A7-4CDD-4768-AA23-A0B063962CC7"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx102-1000_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CBB54650-6133-4FA4-A3B1-EDB0B90C18AB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx102-1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "D01F33E2-E10C-4B3F-9326-7022924423DB"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx102-1020_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B91214D1-290D-4199-B02A-387B9771E8EC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx102-1020:-:*:*:*:*:*:*:*", "matchCriteriaId": "B1A91E22-8F08-4470-BC4A-14D25A827607"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx102-1100_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C5123EE-2568-42B2-88CC-3DF44DE92C53"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx102-1100:-:*:*:*:*:*:*:*", "matchCriteriaId": "A1E68759-07B1-4F7B-8EF8-0429C8CFCAAF"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx102-1120_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D19E1D1-215B-4ADF-BABA-9407B7C9081B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx102-1120:-:*:*:*:*:*:*:*", "matchCriteriaId": "E72347A8-8725-4DAB-9D2C-609072A4E904"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx102-1200_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9741D38-910E-4FEB-B843-19A70C44ECE2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx102-1200:-:*:*:*:*:*:*:*", "matchCriteriaId": "D8A6528B-2160-4CE4-88B2-EC69DB5797B4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx102-1220_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "929EDFEF-F348-4071-AB5F-03FDAE0C5D9C"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx102-1220:-:*:*:*:*:*:*:*", "matchCriteriaId": "FE463BB1-BE67-4D80-8FE7-85F960945AF5"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx102-9000_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C80B82AF-14CC-4053-B9DC-D6F85A6A7AD8"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx102-9000:-:*:*:*:*:*:*:*", "matchCriteriaId": "0A9DDB7B-213B-41F3-ABC0-23A4834C3449"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx102-9020_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "35FBF42A-F83D-4D91-9DAC-EE7E6D87A40D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx102-9020:-:*:*:*:*:*:*:*", "matchCriteriaId": "34CE73C8-BF67-4BC3-81B2-275393441C91"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx1p2-1040dt_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "773B8213-8022-4072-BCA2-1523932F6406"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx1p2-1040dt:-:*:*:*:*:*:*:*", "matchCriteriaId": "A7EF898A-8273-4044-8F4B-B2082294749F"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx1p2-1040dt1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D41CB601-640B-467A-A0CD-CB148E60BECD"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx1p2-1040dt1:-:*:*:*:*:*:*:*", "matchCriteriaId": "B8DD457B-3E36-4C10-B34F-21CD0B931459"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx1p2-1140dt_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4892B707-7300-4D9C-B0EE-8555B8CA0BE0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx1p2-1140dt:-:*:*:*:*:*:*:*", "matchCriteriaId": "BFF59B0A-C08C-4D56-B301-631DD155BEF4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx1p2-1140dt1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "2DE9D5AD-FD32-4A6D-8803-DD42F4AEDC26"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx1p2-1140dt1:-:*:*:*:*:*:*:*", "matchCriteriaId": "63EEFB13-8B20-4A42-8511-98C4C8E045FA"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx1p2-9024dt_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CE55F43-8915-44DF-9D6D-60A5E641CA40"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx1p2-9024dt:-:*:*:*:*:*:*:*", "matchCriteriaId": "4B1E7DBC-6211-4503-9154-D0BD0FA3BE95"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx1p2-9024dt1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "98C8A4BF-EC67-45DC-A5C5-B64E913DDB59"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx1p2-9024dt1:-:*:*:*:*:*:*:*", "matchCriteriaId": "F193D7DE-97C1-4883-871D-78AC7FCB9B14"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx1w-adb21_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A52D6BFF-B924-4906-9EBD-5361FE1A31C3"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx1w-adb21:-:*:*:*:*:*:*:*", "matchCriteriaId": "148C75FA-08F5-401A-B4E9-989ED80AF3EC"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx1w-cif01_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "48B718F4-D890-4805-A96E-F6744BBFEE51"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx1w-cif01:-:*:*:*:*:*:*:*", "matchCriteriaId": "C9E45E4A-447D-4DE9-AC15-50BD2DEC5AAB"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx1w-cif11_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A878E8B7-F395-4291-8C0D-9C679C5763D9"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx1w-cif11:-:*:*:*:*:*:*:*", "matchCriteriaId": "DA6772B4-5B9D-4642-9DA6-5595C92895C4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx1w-cif12_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "986EFF21-3FEE-498B-9BBC-0554904EC32F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx1w-cif12:-:*:*:*:*:*:*:*", "matchCriteriaId": "BD3B3071-1C48-4AD0-9C82-59A16F52944D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx1w-dab21v_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "59CCAD9B-BF84-4BDE-A010-6FEA8E02BC1E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx1w-dab21v:-:*:*:*:*:*:*:*", "matchCriteriaId": "BA779FC7-7C37-411C-BFD3-EE9B87E8D861"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx1w-mab221_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "68F200C5-CA76-414E-B31B-5A3B45005B40"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx1w-mab221:-:*:*:*:*:*:*:*", "matchCriteriaId": "48E3688A-B3EE-441E-A16A-52FC683D4F1D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx701-1600_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "65BBD8C2-05CD-4D95-8868-FC950B3C5EB3"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx701-1600:-:*:*:*:*:*:*:*", "matchCriteriaId": "A613C260-184B-4131-B2EC-656D8322F86B"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx701-1620_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7722B2B-C42E-4DE6-A5EF-93F58407F81C"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx701-1620:-:*:*:*:*:*:*:*", "matchCriteriaId": "210D7FA7-18A3-45B7-976B-9DEDC59294C7"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx701-1700_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1ED4966C-750E-4B50-AA1E-DCC510E27BB0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx701-1700:-:*:*:*:*:*:*:*", "matchCriteriaId": "753A218D-C738-42E5-B523-ED7CACCAEC82"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx701-1720_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "979C93C8-F43B-466D-B85C-50C96B6A1420"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx701-1720:-:*:*:*:*:*:*:*", "matchCriteriaId": "2434BE7E-3E5D-48A9-838C-BCC6055135F9"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx701-z600_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CAE54224-E502-43DC-8598-E8D1AB9DDD82"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx701-z600:-:*:*:*:*:*:*:*", "matchCriteriaId": "90B7C106-4C14-4C0A-BA78-9A3DD63EF576"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:omron:nx701-z700_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "28A3BECD-254C-4E01-8B43-3FDFDCFCE8F5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:omron:nx701-z700:-:*:*:*:*:*:*:*", "matchCriteriaId": "36F25E10-A76C-4A16-B72B-4B9E572EDBAB"}]}]}], "references": [{"url": "https://jvn.jp/en/vu/JVNVU92504444/", "source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"]}, {"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2024-004_en.pdf", "source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"]}]}}, {"cve": {"id": "CVE-2024-6285", "sourceIdentifier": "cve@asrg.io", "published": "2024-06-24T16:15:10.763", "lastModified": "2024-06-26T14:24:38.113", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Integer Underflow (Wrap or Wraparound) vulnerability in Renesas arm-trusted-firmware.\nAn integer underflow in image range check calculations could lead to bypassing address restrictions and loading of images to unallowed addresses."}, {"lang": "es", "value": "Vulnerabilidad de desbordamiento de enteros (Wrap o Wraparound) en Renesas arm-trusted-firmware. Un desbordamiento insuficiente de enteros en los c\u00e1lculos de verificaci\u00f3n del rango de im\u00e1genes podr\u00eda provocar que se eludan las restricciones de direcciones y se carguen im\u00e1genes en direcciones no permitidas."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 0.8, "impactScore": 5.9}, {"source": "cve@asrg.io", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-191"}]}, {"source": "cve@asrg.io", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-191"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:renesas:rcar_gen3:v2.5:*:*:*:*:*:*:*", "matchCriteriaId": "61D55B7B-8BDE-4855-914D-62371B0354CC"}]}]}], "references": [{"url": "https://asrg.io/security-advisories/cve-2024-6285/", "source": "cve@asrg.io", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b", "source": "cve@asrg.io", "tags": ["Patch"]}]}}, {"cve": {"id": "CVE-2024-6287", "sourceIdentifier": "cve@asrg.io", "published": "2024-06-24T16:15:11.003", "lastModified": "2024-06-26T14:36:08.507", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Incorrect Calculation vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code.\n\n\nWhen checking whether a new image invades/overlaps with a previously loaded image the code neglects to consider a few cases. that could An attacker to bypass memory range restriction and overwrite an already loaded image partly or completely, which could result in code execution and bypass of secure boot."}, {"lang": "es", "value": "La vulnerabilidad de c\u00e1lculo incorrecto en Renesas arm-trusted-firmware permite la ejecuci\u00f3n local de c\u00f3digo. Al comprobar si una nueva imagen invade/se superpone con una imagen previamente cargada, el c\u00f3digo omite considerar algunos casos. Esto podr\u00eda permitir a un atacante eludir la restricci\u00f3n del rango de memoria y sobrescribir parcial o completamente una imagen ya cargada, lo que podr\u00eda provocar la ejecuci\u00f3n del c\u00f3digo y la omisi\u00f3n del arranque seguro."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "cve@asrg.io", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-682"}]}, {"source": "cve@asrg.io", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-682"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:renesas:rcar_gen3:v2.5:*:*:*:*:*:*:*", "matchCriteriaId": "61D55B7B-8BDE-4855-914D-62371B0354CC"}]}]}], "references": [{"url": "https://asrg.io/security-advisories/cve-2024-6287/", "source": "cve@asrg.io", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04", "source": "cve@asrg.io", "tags": ["Patch"]}]}}, {"cve": {"id": "CVE-2024-33879", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T17:15:10.257", "lastModified": "2024-06-26T14:40:53.927", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows arbitrary file download and deletion via absolute path traversal in the path parameter."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en VirtoSoftware Virto Bulk File Download 5.5.44 para SharePoint 2019. El m\u00e9todo Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted permite la descarga y eliminaci\u00f3n de archivos arbitrarios mediante un path traversal absoluto en el par\u00e1metro de ruta."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:virtosoftware:sharepoint_bulk_file_download:5.5.44:*:*:*:*:*:*:*", "matchCriteriaId": "C9E9B4C5-A977-4024-B206-BF9FC7262B1D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*", "matchCriteriaId": "6122D014-5BF1-4AF4-8B4D-80205ED7785E"}]}]}], "references": [{"url": "https://docs.virtosoftware.com/v/virto-security-frequently-asked-questions-faq", "source": "cve@mitre.org", "tags": ["Product"]}, {"url": "https://download.virtosoftware.com/Manuals/nu_ncsc_virto_one_bulk_file_download_v5.4.4_pt_disclosure.pdf", "source": "cve@mitre.org", "tags": ["Product"]}]}}, {"cve": {"id": "CVE-2024-33880", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T17:15:10.353", "lastModified": "2024-06-26T14:42:00.533", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. It discloses full pathnames via Virto.SharePoint.FileDownloader/Api/Download.ashx?action=archive."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en VirtoSoftware Virto Bulk File Download 5.5.44 para SharePoint 2019. Revela nombres de ruta completos a trav\u00e9s de Virto.SharePoint.FileDownloader/Api/Download.ashx?action=archive."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:virtosoftware:sharepoint_bulk_file_download:5.5.44:*:*:*:*:*:*:*", "matchCriteriaId": "C9E9B4C5-A977-4024-B206-BF9FC7262B1D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*", "matchCriteriaId": "6122D014-5BF1-4AF4-8B4D-80205ED7785E"}]}]}], "references": [{"url": "https://docs.virtosoftware.com/v/virto-security-frequently-asked-questions-faq>%3B", "source": "cve@mitre.org", "tags": ["Broken Link"]}, {"url": "https://download.virtosoftware.com/Manuals/nu_ncsc_virto_one_bulk_file_download_v5.4.4_pt_disclosure.pdf", "source": "cve@mitre.org", "tags": ["Product"]}]}}, {"cve": {"id": "CVE-2024-33881", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T17:15:10.447", "lastModified": "2024-06-26T14:42:27.170", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows an NTLMv2 hash leak via a UNC share pathname in the path parameter."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en VirtoSoftware Virto Bulk File Download 5.5.44 para SharePoint 2019. El m\u00e9todo Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted permite una fuga de hash NTLMv2 a trav\u00e9s de un nombre de ruta compartido UNC en el par\u00e1metro de ruta."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:virtosoftware:sharepoint_bulk_file_download:5.5.44:*:*:*:*:*:*:*", "matchCriteriaId": "C9E9B4C5-A977-4024-B206-BF9FC7262B1D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*", "matchCriteriaId": "6122D014-5BF1-4AF4-8B4D-80205ED7785E"}]}]}], "references": [{"url": "https://docs.virtosoftware.com/v/virto-security-frequently-asked-questions-faq", "source": "cve@mitre.org", "tags": ["Product"]}, {"url": "https://download.virtosoftware.com/Manuals/nu_ncsc_virto_one_bulk_file_download_v5.4.4_pt_disclosure.pdf", "source": "cve@mitre.org", "tags": ["Product"]}]}}, {"cve": {"id": "CVE-2024-38369", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-24T17:15:10.593", "lastModified": "2024-06-26T14:47:05.077", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference=\"targetdocument\"/}}` is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the author of the content which used the `include` macro. This vulnerability has been patched in XWiki 15.0 RC1 by making the default behavior safe.\n"}, {"lang": "es", "value": "XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones creadas sobre ella. El contenido de un documento incluido usando `{{include reference=\"targetdocument\"/}}` se ejecuta con el derecho del incluidor y no con el derecho de su autor. Esto significa que cualquier usuario capaz de modificar el documento de destino puede hacerse pasar por el autor del contenido que utiliz\u00f3 la macro \"incluir\". Esta vulnerabilidad se ha solucionado en XWiki 15.0 RC1 haciendo que el comportamiento predeterminado sea seguro."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}, {"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.5", "versionEndExcluding": "15.0", "matchCriteriaId": "62462FC0-CC07-40F4-8DBE-9C12BBF4F99C"}]}]}], "references": [{"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh", "source": "security-advisories@github.com", "tags": ["Vendor Advisory"]}]}}, {"cve": {"id": "CVE-2024-38373", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-24T17:15:10.830", "lastModified": "2024-06-26T15:02:05.100", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "FreeRTOS-Plus-TCP is a lightweight TCP/IP stack for FreeRTOS. FreeRTOS-Plus-TCP versions 4.0.0 through 4.1.0 contain a buffer over-read issue in the DNS Response Parser when parsing domain names in a DNS response. A carefully crafted DNS response with domain name length value greater than the actual domain name length, could cause the parser to read beyond the DNS response buffer. This issue affects applications using DNS functionality of the FreeRTOS-Plus-TCP stack. Applications that do not use DNS functionality are not affected, even when the DNS functionality is enabled. This vulnerability has been patched in version 4.1.1."}, {"lang": "es", "value": "FreeRTOS-Plus-TCP es una pila TCP/IP ligera para FreeRTOS. Las versiones 4.0.0 a 4.1.0 de FreeRTOS-Plus-TCP contienen un problema de sobrelectura del b\u00fafer en el analizador de respuesta DNS al analizar nombres de dominio en una respuesta DNS. Una respuesta DNS cuidadosamente manipulada con un valor de longitud del nombre de dominio mayor que la longitud real del nombre de dominio podr\u00eda hacer que el analizador lea m\u00e1s all\u00e1 del b\u00fafer de respuesta DNS. Este problema afecta a las aplicaciones que utilizan la funcionalidad DNS de la pila FreeRTOS-Plus-TCP. Las aplicaciones que no utilizan la funcionalidad DNS no se ven afectadas, incluso cuando la funcionalidad DNS est\u00e1 habilitada. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 4.1.1."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}, {"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.1, "impactScore": 5.8}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}, {"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-126"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:amazon:freertos-plus-tcp:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.1.1", "matchCriteriaId": "17A4C4F8-3EC2-422D-BAC6-224E3FC2DEE5"}]}]}], "references": [{"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.1.1", "source": "security-advisories@github.com", "tags": ["Release Notes"]}, {"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-ppcp-rg65-58mv", "source": "security-advisories@github.com", "tags": ["Vendor Advisory"]}]}}, {"cve": {"id": "CVE-2024-6104", "sourceIdentifier": "security@hashicorp.com", "published": "2024-06-24T17:15:11.087", "lastModified": "2024-06-26T17:19:40.850", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7."}, {"lang": "es", "value": "go-retryablehttp anterior a 0.7.7 no sanitizaba las URL al escribirlas en su archivo de registro. Esto podr\u00eda llevar a que go-retryablehttp escriba credenciales de autenticaci\u00f3n b\u00e1sicas HTTP confidenciales en su archivo de registro. Esta vulnerabilidad, CVE-2024-6104, se solucion\u00f3 en go-retryablehttp 0.7.7."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, {"source": "security@hashicorp.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.0, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.5, "impactScore": 4.0}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-532"}]}, {"source": "security@hashicorp.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-532"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hashicorp:retryablehttp:*:*:*:*:*:go:*:*", "versionEndExcluding": "0.7.7", "matchCriteriaId": "0FCBD41E-84B7-4720-A6EA-9A617EEC3F30"}]}]}], "references": [{"url": "https://discuss.hashicorp.com/c/security", "source": "security@hashicorp.com", "tags": ["Vendor Advisory"]}]}}, {"cve": {"id": "CVE-2023-49793", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-24T18:15:10.437", "lastModified": "2024-06-26T17:39:59.163", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of `CodeChecker store` are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine of `CodeChecker server`. The vulnerable endpoint is `/Default/v6.53/CodeCheckerService@massStoreRun`. The path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same permission level as the `CodeChecker server`.\nThe attack requires a user account on the `CodeChecker server`, with permission to store to a server, and view the stored report. This vulnerability has been patched in version 6.23."}, {"lang": "es", "value": "CodeChecker es una herramienta de an\u00e1lisis, una base de datos de defectos y una extensi\u00f3n de visor para Clang Static Analyzer y Clang Tidy. Los archivos zip cargados en el extremo del servidor de \"CodeChecker store\" no se sanitizan adecuadamente. Un atacante, utilizando un ataque de path traversal, puede cargar y mostrar archivos en la m\u00e1quina del \"servidor CodeChecker\". El endpoint vulnerable es `/Default/v6.53/CodeCheckerService@massStoreRun`. La vulnerabilidad de path traversal permite leer datos en la m\u00e1quina del \"servidor CodeChecker\", con el mismo nivel de permiso que el \"servidor CodeChecker\". El ataque requiere una cuenta de usuario en el \"servidor CodeChecker\", con permiso para almacenar en un servidor y ver el informe almacenado. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 6.23."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}, {"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ericsson:codechecker:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.23.0", "matchCriteriaId": "10E6338B-8ABE-4FD0-9EBE-DF267A26982B"}]}]}], "references": [{"url": "https://github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a", "source": "security-advisories@github.com", "tags": ["Patch"]}, {"url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf", "source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"]}]}}, {"cve": {"id": "CVE-2021-45785", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T19:15:11.700", "lastModified": "2024-06-26T17:42:23.627", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "TruDesk Help Desk/Ticketing Solution v1.1.11 is vulnerable to a Cross-Site Request Forgery (CSRF) attack which would allow an attacker to restart the server, causing a DoS attack. The attacker must craft a webpage that would perform a GET request to the /api/v1/admin/restart endpoint, then the victim (who has sufficient privileges), would visit the page and the server restart would begin. The attacker must know the full URL that TruDesk is on in order to craft the webpage."}, {"lang": "es", "value": "TruDesk Help Desk/Ticketing Solution v1.1.11 es vulnerable a un ataque de Cross-Site Request Forgery (CSRF) que permitir\u00eda a un atacante reiniciar el servidor, provocando un ataque DoS. El atacante debe crear una p\u00e1gina web que realice una solicitud GET al endpoint /api/v1/admin/restart, luego la v\u00edctima (que tiene privilegios suficientes) visitar\u00e1 la p\u00e1gina y comenzar\u00e1 el reinicio del servidor. El atacante debe conocer la URL completa en la que se encuentra TruDesk para poder crear la p\u00e1gina web."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:trudesk_project:trudesk:1.1.11:*:*:*:*:*:*:*", "matchCriteriaId": "B4C2D13A-912B-437C-BFA5-573732BD4A44"}]}]}], "references": [{"url": "https://1d8.github.io/cves/cve_2021_45785/", "source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"]}]}}, {"cve": {"id": "CVE-2024-37677", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T19:15:15.527", "lastModified": "2024-06-26T17:43:11.407", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "An issue in Shenzhen Weitillage Industrial Co., Ltd the access management specialist V6.62.51215 allows a remote attacker to obtain sensitive information."}, {"lang": "es", "value": "Un problema en Shenzhen Weitillage Industrial Co., Ltd, el especialista en gesti\u00f3n de acceso V6.62.51215 permite a un atacante remoto obtener informaci\u00f3n confidencial."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:access_management_specialist_project:access_management_specialist:6.62.51215:*:*:*:*:*:*:*", "matchCriteriaId": "5551F46C-46C5-4CA4-A02E-AEEBF3A5CFE4"}]}]}], "references": [{"url": "https://github.com/dabaizhizhu/123/issues/2", "source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking"]}]}}, {"cve": {"id": "CVE-2024-37679", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T19:15:15.617", "lastModified": "2024-06-26T17:48:30.970", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Hangzhou Meisoft Information Technology Co., Ltd. Finesoft v.8.0 and before allows a remote attacker to execute arbitrary code via a crafted script to the login.jsp parameter."}, {"lang": "es", "value": "Vulnerabilidad de Cross Site Scripting en Hangzhou Meisoft Information Technology Co., Ltd. Finesoft v.8.0 y anteriores permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s de un script manipulado para el par\u00e1metro login.jsp."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:finesoft_project:finesoft:*:*:*:*:*:*:*:*", "versionEndIncluding": "8.0", "matchCriteriaId": "70E70792-37E9-43F6-9270-957A167C57CF"}]}]}], "references": [{"url": "https://github.com/dabaizhizhu/123/issues/4", "source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking"]}]}}, {"cve": {"id": "CVE-2024-37680", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T19:15:15.697", "lastModified": "2024-06-26T17:48:43.950", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Hangzhou Meisoft Information Technology Co., Ltd. FineSoft <=8.0 is affected by Cross Site Scripting (XSS) which allows remote attackers to execute arbitrary code. Enter any account and password, click Login, the page will report an error, and a controllable parameter will appear at the URL:weburl."}, {"lang": "es", "value": "Hangzhou Meisoft Information Technology Co., Ltd. FineSoft <=8.0 se ve afectado por Cross Site Scripting (XSS) que permite a atacantes remotos ejecutar c\u00f3digo arbitrario. Ingrese cualquier cuenta y contrase\u00f1a, haga clic en Iniciar sesi\u00f3n, la p\u00e1gina informar\u00e1 un error y aparecer\u00e1 un par\u00e1metro controlable en la URL: weburl."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:finesoft_project:finesoft:*:*:*:*:*:*:*:*", "versionEndIncluding": "8.0", "matchCriteriaId": "70E70792-37E9-43F6-9270-957A167C57CF"}]}]}], "references": [{"url": "https://github.com/dabaizhizhu/123/issues/5", "source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking"]}]}}, {"cve": {"id": "CVE-2024-37732", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T19:15:15.780", "lastModified": "2024-06-26T17:49:36.837", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Anchor CMS v.0.12.7 allows a remote attacker to execute arbitrary code via a crafted .pdf file."}, {"lang": "es", "value": "Vulnerabilidad de Cross Site Scripting en Anchor CMS v.0.12.7 permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s de un archivo .pdf manipulado."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anchorcms:anchor_cms:0.12.7:*:*:*:*:*:*:*", "matchCriteriaId": "5436E346-1B14-4626-8E46-FC260CFE9885"}]}]}], "references": [{"url": "https://gitee.com/Aa272899/CHG-sec/issues/I9UO7X", "source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking"]}]}}, {"cve": {"id": "CVE-2024-34312", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T20:15:10.480", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Virtual Programming Lab for Moodle up to v4.2.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component vplide.js."}, {"lang": "es", "value": "Se descubri\u00f3 que Virtual Programming Lab para Moodle hasta v4.2.3 contiene una vulnerabilidad de Cross Site Scripting (XSS) a trav\u00e9s del componente vplide.js."}], "metrics": {}, "references": [{"url": "https://github.com/vincentscode/CVE-2024-34312", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-34313", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T20:15:10.573", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An issue in VPL Jail System up to v4.0.2 allows attackers to execute a directory traversal via a crafted request to a public endpoint."}, {"lang": "es", "value": "Un problema en VPL Jail System hasta v4.0.2 permite a los atacantes ejecutar un directory traversal a trav\u00e9s de una solicitud manipulada a un endpoint p\u00fablico."}], "metrics": {}, "references": [{"url": "https://github.com/vincentscode/CVE-2024-34313", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37678", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T20:15:10.660", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Hangzhou Meisoft Information Technology Co., Ltd. Finesoft v.8.0 and before allows a remote attacker to execute arbitrary code via a crafted script."}, {"lang": "es", "value": "Vulnerabilidad de Cross Site Scripting en Hangzhou Meisoft Information Technology Co., Ltd. Finesoft v.8.0 y anteriores permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s de un script manipulado."}], "metrics": {}, "references": [{"url": "https://github.com/dabaizhizhu/123/issues/3", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37681", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T20:15:10.810", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An issue the background management system of Shanxi Internet Chuangxiang Technology Co., Ltd v1.0.1 allows a remote attacker to cause a denial of service via the index.html component."}, {"lang": "es", "value": "Un problema del sistema de gesti\u00f3n en segundo plano de Shanxi Internet Chuangxiang Technology Co., Ltd v1.0.1 permite que un atacante remoto provoque una denegaci\u00f3n de servicio a trav\u00e9s del componente index.html."}], "metrics": {}, "references": [{"url": "https://github.com/dabaizhizhu/123/issues/6", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2023-45196", "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "published": "2024-06-24T21:15:25.630", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Adminer and AdminerEvo allow an unauthenticated remote attacker to cause a denial of service by connecting to an attacker-controlled service that responds with HTTP redirects. The denial of service is subject to PHP configuration limits.\u00a0Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4."}, {"lang": "es", "value": "Adminer y AdminerEvo permiten que un atacante remoto no autenticado provoque una denegaci\u00f3n de servicio al conectarse a un servicio controlado por el atacante que responde con redirecciones HTTP. La denegaci\u00f3n de servicio est\u00e1 sujeta a los l\u00edmites de configuraci\u00f3n de PHP. Adminer ya no es compatible, pero este problema se solucion\u00f3 en AdminerEvo versi\u00f3n 4.8.4."}], "metrics": {}, "weaknesses": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://github.com/adminerevo/adminerevo/pull/102/commits/23e7cdc0a32b3739e13d19ae504be0fe215142b6", "source": "9119a7d8-5eab-497f-8521-727c672e3725"}]}}, {"cve": {"id": "CVE-2024-37759", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T21:15:25.940", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "DataGear v5.0.0 and earlier was discovered to contain a SpEL (Spring Expression Language) expression injection vulnerability via the Data Viewing interface."}, {"lang": "es", "value": "Se descubri\u00f3 que DataGear v5.0.0 y versiones anteriores conten\u00edan una vulnerabilidad de inyecci\u00f3n de expresi\u00f3n SpEL (Spring Expression Language) a trav\u00e9s de la interfaz de visualizaci\u00f3n de datos."}], "metrics": {}, "references": [{"url": "https://github.com/crumbledwall/CVE-2024-37759_PoC", "source": "cve@mitre.org"}, {"url": "https://github.com/datageartech/datagear/issues/32", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38892", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T21:15:26.050", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An issue in Wavlink WN551K1 allows a remote attacker to obtain sensitive information via the ExportAllSettings.sh component."}, {"lang": "es", "value": "Un problema en Wavlink WN551K1 permite a un atacante remoto obtener informaci\u00f3n confidencial a trav\u00e9s del componente ExportAllSettings.sh."}], "metrics": {}, "references": [{"url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main/Wavlink/WN551K1/ExportLogs.sh/README.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38894", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T21:15:26.137", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "WAVLINK WN551K1 found a command injection vulnerability through the IP parameter of /cgi-bin/touchlist_sync.cgi."}, {"lang": "es", "value": "WAVLINK WN551K1 encontr\u00f3 una vulnerabilidad de inyecci\u00f3n de comandos a trav\u00e9s del par\u00e1metro IP de /cgi-bin/touchlist_sync.cgi."}], "metrics": {}, "references": [{"url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main/Wavlink/WN551K1/touchlist_sync.cgi/README.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38895", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T21:15:26.213", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "WAVLINK WN551K1'live_mfg.shtml enables attackers to obtain sensitive router information."}, {"lang": "es", "value": "WAVLINK WN551K1'live_mfg.shtml permite a los atacantes obtener informaci\u00f3n confidencial del enrutador."}], "metrics": {}, "references": [{"url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/tree/main/Wavlink/WN551K1/live_mfg.shtml", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38896", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T21:15:26.293", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "WAVLINK WN551K1 found a command injection vulnerability through the start_hour parameter of /cgi-bin/nightled.cgi."}, {"lang": "es", "value": "WAVLINK WN551K1 encontr\u00f3 una vulnerabilidad de inyecci\u00f3n de comandos a trav\u00e9s del par\u00e1metro start_hour de /cgi-bin/nightled.cgi."}], "metrics": {}, "references": [{"url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/tree/main/Wavlink/WN551K1/nightled.cgi", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38897", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T21:15:26.377", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "WAVLINK WN551K1'live_check.shtml enables attackers to obtain sensitive router information."}, {"lang": "es", "value": "WAVLINK WN551K1'live_check.shtml permite a los atacantes obtener informaci\u00f3n confidencial del enrutador."}], "metrics": {}, "references": [{"url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main/Wavlink/WN551K1/live_check.shtml/README.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38902", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T21:15:26.457", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "H3C Magic R230 V100R002 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root."}, {"lang": "es", "value": "Se descubri\u00f3 que H3C Magic R230 V100R002 contiene una vulnerabilidad de contrase\u00f1a codificada en /etc/shadow, que permite a los atacantes iniciar sesi\u00f3n como root."}], "metrics": {}, "references": [{"url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main/H3C/Magic%20R230/hardcode/README.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38903", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T21:15:26.543", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "H3C Magic R230 V100R002's udpserver opens port 9034, allowing attackers to execute arbitrary commands."}, {"lang": "es", "value": "El udpserver del H3C Magic R230 V100R002 abre el puerto 9034, lo que permite a los atacantes ejecutar comandos arbitrarios."}], "metrics": {}, "references": [{"url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main/H3C/Magic%20R230/UDPserver_97F/README.md", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2023-45195", "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "published": "2024-06-24T22:15:10.060", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Adminer and AdminerEvo are vulnerable to SSRF via database connection fields. This could allow an unauthenticated remote attacker to enumerate or access systems the attacker would not otherwise have access to.\u00a0Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4."}, {"lang": "es", "value": "Adminer y AdminerEvo son vulnerables a SSRF a trav\u00e9s de campos de conexi\u00f3n de base de datos. Esto podr\u00eda permitir que un atacante remoto no autenticado enumere o acceda a sistemas a los que de otra manera el atacante no tendr\u00eda acceso. Adminer ya no es compatible, pero este problema se solucion\u00f3 en AdminerEvo versi\u00f3n 4.8.4."}], "metrics": {}, "weaknesses": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/adminerevo/adminerevo/pull/102/commits/18f3167bbcbec3bc746f62db72e016aa99144efc", "source": "9119a7d8-5eab-497f-8521-727c672e3725"}]}}, {"cve": {"id": "CVE-2024-33898", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T22:15:10.207", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Axiros AXESS Auto Configuration Server (ACS) 4.x and 5.0.0 has Incorrect Access Control. An authorization bypass allows remote attackers to achieve unauthenticated remote code execution."}, {"lang": "es", "value": "El servidor de configuraci\u00f3n autom\u00e1tica (ACS) de Axiros AXESS 4.x y 5.0.0 tiene un control de acceso incorrecto. Una omisi\u00f3n de autorizaci\u00f3n permite a atacantes remotos lograr la ejecuci\u00f3n remota de c\u00f3digo no autenticado."}], "metrics": {}, "references": [{"url": "https://www.axiros.com/2024/03/vulnerability-in-axusermanager", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-34991", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T22:15:10.290", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the module \"Axepta\" (axepta) before 1.3.4 from Quadra Informatique for PrestaShop, a guest can download partial credit card information (expiry date) / postal address / email / etc. without restriction due to a lack of permissions control."}, {"lang": "es", "value": "En el m\u00f3dulo \"Axepta\" (axepta) anterior a 1.3.4 de Quadra Informatique para PrestaShop, un invitado puede descargar informaci\u00f3n parcial de la tarjeta de cr\u00e9dito (fecha de vencimiento) / direcci\u00f3n postal / correo electr\u00f3nico / etc. sin restricciones debido a la falta de control de permisos."}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/20/axepta.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36682", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T22:15:10.377", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the module \"Theme settings\" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can download all email collected while SHOP is in maintenance mode. Due to a lack of permissions control, a guest can access the txt file which collect email when maintenance is enable which can lead to leak of personal information."}, {"lang": "es", "value": "En el m\u00f3dulo \"Configuraci\u00f3n del tema\" (pk_themesettings) <= 1.8.8 de Promokit.eu para PrestaShop, un invitado puede descargar todos los correos electr\u00f3nicos recopilados mientras SHOP est\u00e1 en modo de mantenimiento. Debido a la falta de control de permisos, un invitado puede acceder al archivo de texto que recopila el correo electr\u00f3nico cuando el mantenimiento est\u00e1 habilitado, lo que puede provocar una filtraci\u00f3n de informaci\u00f3n personal."}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/20/pk_themesettings.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-6290", "sourceIdentifier": "chrome-cve-admin@google.com", "published": "2024-06-24T22:15:10.460", "lastModified": "2024-06-27T03:15:51.093", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Use after free in Dawn in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}, {"lang": "es", "value": " Use after free en Dawn en Google Chrome anterior a 126.0.6478.126 permit\u00eda a un atacante remoto explotar potencialmente la corrupci\u00f3n del mont\u00f3n a trav\u00e9s de una p\u00e1gina HTML manipulada. (Severidad de seguridad de Chrome: alta)"}], "metrics": {}, "weaknesses": [{"source": "chrome-cve-admin@google.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_24.html", "source": "chrome-cve-admin@google.com"}, {"url": "https://issues.chromium.org/issues/342428008", "source": "chrome-cve-admin@google.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T6OJ65HWXYSYMH55VDO6N36EOZFUNL4O/", "source": "chrome-cve-admin@google.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHV5WTU27YOIBIM2CON42SHWY6J2HPRS/", "source": "chrome-cve-admin@google.com"}]}}, {"cve": {"id": "CVE-2024-6291", "sourceIdentifier": "chrome-cve-admin@google.com", "published": "2024-06-24T22:15:10.577", "lastModified": "2024-06-27T03:15:51.167", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Use after free in Swiftshader in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}, {"lang": "es", "value": "Use after free en Swiftshader en Google Chrome anterior a 126.0.6478.126 permit\u00eda a un atacante remoto explotar potencialmente la corrupci\u00f3n del mont\u00f3n a trav\u00e9s de una p\u00e1gina HTML manipulada. (Severidad de seguridad de Chrome: alta)"}], "metrics": {}, "weaknesses": [{"source": "chrome-cve-admin@google.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_24.html", "source": "chrome-cve-admin@google.com"}, {"url": "https://issues.chromium.org/issues/40942995", "source": "chrome-cve-admin@google.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T6OJ65HWXYSYMH55VDO6N36EOZFUNL4O/", "source": "chrome-cve-admin@google.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHV5WTU27YOIBIM2CON42SHWY6J2HPRS/", "source": "chrome-cve-admin@google.com"}]}}, {"cve": {"id": "CVE-2024-6292", "sourceIdentifier": "chrome-cve-admin@google.com", "published": "2024-06-24T22:15:10.660", "lastModified": "2024-06-27T03:15:51.230", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Use after free in Dawn in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}, {"lang": "es", "value": " Use after free en Dawn en Google Chrome anterior a 126.0.6478.126 permit\u00eda a un atacante remoto explotar potencialmente la corrupci\u00f3n del mont\u00f3n a trav\u00e9s de una p\u00e1gina HTML manipulada. (Severidad de seguridad de Chrome: alta)"}], "metrics": {}, "weaknesses": [{"source": "chrome-cve-admin@google.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_24.html", "source": "chrome-cve-admin@google.com"}, {"url": "https://issues.chromium.org/issues/342545100", "source": "chrome-cve-admin@google.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T6OJ65HWXYSYMH55VDO6N36EOZFUNL4O/", "source": "chrome-cve-admin@google.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHV5WTU27YOIBIM2CON42SHWY6J2HPRS/", "source": "chrome-cve-admin@google.com"}]}}, {"cve": {"id": "CVE-2024-6293", "sourceIdentifier": "chrome-cve-admin@google.com", "published": "2024-06-24T22:15:10.740", "lastModified": "2024-06-27T03:15:51.293", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Use after free in Dawn in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}, {"lang": "es", "value": "Use after free en Dawn en Google Chrome anterior a 126.0.6478.126 permit\u00eda a un atacante remoto explotar potencialmente la corrupci\u00f3n del mont\u00f3n a trav\u00e9s de una p\u00e1gina HTML manipulada. (Severidad de seguridad de Chrome: alta)"}], "metrics": {}, "weaknesses": [{"source": "chrome-cve-admin@google.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_24.html", "source": "chrome-cve-admin@google.com"}, {"url": "https://issues.chromium.org/issues/345993680", "source": "chrome-cve-admin@google.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T6OJ65HWXYSYMH55VDO6N36EOZFUNL4O/", "source": "chrome-cve-admin@google.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHV5WTU27YOIBIM2CON42SHWY6J2HPRS/", "source": "chrome-cve-admin@google.com"}]}}, {"cve": {"id": "CVE-2023-50029", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T23:15:10.157", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "PHP Injection vulnerability in the module \"M4 PDF Extensions\" (m4pdf) up to version 3.3.2 from PrestaAddons for PrestaShop allows attackers to run arbitrary code via the M4PDF::saveTemplate() method."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n de PHP en el m\u00f3dulo \"M4 PDF Extensions\" (m4pdf) hasta la versi\u00f3n 3.3.2 de PrestaAddons para PrestaShop permite a los atacantes ejecutar c\u00f3digo de su elecci\u00f3n a trav\u00e9s del m\u00e9todo M4PDF::saveTemplate()."}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/20/m4pdf.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-22168", "sourceIdentifier": "psirt@wdc.com", "published": "2024-06-24T23:15:10.417", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A Cross-Site Scripting (XSS) vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user\u2019s browser session to carry out malicious activities.The web apps for these devices have been automatically updated to resolve this vulnerability and improve the security of your devices and data."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de Cross Site Scripting (XSS) en las aplicaciones web My Cloud, My Cloud Home, SanDisk ibi y WD Cloud que podr\u00eda permitir a un atacante redirigir al usuario a un dominio manipulado y restablecer sus credenciales, o ejecutar acciones arbitrarias. c\u00f3digo del lado del cliente en la sesi\u00f3n del navegador del usuario para llevar a cabo actividades maliciosas. Las aplicaciones web para estos dispositivos se han actualizado autom\u00e1ticamente para resolver esta vulnerabilidad y mejorar la seguridad de sus dispositivos y datos."}], "metrics": {}, "weaknesses": [{"source": "psirt@wdc.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://www.westerndigital.com/support/product-security/wdc-24003-western-digital-my-cloud-os-5-my-cloud-home-sandisk-ibi-and-wd-cloud-web-app-update", "source": "psirt@wdc.com"}]}}, {"cve": {"id": "CVE-2024-34988", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T23:15:10.527", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in the module \"Complete for Create a Quote in Frontend + Backend Pro\" (askforaquotemodul) <= 1.0.51 from Buy Addons for PrestaShop allows attackers to view sensitive information and cause other impacts via methods `AskforaquotemodulcustomernewquoteModuleFrontController::run()`, `AskforaquotemoduladdproductnewquoteModuleFrontController::run()`, `AskforaquotemodulCouponcodeModuleFrontController::run()`, `AskforaquotemodulgetshippingcostModuleFrontController::run()`, `AskforaquotemodulgetstateModuleFrontController::run().`"}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo \"Completo para crear una cotizaci\u00f3n en Frontend + Backend Pro\" (askforaquotemodul) <= 1.0.51 de Comprar complementos para PrestaShop permite a atacantes ver informaci\u00f3n confidencial y causar otros impactos a trav\u00e9s de los m\u00e9todos `AskforaquotemodulcustomernewquoteModuleFrontController::run() `, `AskforaquotemoduladdproductnewquoteModuleFrontController::run()`, `AskforaquotemodulCouponcodeModuleFrontController::run()`, `AskforaquotemodulgetshippingcostModuleFrontController::run()`, `AskforaquotemodulgetstateModuleFrontController::run().`"}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/20/askforaquotemodul.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-34992", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T23:15:10.613", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in the module \"Help Desk - Customer Support Management System\" (helpdesk) up to version 2.4.0 from FME Modules for PrestaShop allows attackers to obtain sensitive information and cause other impacts via 'Tickets::getsearchedtickets()'"}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo \"Help Desk - Customer Support Management System\" (servicio de ayuda) hasta la versi\u00f3n 2.4.0 de los m\u00f3dulos FME para PrestaShop permite a atacantes obtener informaci\u00f3n sensible y causar otros impactos a trav\u00e9s de 'Tickets::getsearchedtickets()'"}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/20/helpdesk.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36681", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T23:15:10.690", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in the module \"Isotope\" (pk_isotope) <=1.7.3 from Promokit.eu for PrestaShop allows attackers to obtain sensitive information and cause other impacts via `pk_isotope::saveData` and `pk_isotope::removeData` methods."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo \"Isotope\" (pk_isotope) <=1.7.3 de Promokit.eu para PrestaShop permite a atacantes obtener informaci\u00f3n confidencial y causar otros impactos a trav\u00e9s de los m\u00e9todos `pk_isotope::saveData` y `pk_isotope::removeData`."}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/20/pk_isotope.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36683", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T23:15:10.773", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in the module \"Products Alert\" (productsalert) before 1.7.4 from Smart Modules for PrestaShop allows attackers to obtain sensitive information and cause other impacts via the ProductsAlertAjaxProcessModuleFrontController::initContent method."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo \"Products Alert\" (productsalert) anterior a 1.7.4 de Smart Modules para PrestaShop permite a atacantes obtener informaci\u00f3n confidencial y causar otros impactos a trav\u00e9s del m\u00e9todo ProductsAlertAjaxProcessModuleFrontController::initContent."}], "metrics": {}, "references": [{"url": "https://security.friendsofpresta.org/modules/2024/06/20/productsalert.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2023-6198", "sourceIdentifier": "security@baicells.com", "published": "2024-06-25T02:15:10.347", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Use of Hard-coded Credentials vulnerability in Baicells Snap Router BaiCE_BMI on EP3011 (User Passwords modules) allows unauthorized access to the device."}, {"lang": "es", "value": "El uso de la vulnerabilidad de credenciales codificadas en Baicells Snap Router BaiCE_BMI en EP3011 (m\u00f3dulos de Contrase\u00f1as de usuario) permite el acceso no autorizado al dispositivo."}], "metrics": {"cvssMetricV31": [{"source": "security@baicells.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "weaknesses": [{"source": "security@baicells.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "references": [{"url": "https://www.baicells.com", "source": "security@baicells.com"}]}}, {"cve": {"id": "CVE-2024-22385", "sourceIdentifier": "hirt@hitachi.co.jp", "published": "2024-06-25T02:15:10.583", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Incorrect Default Permissions vulnerability in Hitachi Storage Provider for VMware vCenter allows local users to read and write specific files.This issue affects Hitachi Storage Provider for VMware vCenter: from 3.1.0 before 3.7.4."}, {"lang": "es", "value": "La vulnerabilidad de permisos predeterminados incorrectos en Hitachi Storage Provider para VMware vCenter permite a los usuarios locales leer y escribir archivos espec\u00edficos. Este problema afecta a Hitachi Storage Provider para VMware vCenter: desde 3.1.0 antes de 3.7.4."}], "metrics": {"cvssMetricV31": [{"source": "hirt@hitachi.co.jp", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "hirt@hitachi.co.jp", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "references": [{"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-129/index.html", "source": "hirt@hitachi.co.jp"}]}}, {"cve": {"id": "CVE-2024-23140", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T02:15:10.940", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted 3DM and MODEL file, when parsed in opennurbs.dll and atf_api.dll through Autodesk applications, can force an Out-of-Bound Read. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo 3DM y MODEL creado con fines malintencionados, cuando se analiza en opennurbs.dll y atf_api.dll mediante aplicaciones de Autodesk, puede forzar una lectura fuera de los l\u00edmites. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23141", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T02:15:11.030", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted MODEL file, when parsed in libodxdll through Autodesk applications, can cause a double free. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process."}, {"lang": "es", "value": "Un archivo MODEL creado con fines malintencionados, cuando se analiza en libodxdll a trav\u00e9s de aplicaciones de Autodesk, puede provocar una doble liberaci\u00f3n. Esta vulnerabilidad, junto con otras vulnerabilidades, puede provocar la ejecuci\u00f3n de c\u00f3digo en el proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-415"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23142", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T02:15:11.123", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted CATPART, STP, and MODEL file, when parsed in atf_dwg_consumer.dll, rose_x64_vc15.dll and libodxdll through Autodesk applications, can cause a use-after-free vulnerability. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process."}, {"lang": "es", "value": "Un archivo CATPART, STP y MODEL creado con fines malintencionados, cuando se analiza en atf_dwg_consumer.dll, rose_x64_vc15.dll y libodxdll a trav\u00e9s de aplicaciones de Autodesk, puede provocar una vulnerabilidad de use-after-free. Esta vulnerabilidad, junto con otras vulnerabilidades, puede provocar la ejecuci\u00f3n de c\u00f3digo en el proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23143", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T02:15:11.203", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted 3DM, MODEL and X_B file, when parsed in ASMkern229A.dll and ASMBASE229A.dll through Autodesk applications, can force an Out-of-Bound Read and/or Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo 3DM, MODEL y X_B creado con fines malintencionados, cuando se analiza en ASMkern229A.dll y ASMBASE229A.dll a trav\u00e9s de aplicaciones de Autodesk, puede forzar una lectura fuera de los l\u00edmites y/o una escritura fuera de los l\u00edmites. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23144", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T02:15:11.293", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted CATPART file, when parsed in CC5Dll.dll and ASMBASE228A.dll through Autodesk applications, can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo CATPART creado con fines malintencionados, cuando se analiza en CC5Dll.dll y ASMBASE228A.dll mediante aplicaciones de Autodesk, puede forzar una escritura fuera de los l\u00edmites. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-6294", "sourceIdentifier": "twcert@cert.org.tw", "published": "2024-06-25T02:15:11.657", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "udn News Android APP stores the user session in logcat file when user log into the APP. A malicious APP or an attacker with physical access to the Android device can retrieve this session and use it to log into the news APP and other services provided by udn."}, {"lang": "es", "value": "La aplicaci\u00f3n para Android udn News almacena la sesi\u00f3n del usuario en el archivo logcat cuando el usuario inicia sesi\u00f3n en la aplicaci\u00f3n. Una APP maliciosa o un atacante con acceso f\u00edsico al dispositivo Android puede recuperar esta sesi\u00f3n y utilizarla para iniciar sesi\u00f3n en la APP de noticias y otros servicios proporcionados por la udn."}], "metrics": {"cvssMetricV31": [{"source": "twcert@cert.org.tw", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW"}, "exploitabilityScore": 0.3, "impactScore": 3.6}]}, "weaknesses": [{"source": "twcert@cert.org.tw", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-7893-43ecd-2.html", "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-7892-aafd2-1.html", "source": "twcert@cert.org.tw"}]}}, {"cve": {"id": "CVE-2023-5038", "sourceIdentifier": "fc9afe74-3f80-4fb7-a313-e6f036a89882", "published": "2024-06-25T03:15:09.737", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "badmonkey, a Security Researcher has found a flaw that allows for a unauthenticated DoS attack on the camera. An attacker runs a crafted URL, nobody can access the web management page of the camera. and must manually restart the device or re-power it. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds."}, {"lang": "es", "value": "badmonkey, un investigador de seguridad ha encontrado una falla que permite un ataque DoS no autenticado en la c\u00e1mara. Un atacante ejecuta una URL manipulada y nadie puede acceder a la p\u00e1gina de administraci\u00f3n web de la c\u00e1mara y debe reiniciar manualmente el dispositivo o volver a encenderlo. El fabricante ha publicado un parche de firmware para la falla; consulte el informe del fabricante para obtener detalles y workarounds."}], "metrics": {}, "weaknesses": [{"source": "fc9afe74-3f80-4fb7-a313-e6f036a89882", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-248"}, {"lang": "en", "value": "CWE-703"}]}], "references": [{"url": "https://www.hanwhavision.com/wp-content/uploads/2024/06/Camera-Vulnerability-Report-CVE-2023-5037-5038.pdf", "source": "fc9afe74-3f80-4fb7-a313-e6f036a89882"}]}}, {"cve": {"id": "CVE-2024-23145", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T03:15:10.000", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted PRT file, when parsed in opennurbs.dll through Autodesk applications, can force an Out-of-Bound Read. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo PRT creado con fines malintencionados, cuando se analiza en opennurbs.dll a trav\u00e9s de aplicaciones de Autodesk, puede forzar una lectura fuera de los l\u00edmites. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23146", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T03:15:10.093", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted X_B and X_T file, when parsed in pskernel.DLL through Autodesk applications, can force an Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo X_B y X_T creado con fines malintencionados, cuando se analiza en pskernel.DLL a trav\u00e9s de aplicaciones de Autodesk, puede forzar una escritura fuera de los l\u00edmites. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23147", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T03:15:10.190", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted CATPART, X_B and STEP, when parsed in ASMKERN228A.dll and ASMKERN229A.dll through Autodesk applications, can lead to a memory corruption vulnerability by write access violation. This vulnerability, in conjunction with other vulnerabilities, can lead to code execution in the context of the current process."}, {"lang": "es", "value": "Un CATPART, X_B y STEP creados con fines malintencionados, cuando se analizan en ASMKERN228A.dll y ASMKERN229A.dll a trav\u00e9s de aplicaciones de Autodesk, pueden provocar una vulnerabilidad de corrupci\u00f3n de memoria por infracci\u00f3n de acceso de escritura. Esta vulnerabilidad, junto con otras vulnerabilidades, puede provocar la ejecuci\u00f3n de c\u00f3digo en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23148", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T03:15:10.283", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted CATPRODUCT file, when parsed in CC5Dll.dll through Autodesk applications, can lead to a memory corruption vulnerability by write access violation. This vulnerability, in conjunction with other vulnerabilities, can lead to code execution in the context of the current process."}, {"lang": "es", "value": "Un archivo CATPRODUCT creado con fines malintencionados, cuando se analiza en CC5Dll.dll a trav\u00e9s de aplicaciones de Autodesk, puede provocar una vulnerabilidad de corrupci\u00f3n de memoria por infracci\u00f3n de acceso de escritura. Esta vulnerabilidad, junto con otras vulnerabilidades, puede provocar la ejecuci\u00f3n de c\u00f3digo en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23149", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T03:15:10.370", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted SLDDRW file, when parsed in ODXSW_DLL.dll through Autodesk applications, can force an Out-of-Bound Read. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo SLDDRW creado con fines malintencionados, cuando se analiza en ODXSW_DLL.dll a trav\u00e9s de aplicaciones de Autodesk, puede forzar una lectura fuera de los l\u00edmites. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-37000", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T03:15:10.463", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted X_B file, when parsed in pskernel.DLL through Autodesk applications, can lead to a memory corruption vulnerability by write access violation. This vulnerability, in conjunction with other vulnerabilities, can lead to code execution in the context of the current process."}, {"lang": "es", "value": "Un archivo X_B creado con fines malintencionados, cuando se analiza en pskernel.DLL a trav\u00e9s de aplicaciones de Autodesk, puede provocar una vulnerabilidad de corrupci\u00f3n de memoria por infracci\u00f3n de acceso de escritura. Esta vulnerabilidad, junto con otras vulnerabilidades, puede provocar la ejecuci\u00f3n de c\u00f3digo en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-37001", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T03:15:10.553", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "[A maliciously crafted 3DM file, when parsed in opennurbs.dll through Autodesk applications, can be used to cause a Heap-based Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "[Un archivo 3DM creado con fines malintencionados, cuando se analiza en opennurbs.dll a trav\u00e9s de aplicaciones de Autodesk, se puede utilizar para provocar un desbordamiento basado en mont\u00f3n. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-37002", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T03:15:10.647", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted MODEL file, when parsed in ASMkern229A.dllthrough Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process."}, {"lang": "es", "value": "Un archivo MODEL creado con fines malintencionados, cuando se analiza en ASMkern229A.dll a trav\u00e9s de aplicaciones de Autodesk, se puede utilizar para variables no inicializadas. Esta vulnerabilidad, junto con otras vulnerabilidades, podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo en el proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-457"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-6295", "sourceIdentifier": "twcert@cert.org.tw", "published": "2024-06-25T03:15:10.740", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "udn News Android APP stores the unencrypted user session in the local database when user log into the application. A malicious APP or an attacker with physical access to the Android device can retrieve this session and use it to log into the news APP and other services provided by udn."}, {"lang": "es", "value": "La aplicaci\u00f3n para Android udn News almacena la sesi\u00f3n del usuario sin cifrar en la base de datos local cuando el usuario inicia sesi\u00f3n en la aplicaci\u00f3n. Una APP maliciosa o un atacante con acceso f\u00edsico al dispositivo Android puede recuperar esta sesi\u00f3n y utilizarla para iniciar sesi\u00f3n en la APP de noticias y otros servicios proporcionados por la udn."}], "metrics": {"cvssMetricV31": [{"source": "twcert@cert.org.tw", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW"}, "exploitabilityScore": 0.3, "impactScore": 3.6}]}, "weaknesses": [{"source": "twcert@cert.org.tw", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-922"}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-7895-80dac-2.html", "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-7894-aebd8-1.html", "source": "twcert@cert.org.tw"}]}}, {"cve": {"id": "CVE-2024-23150", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:11.803", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted PRT file, when parsed in odxug_dll.dll through Autodesk applications, can force an Out-of-Bounds Write. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo PRT creado con fines malintencionados, cuando se analiza en odxug_dll.dll a trav\u00e9s de aplicaciones de Autodesk, puede forzar una escritura fuera de los l\u00edmites. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23151", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:12.567", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted 3DM file, when parsed in ASMkern229A.dll through Autodesk applications, can force an Out-of-Bounds Write. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo 3DM creado con fines malintencionados, cuando se analiza en ASMkern229A.dll a trav\u00e9s de aplicaciones de Autodesk, puede forzar una escritura fuera de los l\u00edmites. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23152", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:12.770", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted 3DM file, when parsed in opennurbs.dll through Autodesk applications, can force an Out-of-Bounds Read. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo 3DM creado con fines malintencionados, cuando se analiza en opennurbs.dll a trav\u00e9s de aplicaciones de Autodesk, puede forzar una lectura fuera de los l\u00edmites. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23153", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:12.953", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted MODEL file, when parsed in libodx.dll through Autodesk applications, can force an Out-of-Bounds Read. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo MODEL creado con fines malintencionados, cuando se analiza en libodx.dll a trav\u00e9s de aplicaciones de Autodesk, puede forzar una lectura fuera de los l\u00edmites. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23154", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:13.153", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted SLDPRT file, when parsed in ODXSW_DLL.dll through Autodesk applications, can be used to cause a Heap-based Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo SLDPRT creado con fines malintencionados, cuando se analiza en ODXSW_DLL.dll a trav\u00e9s de aplicaciones de Autodesk, se puede utilizar para provocar un desbordamiento basado en mont\u00f3n. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23155", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:13.330", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted MODEL file, when parsed in atf_asm_interface.dll through Autodesk applications, can be used to cause a Heap-based Buffer Overflow. A malicious actor can leverage this vulnerability to cause a crash or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo MODEL creado con fines malintencionados, cuando se analiza en atf_asm_interface.dll a trav\u00e9s de aplicaciones de Autodesk, se puede utilizar para provocar un desbordamiento de b\u00fafer basado en mont\u00f3n. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23156", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:13.450", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted 3DM file, when parsed in opennurbs.dll and ASMkern229A.dll through Autodesk applications, can lead to a memory corruption vulnerability by write access violation. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process."}, {"lang": "es", "value": "Un archivo 3DM creado con fines malintencionados, cuando se analiza en opennurbs.dll y ASMkern229A.dll a trav\u00e9s de aplicaciones de Autodesk, puede provocar una vulnerabilidad de corrupci\u00f3n de memoria por infracci\u00f3n de acceso de escritura. Esta vulnerabilidad, junto con otras vulnerabilidades, puede provocar la ejecuci\u00f3n de c\u00f3digo en el proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23157", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:13.723", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted SLDASM or SLDPRT file, when parsed in ODXSW_DLL.dll through Autodesk applications, can lead to a memory corruption vulnerability by write access violation. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process."}, {"lang": "es", "value": "Un archivo SLDASM o SLDPRT creado con fines malintencionados, cuando se analiza en ODXSW_DLL.dll a trav\u00e9s de aplicaciones de Autodesk, puede provocar una vulnerabilidad de corrupci\u00f3n de memoria por infracci\u00f3n de acceso de escritura. Esta vulnerabilidad, junto con otras vulnerabilidades, puede provocar la ejecuci\u00f3n de c\u00f3digo en el proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23158", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:14.007", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted IGES file, when parsed in ASMImport229A.dll through Autodesk applications, can be used to cause a use-after-free vulnerability. A malicious actor can leverage this vulnerability to cause a crash or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo IGES creado con fines malintencionados, cuando se analiza en ASMImport229A.dll a trav\u00e9s de aplicaciones de Autodesk, puede usarse para provocar una vulnerabilidad de use-after-free. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-23159", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:14.203", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted STP file, when parsed in stp_aim_x64_vc15d.dll through Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process."}, {"lang": "es", "value": "Un archivo STP creado con fines malintencionados, cuando se analiza en stp_aim_x64_vc15d.dll a trav\u00e9s de aplicaciones de Autodesk, se puede utilizar para variables no inicializadas. Esta vulnerabilidad, junto con otras vulnerabilidades, puede provocar la ejecuci\u00f3n de c\u00f3digo en el proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-457"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-32855", "sourceIdentifier": "security_alert@emc.com", "published": "2024-06-25T04:15:14.600", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Dell Client Platform BIOS contains an Out-of-bounds Write vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering."}, {"lang": "es", "value": "Dell Client Platform BIOS contiene una vulnerabilidad de escritura fuera de los l\u00edmites en un componente desarrollado externamente. Un atacante con privilegios elevados y acceso local podr\u00eda explotar esta vulnerabilidad, lo que provocar\u00eda una manipulaci\u00f3n de la informaci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security_alert@emc.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW"}, "exploitabilityScore": 0.3, "impactScore": 3.4}]}, "weaknesses": [{"source": "security_alert@emc.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000225627/dsa-2024-123", "source": "security_alert@emc.com"}]}}, {"cve": {"id": "CVE-2024-36999", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:15.147", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted 3DM file, when parsed in opennurbs.dll through Autodesk applications, can force an Out-of-Bounds Write. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo 3DM creado con fines malintencionados, cuando se analiza en opennurbs.dll a trav\u00e9s de aplicaciones de Autodesk, puede forzar una escritura fuera de los l\u00edmites. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, escribir datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-37003", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:15.370", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted DWG and SLDPRT file, when parsed in opennurbs.dll and ODXSW_DLL.dll through Autodesk applications, can be used to cause a Stack-based Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo DWG y SLDPRT creado con fines malintencionados, cuando se analiza en opennurbs.dll y ODXSW_DLL.dll a trav\u00e9s de aplicaciones de Autodesk, se puede utilizar para provocar un desbordamiento basado en pila. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-37004", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:15.567", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted SLDPRT file, when parsed in ASMKERN229A.dll through Autodesk applications, can cause a use-after-free vulnerability. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process."}, {"lang": "es", "value": "Un archivo SLDPRT creado con fines malintencionados, cuando se analiza en ASMKERN229A.dll a trav\u00e9s de aplicaciones de Autodesk, puede provocar una vulnerabilidad de use-after-free. Esta vulnerabilidad, junto con otras vulnerabilidades, podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo en el proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-37005", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:15.890", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted X_B and X_T file, when parsed in pskernel.DLL through Autodesk applications, can force an Out-of-Bound Read. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process."}, {"lang": "es", "value": "Un archivo X_B y X_T creado con fines malintencionados, cuando se analiza en pskernel.DLL a trav\u00e9s de aplicaciones de Autodesk, puede forzar una lectura fuera de los l\u00edmites. Un actor malintencionado puede aprovechar esta vulnerabilidad para provocar un bloqueo, leer datos confidenciales o ejecutar c\u00f3digo arbitrario en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-37006", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:16.053", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted CATPRODUCT file, when parsed in CC5Dll.dll through Autodesk applications, can lead to a memory corruption vulnerability by write access violation. This vulnerability, in conjunction with other vulnerabilities, can lead to code execution in the context of the current process."}, {"lang": "es", "value": "Un archivo CATPRODUCT creado con fines malintencionados, cuando se analiza en CC5Dll.dll a trav\u00e9s de aplicaciones de Autodesk, puede provocar una vulnerabilidad de corrupci\u00f3n de memoria por infracci\u00f3n de acceso de escritura. Esta vulnerabilidad, junto con otras vulnerabilidades, puede provocar la ejecuci\u00f3n de c\u00f3digo en el contexto del proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-37007", "sourceIdentifier": "psirt@autodesk.com", "published": "2024-06-25T04:15:16.170", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A maliciously crafted X_B and X_T file, when parsed in pskernel.DLL through Autodesk applications, can cause a use-after-free vulnerability. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process."}, {"lang": "es", "value": "Un archivo X_B y X_T creado con fines malintencionados, cuando se analiza en pskernel.DLL a trav\u00e9s de aplicaciones de Autodesk, puede provocar una vulnerabilidad de use-after-free. Esta vulnerabilidad, junto con otras vulnerabilidades, podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo en el proceso actual."}], "metrics": {}, "weaknesses": [{"source": "psirt@autodesk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010", "source": "psirt@autodesk.com"}]}}, {"cve": {"id": "CVE-2024-4196", "sourceIdentifier": "securityalerts@avaya.com", "published": "2024-06-25T04:15:16.580", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An improper input validation vulnerability  was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request to the Web Control component. Affected versions include all versions prior to 11.1.3.1."}, {"lang": "es", "value": "Se descubri\u00f3 una vulnerabilidad de validaci\u00f3n de entrada incorrecta en Avaya IP Office que podr\u00eda permitir la ejecuci\u00f3n remota de comandos o c\u00f3digos a trav\u00e9s de una solicitud web especialmente manipulada al componente de control web. Las versiones afectadas incluyen todas las versiones anteriores a la 11.1.3.1."}], "metrics": {"cvssMetricV31": [{"source": "securityalerts@avaya.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "securityalerts@avaya.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "https://download.avaya.com/css/public/documents/101090768", "source": "securityalerts@avaya.com"}]}}, {"cve": {"id": "CVE-2024-4197", "sourceIdentifier": "securityalerts@avaya.com", "published": "2024-06-25T04:15:17.007", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An unrestricted\u00a0file upload vulnerability in Avaya IP Office\u00a0was discovered that could allow remote command or code execution via the One-X component. Affected versions include all versions prior to 11.1.3.1."}, {"lang": "es", "value": "Se descubri\u00f3 una vulnerabilidad de carga de archivos sin restricciones en Avaya IP Office que podr\u00eda permitir la ejecuci\u00f3n remota de comandos o c\u00f3digos a trav\u00e9s del componente One-X. Las versiones afectadas incluyen todas las versiones anteriores a la 11.1.3.1."}], "metrics": {"cvssMetricV31": [{"source": "securityalerts@avaya.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "securityalerts@avaya.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://download.avaya.com/css/public/documents/101090768", "source": "securityalerts@avaya.com"}]}}, {"cve": {"id": "CVE-2024-6297", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-25T04:15:17.400", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials and is used to create new, malicious, administrator users and send that data back to a server. Currently, not all plugins have been patched and we strongly recommend uninstalling the plugins for the time being and running a complete malware scan."}, {"lang": "es", "value": "Varios complementos para WordPress alojados en WordPress.org se han visto comprometidos y se les han inyectado scripts PHP maliciosos. Un actor de amenaza malicioso comprometi\u00f3 el c\u00f3digo fuente de varios complementos e inyect\u00f3 c\u00f3digo que extrae las credenciales de la base de datos y se utiliza para crear nuevos usuarios administradores maliciosos y enviar esos datos a un servidor. Actualmente, no todos los complementos han sido parcheados y recomendamos encarecidamente desinstalarlos por el momento y ejecutar un an\u00e1lisis completo de malware."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/blaze-widget/trunk/blaze_widget.php", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/contact-form-7-multi-step-addon/trunk/trx-contact-form-7-multi-step-addon.php", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/simply-show-hooks/trunk/index.php", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/social-warfare/tags/4.4.6.4/trunk/social-warfare.php#L54", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/social-warfare/tags/4.4.6.4/trunk/social-warfare.php#L583", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/wrapper-link-elementor/trunk/wrapper.php?rev=3106508", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3105893/", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3106042%40social-warfare&new=3106042%40social-warfare&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://wordpress.org/support/topic/a-security-message-from-the-plugin-review-team/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/56d24bc8-4a1a-4e60-aec5-960703a6058a?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4757", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-25T06:15:11.607", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Logo Manager For Enamad WordPress plugin through 0.7.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack"}, {"lang": "es", "value": "El complemento Logo Manager For Enamad WordPress hasta la versi\u00f3n 0.7.0 no tiene verificaci\u00f3n CSRF en algunos lugares y le falta sanitizaci\u00f3n y escape, lo que podr\u00eda permitir a los atacantes hacer que el administrador que haya iniciado sesi\u00f3n agregue payloads XSS almacenados a trav\u00e9s de un ataque CSRF."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/b54b55e0-b184-4c90-ba94-feda0997bf2a/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4759", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-25T06:15:11.727", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Mime Types Extended WordPress plugin through 0.11 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads."}, {"lang": "es", "value": "El complemento Mime Types Extended WordPress hasta la versi\u00f3n 0.11 no sanitiza los archivos SVG cargados, lo que podr\u00eda permitir a los usuarios con un rol tan bajo como Autor cargar un SVG malicioso que contenga payloads XSS."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/1c7547fa-539a-4890-a94d-c57b3d025507/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-5431", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-25T06:15:11.800", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The WPCafe \u2013 Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.25 via the reservation_extra_field shortcode parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include remote files on the server, potentially resulting in code execution"}, {"lang": "es", "value": "El complemento WPCafe \u2013 Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce para WordPress es vulnerable a la inclusi\u00f3n de archivos locales en todas las versiones hasta la 2.2.25 incluida a trav\u00e9s del par\u00e1metro de c\u00f3digo corto reservation_extra_field. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, incluyan archivos remotos en el servidor, lo que podr\u00eda resultar en la ejecuci\u00f3n de c\u00f3digo."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-cafe/tags/2.2.25/core/shortcodes/views/reservation/reservation-form-template.php#L178", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c5e7ed1-7eb8-4ce7-9dd6-0f7937b6f671?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-3249", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-25T07:15:45.323", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2."}, {"lang": "es", "value": "El complemento Zita Elementor Site Library para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en las funciones import_xml_data, xml_data_import, import_option_data, import_widgets e import_customizer_settings en todas las versiones hasta la 1.6.2 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, creen p\u00e1ginas, actualicen ciertas opciones, incluidos los t\u00edtulos de las p\u00e1ginas de WooCommerce y la configuraci\u00f3n de Elementor, importen widgets y actualicen la configuraci\u00f3n del personalizador del complemento y el CSS personalizado de WordPress. NOTA: Esta vulnerabilidad se solucion\u00f3 parcialmente en la versi\u00f3n 1.6.2."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3100431/zita-site-library", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3105478/zita-site-library", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-34141", "sourceIdentifier": "psirt@adobe.com", "published": "2024-06-25T09:15:56.807", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."}, {"lang": "es", "value": "Las versiones 6.5.20 y anteriores de Adobe Experience Manager se ven afectadas por una vulnerabilidad de Cross Site Scripting (XSS) almacenado que podr\u00eda ser aprovechada por un atacante con pocos privilegios para inyectar scripts maliciosos en campos de formulario vulnerables. Se puede ejecutar JavaScript malicioso en el navegador de la v\u00edctima cuando navega a la p\u00e1gina que contiene el campo vulnerable."}], "metrics": {"cvssMetricV31": [{"source": "psirt@adobe.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "psirt@adobe.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html", "source": "psirt@adobe.com"}]}}, {"cve": {"id": "CVE-2024-34142", "sourceIdentifier": "psirt@adobe.com", "published": "2024-06-25T09:15:57.130", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."}, {"lang": "es", "value": "Las versiones 6.5.20 y anteriores de Adobe Experience Manager se ven afectadas por una vulnerabilidad de Cross Site Scripting (XSS) almacenado que podr\u00eda ser aprovechada por un atacante con pocos privilegios para inyectar scripts maliciosos en campos de formulario vulnerables. Se puede ejecutar JavaScript malicioso en el navegador de la v\u00edctima cuando navega a la p\u00e1gina que contiene el campo vulnerable."}], "metrics": {"cvssMetricV31": [{"source": "psirt@adobe.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "psirt@adobe.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html", "source": "psirt@adobe.com"}]}}, {"cve": {"id": "CVE-2024-4638", "sourceIdentifier": "psirt@moxa.com", "published": "2024-06-25T09:15:57.413", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to a lack of neutralized inputs in the web key upload function. An attacker could modify the intended commands sent to target functions, which could cause malicious users to execute unauthorized commands."}, {"lang": "es", "value": "Las versiones de firmware de la serie OnCell G3470A-LTE v1.7.7 y anteriores han sido identificadas como vulnerables debido a la falta de entradas neutralizadas en la funci\u00f3n de carga de clave web. Un atacante podr\u00eda modificar los comandos previstos enviados a las funciones de destino, lo que podr\u00eda provocar que usuarios malintencionados ejecuten comandos no autorizados."}], "metrics": {"cvssMetricV31": [{"source": "psirt@moxa.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "psirt@moxa.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-242550-oncell-g3470a-lte-series-multiple-web-application-vulnerabilities", "source": "psirt@moxa.com"}]}}, {"cve": {"id": "CVE-2024-6028", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-25T09:15:57.760", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Quiz Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'ays_questions' parameter in all versions up to, and including, 6.5.8.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El complemento Quiz Maker para WordPress es vulnerable a la inyecci\u00f3n SQL basada en tiempo a trav\u00e9s del par\u00e1metro 'ays_questions' en todas las versiones hasta la 6.5.8.3 incluida debido a un escape insuficiente en el par\u00e1metro proporcionado por el usuario y a la falta de preparaci\u00f3n suficiente en el SQL existente. consulta. Esto hace posible que atacantes no autenticados agreguen consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n confidencial de la base de datos."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.5.7.5/public/class-quiz-maker-public.php#L4904", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.5.7.5/public/class-quiz-maker-public.php#L6901", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3103402/quiz-maker/tags/6.5.8.2/public/class-quiz-maker-public.php?old=3102679&old_path=quiz-maker%2Ftags%2F6.5.8.1%2Fpublic%2Fclass-quiz-maker-public.php", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3105555/quiz-maker/tags/6.5.8.4/public/class-quiz-maker-public.php?old=3104323&old_path=quiz-maker%2Ftags%2F6.5.8.3%2Fpublic%2Fclass-quiz-maker-public.php", "source": "security@wordfence.com"}, {"url": "https://wordpress.org/plugins/quiz-maker/#developers", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab340c65-35eb-4a85-8150-3119b46c7f35?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4639", "sourceIdentifier": "psirt@moxa.com", "published": "2024-06-25T10:15:19.897", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to a lack of neutralized inputs in IPSec configuration. An attacker could modify the intended commands sent to target functions, which could cause malicious users to execute unauthorized commands."}, {"lang": "es", "value": "Las versiones de firmware de la serie OnCell G3470A-LTE v1.7.7 y anteriores han sido identificadas como vulnerables debido a la falta de entradas neutralizadas en la configuraci\u00f3n IPSec. Un atacante podr\u00eda modificar los comandos previstos enviados a las funciones de destino, lo que podr\u00eda provocar que usuarios malintencionados ejecuten comandos no autorizados."}], "metrics": {"cvssMetricV31": [{"source": "psirt@moxa.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "psirt@moxa.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-242550-oncell-g3470a-lte-series-multiple-web-application-vulnerabilities", "source": "psirt@moxa.com"}]}}, {"cve": {"id": "CVE-2024-4640", "sourceIdentifier": "psirt@moxa.com", "published": "2024-06-25T10:15:20.780", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to missing bounds checking on buffer operations. An attacker could write past the boundaries of allocated buffer regions in memory, causing a program crash."}, {"lang": "es", "value": "Las versiones de firmware de la serie OnCell G3470A-LTE v1.7.7 y anteriores se han identificado como vulnerables debido a la falta de verificaci\u00f3n de los l\u00edmites en las operaciones del b\u00fafer. Un atacante podr\u00eda escribir m\u00e1s all\u00e1 de los l\u00edmites de las regiones del b\u00fafer asignadas en la memoria, provocando un bloqueo del programa."}], "metrics": {"cvssMetricV31": [{"source": "psirt@moxa.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "psirt@moxa.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "references": [{"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-242550-oncell-g3470a-lte-series-multiple-web-application-vulnerabilities", "source": "psirt@moxa.com"}]}}, {"cve": {"id": "CVE-2024-4641", "sourceIdentifier": "psirt@moxa.com", "published": "2024-06-25T10:15:21.000", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to accepting a format string from an external source as an argument. An attacker could modify an externally controlled format string to cause a memory leak and denial of service."}, {"lang": "es", "value": "Las versiones de firmware de la serie OnCell G3470A-LTE v1.7.7 y anteriores se han identificado como vulnerables debido a que aceptan una cadena de formato de una fuente externa como argumento. Un atacante podr\u00eda modificar una cadena de formato controlada externamente para provocar una p\u00e9rdida de memoria y una denegaci\u00f3n de servicio."}], "metrics": {"cvssMetricV31": [{"source": "psirt@moxa.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "psirt@moxa.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-134"}]}], "references": [{"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-242550-oncell-g3470a-lte-series-multiple-web-application-vulnerabilities", "source": "psirt@moxa.com"}]}}, {"cve": {"id": "CVE-2024-5216", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-25T11:15:50.193", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability in mintplex-labs/anything-llm allows for a Denial of Service (DoS) condition due to uncontrolled resource consumption. Specifically, the issue arises from the application's failure to limit the size of usernames, enabling attackers to create users with excessively bulky texts in the username field. This exploit results in the user management panel becoming unresponsive, preventing administrators from performing critical user management actions such as editing, suspending, or deleting users. The impact of this vulnerability includes administrative paralysis, compromised security, and operational disruption, as it allows malicious users to perpetuate their presence within the system indefinitely, undermines the system's security posture, and degrades overall system performance."}, {"lang": "es", "value": "Una vulnerabilidad en mintplex-labs/anything-llm permite una condici\u00f3n de Denegaci\u00f3n de Servicio (DoS) debido al consumo incontrolado de recursos. Espec\u00edficamente, el problema surge porque la aplicaci\u00f3n no limita el tama\u00f1o de los nombres de usuario, lo que permite a los atacantes crear usuarios con textos excesivamente voluminosos en el campo de nombre de usuario. Este exploit hace que el panel de administraci\u00f3n de usuarios deje de responder, lo que impide que los administradores realicen acciones cr\u00edticas de administraci\u00f3n de usuarios, como editar, suspender o eliminar usuarios. El impacto de esta vulnerabilidad incluye par\u00e1lisis administrativa, seguridad comprometida e interrupci\u00f3n operativa, ya que permite a los usuarios malintencionados perpetuar su presencia dentro del sistema indefinidamente, socava la postura de seguridad del sistema y degrada el rendimiento general del sistema."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://github.com/mintplex-labs/anything-llm/commit/3ef009de73c837f9025df8bba62572885c70c72f", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/8ec14991-ee35-493d-a8d3-21a1cfd57869", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-6305", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-25T11:15:50.420", "lastModified": "2024-06-25T17:15:11.020", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: **REJECT** Accidental Reservation making this a duplicate. Please use CVE-2024-31111."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2024-6306", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-25T11:15:50.623", "lastModified": "2024-06-25T17:15:11.107", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: **REJECT** Accidental Reservation making this a duplicate. Please use CVE-2024-32111."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2024-6307", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-25T11:15:50.820", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions up to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "WordPress Core es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de la API HTML en varias versiones hasta la 6.5.5 debido a una sanitizaci\u00f3n de entrada insuficiente y a un escape de salida en las URL. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://core.trac.wordpress.org/changeset/58472", "source": "security@wordfence.com"}, {"url": "https://core.trac.wordpress.org/changeset/58473", "source": "security@wordfence.com"}, {"url": "https://wordpress.org/news/2024/06/wordpress-6-5-5/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc0d36f8-6569-49a1-b722-5cf57c4bb32a?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-28831", "sourceIdentifier": "security@checkmk.com", "published": "2024-06-25T12:15:09.490", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Stored XSS in some confirmation pop-ups in Checkmk before versions 2.3.0p7 and 2.2.0p28 allows Checkmk users to execute arbitrary scripts by injecting HTML elements into some user input fields that are shown in a confirmation pop-up."}, {"lang": "es", "value": "El XSS almacenado en algunas ventanas emergentes de confirmaci\u00f3n en Checkmk antes de las versiones 2.3.0p7 y 2.2.0p28 permite a los usuarios de Checkmk ejecutar scripts arbitrarios inyectando elementos HTML en algunos campos de entrada del usuario que se muestran en una ventana emergente de confirmaci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security@checkmk.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "security@checkmk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}], "references": [{"url": "https://checkmk.com/werk/17025", "source": "security@checkmk.com"}]}}, {"cve": {"id": "CVE-2024-28832", "sourceIdentifier": "security@checkmk.com", "published": "2024-06-25T12:15:09.713", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings."}, {"lang": "es", "value": "XSS almacenado en la p\u00e1gina Informe de fallos en Checkmk antes de las versiones 2.3.0p7, 2.2.0p28, 2.1.0p45 y 2.0.0 (EOL) permite a los usuarios con permiso para cambiar la configuraci\u00f3n global para ejecutar scripts arbitrarios inyectando elementos HTML en la URL del informe de fallos en la configuraci\u00f3n global."}], "metrics": {"cvssMetricV31": [{"source": "security@checkmk.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "security@checkmk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}], "references": [{"url": "https://checkmk.com/werk/17024", "source": "security@checkmk.com"}]}}, {"cve": {"id": "CVE-2024-31111", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-25T13:15:49.383", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o 'Cross-site Scripting') en Automattic WordPress permite almacenar XSS. Este problema afecta a WordPress: de 6.5 a 6.5.4, de 6.4 a 6.4.4, de 6.3 a 6.3. 4, del 6.2 al 6.2.5, del 6.1 al 6.1.6, del 6.0 al 6.0.8, del 5.9 al 5.9.9."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-5-5-cross-site-scripting-xss-via-template-part-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}, {"url": "https://wordpress.org/news/2024/06/wordpress-6-5-5/", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-4846", "sourceIdentifier": "security@devolutions.net", "published": "2024-06-25T13:15:50.120", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to another user without being asked for the 2FA via another browser tab."}, {"lang": "es", "value": "La omisi\u00f3n de autenticaci\u00f3n en la funci\u00f3n 2FA en Devolutions Server 2024.1.14.0 y versiones anteriores permite a un atacante autenticado autenticarse ante otro usuario sin que se le solicite la 2FA a trav\u00e9s de otra pesta\u00f1a del navegador."}], "metrics": {}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2024-0009", "source": "security@devolutions.net"}]}}, {"cve": {"id": "CVE-2024-5261", "sourceIdentifier": "security@documentfoundation.org", "published": "2024-06-25T13:15:50.220", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Certificate Validation vulnerability in LibreOffice \"LibreOfficeKit\" mode disables TLS certification verification\n\nLibreOfficeKit can be used for accessing LibreOffice functionality \nthrough C/C++. Typically this is used by third party components to reuse\n LibreOffice as a library to convert, view or otherwise interact with \ndocuments.\n\nLibreOffice internally makes use of \"curl\" to fetch remote resources such as images hosted on webservers.\n\nIn\n affected versions of LibreOffice, when used in LibreOfficeKit mode \nonly, then curl's TLS certification verification was disabled \n(CURLOPT_SSL_VERIFYPEER of false)\n\nIn the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true.\n\nThis issue affects LibreOffice before version 24.2.4."}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n de certificado incorrecta en el modo \"LibreOfficeKit\" de LibreOffice deshabilita la verificaci\u00f3n de certificaci\u00f3n TLS. LibreOfficeKit se puede utilizar para acceder a la funcionalidad de LibreOffice a trav\u00e9s de C/C++. Normalmente, esto lo utilizan componentes de terceros para reutilizar LibreOffice como librer\u00eda para convertir, ver o interactuar con documentos. LibreOffice utiliza internamente \"curl\" para recuperar recursos remotos, como im\u00e1genes alojadas en servidores web. En las versiones afectadas de LibreOffice, cuando se usaba solo en modo LibreOfficeKit, la verificaci\u00f3n de certificaci\u00f3n TLS de curl estaba deshabilitada (CURLOPT_SSL_VERIFYPEER de falso). En las versiones fijas, curl opera en modo LibreOfficeKit de la misma manera que en el modo est\u00e1ndar con CURLOPT_SSL_VERIFYPEER de verdadero. Este problema afecta a LibreOffice antes de la versi\u00f3n 24.2.4."}], "metrics": {}, "weaknesses": [{"source": "security@documentfoundation.org", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-295"}]}], "references": [{"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2024-5261", "source": "security@documentfoundation.org"}]}}, {"cve": {"id": "CVE-2024-6299", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-25T13:15:50.587", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date"}, {"lang": "es", "value": "Falta de consideraci\u00f3n de la caducidad de la clave al validar firmas en Conduit, lo que permite a un atacante que ha comprometido una clave caducada falsificar solicitudes como servidor remoto, as\u00ed como PDU con marcas de tiempo posteriores a la fecha de caducidad."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.2, "impactScore": 2.5}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-324"}]}], "references": [{"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12", "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-6300", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-25T13:15:50.847", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Incomplete cleanup when performing redactions in Conduit, allowing an attacker to check whether certain strings were present in the PDU before redaction"}, {"lang": "es", "value": "Limpieza incompleta al realizar redacciones en Conduit, lo que permite a un atacante verificar si ciertas cadenas estaban presentes en la PDU antes de la redacci\u00f3n"}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-459"}]}], "references": [{"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12", "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-6301", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-25T13:15:51.077", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs"}, {"lang": "es", "value": "Falta de validaci\u00f3n de origen en la API de federaci\u00f3n en Conduit, lo que permite que cualquier servidor remoto se haga pasar por cualquier usuario de cualquier servidor en la mayor\u00eda de las EDU."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-346"}]}], "references": [{"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12", "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-6302", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-25T13:15:51.313", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Lack of privilege checking when processing a redaction in Conduit versions v0.6.0 and lower, allowing a local user to redact any message from users on the same server, given that they are able to send redaction events."}, {"lang": "es", "value": "Falta de verificaci\u00f3n de privilegios al procesar una redacci\u00f3n en las versiones de Conduit v0.6.0 e inferiores, lo que permite a un usuario local redactar cualquier mensaje de los usuarios en el mismo servidor, dado que pueden enviar eventos de redacci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-280"}]}], "references": [{"url": "https://conduit.rs/changelog/#v0-7-0-2024-04-25", "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/famedly/conduit/-/releases/v0.7.0", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-6303", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-25T13:15:51.550", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be used for privilege escalation by moving the #admins alias to a room which they control, allowing them to run commands resetting passwords, siging json with the server's key, deactivating users, and more"}, {"lang": "es", "value": "Falta autorizaci\u00f3n en la API Cliente-Servidor en Conduit <=0.7.0, lo que permite eliminar cualquier alias y agregarlo a otra sala, que se puede usar para escalar privilegios moviendo el alias #admins a una sala que ellos controlan, lo que les permite para ejecutar comandos que restablecen contrase\u00f1as, firman json con la clave del servidor, desactivan usuarios y m\u00e1s"}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12", "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-21827", "sourceIdentifier": "talos-cna@cisco.com", "published": "2024-06-25T14:15:10.940", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A leftover debug code vulnerability exists in the cli_server debug functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.4.1 Build 20240117 Rel.57421. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability."}, {"lang": "es", "value": "Existe una vulnerabilidad de c\u00f3digo de depuraci\u00f3n sobrante en la funcionalidad de depuraci\u00f3n cli_server del enrutador VPN Tp-Link ER7206 Omada Gigabit 1.4.1 Build 20240117 Rel.57421. Una serie de solicitudes de red especialmente manipuladas pueden provocar la ejecuci\u00f3n de comandos arbitrarios. Un atacante puede enviar una secuencia de solicitudes para desencadenar esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "talos-cna@cisco.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "talos-cna@cisco.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-489"}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1947", "source": "talos-cna@cisco.com"}]}}, {"cve": {"id": "CVE-2024-32111", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-25T14:15:11.630", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40."}, {"lang": "es", "value": "La limitaci\u00f3n inadecuada de un nombre de ruta a una vulnerabilidad de directorio restringido (\"Path Traversal\") en Automattic WordPress permite un Path Traversal relativo. Este problema afecta a WordPress: de 6.5 a 6.5.4, de 6.4 a 6.4.4, de 6.3 a 6.3.4, de 6.2 a 6.2.5, de 6.1 a 6.1.6, de 6.0 a 6.0.8, de 5.9 a 5.9.9, de 5.8 a 5.8.9, de 5.7 a 5.7.11, de 5.6 a 5.6.13, de 5.5 al 5.5.14, del 5.4 al 5.4.15, del 5.3 al 5.3.17, del 5.2 al 5.2.20, del 5.1 al 5.1.18, del 5.0 al 5.0.21, del 4.9 al 4.9.25, del 4.8 hasta 4.8.24, desde 4.7 hasta 4.7.28, desde 4.6 hasta 4.6.28, desde 4.5 hasta 4.5.31, desde 4.4 hasta 4.4.32, desde 4.3 hasta 4.3.33, desde 4.2 hasta 4.2.37, desde 4.1 hasta 4.1.40."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.6, "impactScore": 3.4}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-5-5-contributor-arbitrary-html-file-read-windows-only-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}, {"url": "https://wordpress.org/news/2024/06/wordpress-6-5-5/", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-38951", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T14:15:12.403", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A buffer overflow in PX4-Autopilot v1.12.3 allows attackers to cause a Denial of Service (DoS) via a crafted MavLink message."}, {"lang": "es", "value": "Un desbordamiento de b\u00fafer en PX4-Autopilot v1.12.3 permite a los atacantes provocar una denegaci\u00f3n de servicio (DoS) a trav\u00e9s de un mensaje MavLink manipulado."}], "metrics": {}, "references": [{"url": "https://github.com/PX4/PX4-Autopilot/issues/23251", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38952", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T14:15:12.517", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "PX4-Autopilot v1.14.3 was discovered to contain a buffer overflow via the topic_name parameter at /logger/logged_topics.cpp."}, {"lang": "es", "value": "Se descubri\u00f3 que PX4-Autopilot v1.14.3 conten\u00eda un desbordamiento del b\u00fafer a trav\u00e9s del par\u00e1metro topic_name en /logger/logged_topics.cpp."}], "metrics": {}, "references": [{"url": "https://github.com/PX4/PX4-Autopilot/blob/main/src/modules/logger/logged_topics.cpp#L440", "source": "cve@mitre.org"}, {"url": "https://github.com/PX4/PX4-Autopilot/blob/main/src/modules/logger/logged_topics.cpp#L561", "source": "cve@mitre.org"}, {"url": "https://github.com/PX4/PX4-Autopilot/issues/23258", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-5451", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-25T14:15:12.777", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The The7 \u2014 Website and eCommerce Builder for WordPress theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's Icon and Heading widgets in all versions up to, and including, 11.13.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El tema The7 \u2014 Website and eCommerce Builder for WordPress para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del atributo 'url' dentro de los widgets de icono y encabezado del complemento en todas las versiones hasta la 11.13.0 incluida debido a una sanitizaci\u00f3n de entrada insuficiente y la salida se escapa en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://the7.io/changelog/", "source": "security@wordfence.com"}, {"url": "https://themeforest.net/item/the7-responsive-multipurpose-wordpress-theme/5556590", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4555cd1-5ae5-42b3-938f-ffce5ba4fe56?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2021-4440", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:11.137", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/xen: Drop USERGS_SYSRET64 paravirt call\n\ncommit afd30525a659ac0ae0904f0cb4a2ca75522c3123 upstream.\n\nUSERGS_SYSRET64 is used to return from a syscall via SYSRET, but\na Xen PV guest will nevertheless use the IRET hypercall, as there\nis no sysret PV hypercall defined.\n\nSo instead of testing all the prerequisites for doing a sysret and\nthen mangling the stack for Xen PV again for doing an iret just use\nthe iret exit from the beginning.\n\nThis can easily be done via an ALTERNATIVE like it is done for the\nsysenter compat case already.\n\nIt should be noted that this drops the optimization in Xen for not\nrestoring a few registers when returning to user mode, but it seems\nas if the saved instructions in the kernel more than compensate for\nthis drop (a kernel build in a Xen PV guest was slightly faster with\nthis patch applied).\n\nWhile at it remove the stale sysret32 remnants.\n\n  [ pawan: Brad Spengler and Salvatore Bonaccorso \n\t   reported a problem with the 5.10 backport commit edc702b4a820\n\t   (\"x86/entry_64: Add VERW just before userspace transition\").\n\n\t   When CONFIG_PARAVIRT_XXL=y, CLEAR_CPU_BUFFERS is not executed in\n\t   syscall_return_via_sysret path as USERGS_SYSRET64 is runtime\n\t   patched to:\n\n\t.cpu_usergs_sysret64    = { 0x0f, 0x01, 0xf8,\n\t\t\t\t    0x48, 0x0f, 0x07 }, // swapgs; sysretq\n\n\t   which is missing CLEAR_CPU_BUFFERS. It turns out dropping\n\t   USERGS_SYSRET64 simplifies the code, allowing CLEAR_CPU_BUFFERS\n\t   to be explicitly added to syscall_return_via_sysret path. Below\n\t   is with CONFIG_PARAVIRT_XXL=y and this patch applied:\n\n\t   syscall_return_via_sysret:\n\t   ...\n\t   <+342>:   swapgs\n\t   <+345>:   xchg   %ax,%ax\n\t   <+347>:   verw   -0x1a2(%rip)  <------\n\t   <+354>:   sysretq\n  ]"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: x86/xen: elimine el commit de llamada paravirt USERGS_SYSRET64 afd30525a659ac0ae0904f0cb4a2ca75522c3123 en sentido ascendente. USERGS_SYSRET64 se usa para regresar de una llamada al sistema a trav\u00e9s de SYSRET, pero un invitado Xen PV usar\u00e1 la hiperllamada IRET, ya que no hay ninguna hiperllamada PV sysret definida. Entonces, en lugar de probar todos los requisitos previos para hacer un sysret y luego alterar la pila para Xen PV nuevamente para hacer un iret, simplemente use la salida iret desde el principio. Esto se puede hacer f\u00e1cilmente a trav\u00e9s de una ALTERNATIVA como ya se hace para el caso de compatibilidad con sysenter. Cabe se\u00f1alar que esto reduce la optimizaci\u00f3n en Xen para no restaurar algunos registros al regresar al modo de usuario, pero parece que las instrucciones guardadas en el kernel compensan con creces esta ca\u00edda (una compilaci\u00f3n del kernel en un invitado Xen PV fue un poco m\u00e1s r\u00e1pido con este parche aplicado). Mientras lo hace, elimine los restos obsoletos de sysret32. [pawan: Brad Spengler y Salvatore Bonaccorso  informaron de un problema con el commit del backport 5.10 edc702b4a820 (\"x86/entry_64: Agregar VERW justo antes de la transici\u00f3n del espacio de usuario\"). Cuando CONFIG_PARAVIRT_XXL=y, CLEAR_CPU_BUFFERS no se ejecuta en la ruta syscall_return_via_sysret ya que USERGS_SYSRET64 est\u00e1 parcheado en tiempo de ejecuci\u00f3n para: .cpu_usergs_sysret64 = { 0x0f, 0x01, 0xf8, 0x48, 0x0f, 0x07 }, // swapgs; sysretq al que le falta CLEAR_CPU_BUFFERS. Resulta que eliminar USERGS_SYSRET64 simplifica el c\u00f3digo, permitiendo que CLEAR_CPU_BUFFERS se agregue expl\u00edcitamente a la ruta syscall_return_via_sysret. A continuaci\u00f3n se muestra CONFIG_PARAVIRT_XXL=y y se aplic\u00f3 este parche: syscall_return_via_sysret: ... <+342>: swapgs <+345>: xchg %ax,%ax <+347>: verw -0x1a2(%rip) <---- -- <+354>: sysretq ]"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1424ab4bb386df9cc590c73afa55f13e9b00dea2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2022-48772", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:11.233", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: lgdt3306a: Add a check against null-pointer-def\n\nThe driver should check whether the client provides the platform_data.\n\nThe following log reveals it:\n\n[   29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[   29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[   29.612820] Call Trace:\n[   29.613030]  \n[   29.613201]  dump_stack_lvl+0x56/0x6f\n[   29.613496]  ? kmemdup+0x30/0x40\n[   29.613754]  print_report.cold+0x494/0x6b7\n[   29.614082]  ? kmemdup+0x30/0x40\n[   29.614340]  kasan_report+0x8a/0x190\n[   29.614628]  ? kmemdup+0x30/0x40\n[   29.614888]  kasan_check_range+0x14d/0x1d0\n[   29.615213]  memcpy+0x20/0x60\n[   29.615454]  kmemdup+0x30/0x40\n[   29.615700]  lgdt3306a_probe+0x52/0x310\n[   29.616339]  i2c_device_probe+0x951/0xa90"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: medio: lgdt3306a: agregue una verificaci\u00f3n contra null-pointer-def. El controlador debe verificar si el cliente proporciona platform_data. El siguiente registro lo revela: [29.610324] ERROR: KASAN: null-ptr-deref en kmemdup+0x30/0x40 [29.610730] Lectura del tama\u00f1o 40 en la direcci\u00f3n 00000000000000000 por tarea bash/414 [29.612820] Seguimiento de llamadas: [29.613030] k > [29.613201] dump_stack_lvl+0x56/0x6f [29.613496]? kmemdup+0x30/0x40 [ 29.613754] print_report.cold+0x494/0x6b7 [ 29.614082] ? kmemdup+0x30/0x40 [ 29.614340] kasan_report+0x8a/0x190 [ 29.614628] ? kmemdup+0x30/0x40 [ 29.614888] kasan_check_range+0x14d/0x1d0 [ 29.615213] memcpy+0x20/0x60 [ 29.615454] kmemdup+0x30/0x40 [ 29.615700] lgdt3306a_probe+0x5 2/0x310 [29.616339] i2c_device_probe+0x951/0xa90"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/526238d32c3acc3d597fd8c9a34652bfe9086cea", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7d12e918f2994c883f41f22552a61b9310fa1e87", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8915dcd29a82096acacf54364a8425363782aea0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8e1e00718d0d9dd83337300572561e30b9c0d115", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b479fd59a1f4a342b69fce34f222d93bf791dca4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c1115ddbda9c930fba0fdd062e7a8873ebaf898d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d082757b8359201c3864323cea4b91ea30a1e676", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2023-37541", "sourceIdentifier": "psirt@hcl.com", "published": "2024-06-25T15:15:11.363", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios."}, {"lang": "es", "value": "HCL Connections contiene una vulnerabilidad de control de acceso rota que puede permitir que usuarios no autorizados actualicen datos en ciertos escenarios."}], "metrics": {"cvssMetricV31": [{"source": "psirt@hcl.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 1.4}]}, "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0114156", "source": "psirt@hcl.com"}]}}, {"cve": {"id": "CVE-2024-37078", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:12.287", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential kernel bug due to lack of writeback flag waiting\n\nDestructive writes to a block device on which nilfs2 is mounted can cause\na kernel bug in the folio/page writeback start routine or writeback end\nroutine (__folio_start_writeback in the log below):\n\n kernel BUG at mm/page-writeback.c:3070!\n Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\n ...\n RIP: 0010:__folio_start_writeback+0xbaa/0x10e0\n Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff\n  e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>\n  0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00\n ...\n Call Trace:\n  \n  nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]\n  nilfs_segctor_construct+0x181/0x6b0 [nilfs2]\n  nilfs_segctor_thread+0x548/0x11c0 [nilfs2]\n  kthread+0x2f0/0x390\n  ret_from_fork+0x4b/0x80\n  ret_from_fork_asm+0x1a/0x30\n  \n\nThis is because when the log writer starts a writeback for segment summary\nblocks or a super root block that use the backing device's page cache, it\ndoes not wait for the ongoing folio/page writeback, resulting in an\ninconsistent writeback state.\n\nFix this issue by waiting for ongoing writebacks when putting\nfolios/pages on the backing device into writeback state."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: corrige un posible error en el kernel debido a la falta de indicador de escritura reescrita en espera Las escrituras destructivas en un dispositivo de bloque en el que est\u00e1 montado nilfs2 pueden causar un error en el kernel en la rutina de inicio de reescritura de folio/p\u00e1gina o Rutina de fin de reescritura (__folio_start_writeback en el registro a continuaci\u00f3n): \u00a1ERROR del kernel en mm/page-writeback.c:3070! Vaya: c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP KASAN PTI... RIP: 0010:__folio_start_writeback+0xbaa/0x10e0 C\u00f3digo: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f> 0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00 ... Seguimiento de llamadas:  nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2] nilfs_segctor_construct+0x181/0x6b0 [nilfs2] nilfs_segctor_thread+0x548/0x11c0 [nilfs2] kthread+0x2f0/0x390 ret_from_fork+0x4b/0x 80 ret_from_fork_asm+0x1a/0x30  Esto se debe a que cuando el escritor de registros inicia una reescritura para bloques de resumen de segmentos o un bloque s\u00faper ra\u00edz que utiliza la cach\u00e9 de p\u00e1gina del dispositivo de respaldo, no espera la reescritura en curso de folios/p\u00e1ginas, lo que genera un estado de reescritura inconsistente. Solucione este problema esperando las reescrituras en curso al poner las publicaciones/p\u00e1ginas en el dispositivo de respaldo en estado de reescritura."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1f3bff69f1214fe03a02bc650d5bbfaa6e65ae7d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/271dcd977ccda8c7a26e360425ae7b4db7d2ecc0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/614d397be0cf43412b3f94a0f6460eddced8ce92", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a4ca369ca221bb7e06c725792ac107f0e48e82e7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-37085", "sourceIdentifier": "security@vmware.com", "published": "2024-06-25T15:15:12.377", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "VMware ESXi contains an authentication bypass vulnerability.\u00a0A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously  configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html  by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD."}, {"lang": "es", "value": "VMware ESXi contiene una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n. Un actor malicioso con suficientes permisos de Active Directory (AD) puede obtener acceso completo a un host ESXi que se configur\u00f3 previamente para usar AD para la administraci\u00f3n de usuarios https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts -to-active-directory.html recreando el grupo de AD configurado ('Administradores de ESXi' de forma predeterminada) despu\u00e9s de eliminarlo de AD."}], "metrics": {"cvssMetricV31": [{"source": "security@vmware.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505", "source": "security@vmware.com"}]}}, {"cve": {"id": "CVE-2024-37086", "sourceIdentifier": "security@vmware.com", "published": "2024-06-25T15:15:12.570", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "VMware ESXi contains an out-of-bounds read vulnerability.\u00a0A\n malicious actor with local administrative privileges on a virtual \nmachine with an existing snapshot may trigger an out-of-bounds read \nleading to a denial-of-service condition of the host."}, {"lang": "es", "value": "VMware ESXi contiene una vulnerabilidad de lectura fuera de los l\u00edmites. Un actor malintencionado con privilegios administrativos locales en una m\u00e1quina virtual con una instant\u00e1nea existente puede desencadenar una lectura fuera de los l\u00edmites que provoque una condici\u00f3n de denegaci\u00f3n de servicio del host."}], "metrics": {"cvssMetricV31": [{"source": "security@vmware.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.5, "impactScore": 4.2}]}, "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505", "source": "security@vmware.com"}]}}, {"cve": {"id": "CVE-2024-37087", "sourceIdentifier": "security@vmware.com", "published": "2024-06-25T15:15:12.767", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The vCenter Server contains a denial-of-service vulnerability.\u00a0A malicious actor with network access to vCenter Server may create a denial-of-service condition."}, {"lang": "es", "value": "vCenter Server contiene una vulnerabilidad de denegaci\u00f3n de servicio. Un actor malintencionado con acceso a la red de vCenter Server puede crear una condici\u00f3n de denegaci\u00f3n de servicio."}], "metrics": {"cvssMetricV31": [{"source": "security@vmware.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505", "source": "security@vmware.com"}]}}, {"cve": {"id": "CVE-2024-37354", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:13.177", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\n\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\n\n  BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/ctree.c:2620!\n  invalid opcode: 0000 [#1] PREEMPT SMP PTI\n  CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n  RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\n\nWith the following stack trace:\n\n  #0  btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n  #1  btrfs_drop_extents (fs/btrfs/file.c:411:4)\n  #2  log_one_extent (fs/btrfs/tree-log.c:4732:9)\n  #3  btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n  #4  btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n  #5  btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n  #6  btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n  #7  btrfs_sync_file (fs/btrfs/file.c:1933:8)\n  #8  vfs_fsync_range (fs/sync.c:188:9)\n  #9  vfs_fsync (fs/sync.c:202:9)\n  #10 do_fsync (fs/sync.c:212:9)\n  #11 __do_sys_fdatasync (fs/sync.c:225:9)\n  #12 __se_sys_fdatasync (fs/sync.c:223:1)\n  #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n  #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n  #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n  #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\n\nSo we're logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\n\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\n\n  >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n  leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n  leaf 33439744 flags 0x100000000000000\n  fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n  chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n          item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n                  generation 7 transid 9 size 8192 nbytes 8473563889606862198\n                  block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n                  sequence 204 flags 0x10(PREALLOC)\n                  atime 1716417703.220000000 (2024-05-22 15:41:43)\n                  ctime 1716417704.983333333 (2024-05-22 15:41:44)\n                  mtime 1716417704.983333333 (2024-05-22 15:41:44)\n                  otime 17592186044416.000000000 (559444-03-08 01:40:16)\n          item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n                  index 195 namelen 3 name: 193\n          item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n                  location key (0 UNKNOWN.0 0) type XATTR\n                  transid 7 data_len 1 name_len 6\n                  name: user.a\n                  data a\n          item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n                  generation 9 type 1 (regular)\n                  extent data disk byte 303144960 nr 12288\n                  extent data offset 0 nr 4096 ram 12288\n                  extent compression 0 (none)\n          item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n                  generation 9 type 2 (prealloc)\n                  prealloc data disk byte 303144960 nr 12288\n                  prealloc data offset 4096 nr 8192\n          item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n                  generation 9 type 2 (prealloc)\n                  prealloc data disk byte 303144960 nr 12288\n                  prealloc data offset 8192 nr 4096\n  ...\n\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\n\nHere is the state of \n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: corrige el fallo en fsync de ejecuci\u00f3ns y escritura de extensi\u00f3n de tama\u00f1o en prealloc. Hemos estado viendo fallos en claves duplicadas en btrfs_set_item_key_safe(): BTRFS cr\u00edtico (dispositivo vdb): clave de ranura 4 ( 450 108 8192) nueva clave (450 108 8192) ------------[ cortar aqu\u00ed ]------------ ERROR del kernel en fs/btrfs/ctree.c: 2620! c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 3139 Comm: xfs_io Kdump: cargado No contaminado 6.9.0 #6 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.16.3-2 .fc40 01/04/2014 RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs] Con el siguiente seguimiento de pila: #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4) #1 btrfs_drop_extents (fs/btrfs/file .c:411:4) #2 log_one_extent (fs/btrfs/tree-log.c:4732:9) #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9) #4 btrfs_log_inode (fs/btrfs /tree-log.c:6626:9) #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8) #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8) #7 btrfs_sync_file (fs/btrfs/file.c:1933:8) #8 vfs_fsync_range (fs/sync.c:188:9) #9 vfs_fsync (fs/sync.c:202:9) #10 do_fsync (fs/sync.c :212:9) #11 __do_sys_fdatasync (fs/sync.c:225:9) #12 __se_sys_fdatasync (fs/sync.c:223:1) #13 __x64_sys_fdatasync (fs/sync.c:223:1) #14 do_syscall_x64 (arch/x86/entry/common.c:52:14) #15 do_syscall_64 (arch/x86/entry/common.c:83:7) #16 Entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S :121) As\u00ed que estamos registrando una extensi\u00f3n modificada desde fsync, que es dividir una extensi\u00f3n en el \u00e1rbol de registro. Pero esta parte dividida ya existe en el \u00e1rbol, lo que activa el ERROR(). Este es el estado del \u00e1rbol de registro en el momento del bloqueo, descargado con drgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py) para obtener m\u00e1s detalles de los que proporciona btrfs_print_leaf() nosotros: >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"]) hoja 33439744 elementos de nivel 0 72 generaci\u00f3n 9 propietario 18446744073709551610 hoja 33439744 banderas 0x100000000000000 fs uuid 00c-4223-8923-190ef1f18677 fragmento uuid d58cb17e-6d02-494a-829a-18b7d8a399da clave del elemento 0 (450 INODE_ITEM 0) itemoff 16123 tama\u00f1o del elemento 160 generaci\u00f3n 7 transid 9 tama\u00f1o 8192 nbytes 8473563889606862198 grupo de bloques 0 modo 100600 enlaces 1 uid 0 gid 0 rdev 0 secuencia 204 banderas 0x10(PREALLOC ) atime 1716417703.220000000 (2024-05-22 15:41:43) ctime 1716417704.983333333 (2024-05-22 15:41:44) mtime 1716417704.983333333 (2024-05-2) 2 15:41:44) otime 17592186044416.000000000 (559444-03- 08 01:40:16) clave del elemento 1 (450 INODE_REF 256) itemoff 16110 tama\u00f1o del elemento 13 \u00edndice 195 namelen 3 nombre: 193 clave del elemento 2 (450 XATTR_ITEM 1640047104) itemoff 16073 tama\u00f1o del elemento 37 clave de ubicaci\u00f3n (0 UNKNOWN.0 0) tipo XATTR transid 7 data_len 1 name_len 6 nombre: usuario.a datos a elemento 3 clave (450 EXTENT_DATA 0) itemoff 16020 tama\u00f1o de elemento 53 generaci\u00f3n 9 tipo 1 (normal) byte de disco de datos de extensi\u00f3n 303144960 nr 12288 desplazamiento de datos de extensi\u00f3n 0 nr 4096 ram 12288 compresi\u00f3n de extensi\u00f3n 0 ( ninguno) clave del elemento 4 (450 EXTENT_DATA 4096) itemoff 15967 tama\u00f1o del elemento 53 generaci\u00f3n 9 tipo 2 (preasignaci\u00f3n) byte de disco de datos de preasignaci\u00f3n 303144960 nr 12288 compensaci\u00f3n de datos de preasignaci\u00f3n 4096 nr 8192 clave del elemento 5 (450 EXTENT_DATA 8192) itemoff 15914 tama\u00f1o del elemento 53 generaci\u00f3n 9 tipo 2 (preasignaci\u00f3n) byte de disco de datos de preasignaci\u00f3n 303144960 nr 12288 desplazamiento de datos de preasignaci\u00f3n 8192 nr 4096 ... Entonces, el verdadero problema ocurri\u00f3 antes: observe que los elementos 4 (4k-12k) y 5 (8k-12k) se superponen. Ambas son extensiones de preasignaci\u00f3n. El elemento 4 abarca i_size y el elemento 5 comienza en i_size. Aqu\u00ed est\u00e1 el estado de ---truncado---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1ff2bd566fbcefcb892be85c493bdb92b911c428", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3d08c52ba1887a1ff9c179d4b6a18b427bcb2097", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9d274c19a71b3a276949933859610721a453946b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f4e5ed974876c14d3623e04dc43d3e3281bc6011", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38306", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:13.367", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: protect folio::private when attaching extent buffer folios\n\n[BUG]\nSince v6.8 there are rare kernel crashes reported by various people,\nthe common factor is bad page status error messages like this:\n\n  BUG: Bad page state in process kswapd0  pfn:d6e840\n  page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c\n  pfn:0xd6e840\n  aops:btree_aops ino:1\n  flags: 0x17ffffe0000008(uptodate|node=0|zone=2|lastcpupid=0x3fffff)\n  page_type: 0xffffffff()\n  raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0\n  raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000\n  page dumped because: non-NULL mapping\n\n[CAUSE]\nCommit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") changes the sequence when allocating a new\nextent buffer.\n\nPreviously we always called grab_extent_buffer() under\nmapping->i_private_lock, to ensure the safety on modification on\nfolio::private (which is a pointer to extent buffer for regular\nsectorsize).\n\nThis can lead to the following race:\n\nThread A is trying to allocate an extent buffer at bytenr X, with 4\n4K pages, meanwhile thread B is trying to release the page at X + 4K\n(the second page of the extent buffer at X).\n\n           Thread A                |                 Thread B\n-----------------------------------+-------------------------------------\n                                   | btree_release_folio()\n\t\t\t\t   | | This is for the page at X + 4K,\n\t\t\t\t   | | Not page X.\n\t\t\t\t   | |\nalloc_extent_buffer()              | |- release_extent_buffer()\n|- filemap_add_folio() for the     | |  |- atomic_dec_and_test(eb->refs)\n|  page at bytenr X (the first     | |  |\n|  page).                          | |  |\n|  Which returned -EEXIST.         | |  |\n|                                  | |  |\n|- filemap_lock_folio()            | |  |\n|  Returned the first page locked. | |  |\n|                                  | |  |\n|- grab_extent_buffer()            | |  |\n|  |- atomic_inc_not_zero()        | |  |\n|  |  Returned false               | |  |\n|  |- folio_detach_private()       | |  |- folio_detach_private() for X\n|     |- folio_test_private()      | |     |- folio_test_private()\n      |  Returned true             | |     |  Returned true\n      |- folio_put()               |       |- folio_put()\n\nNow there are two puts on the same folio at folio X, leading to refcount\nunderflow of the folio X, and eventually causing the BUG_ON() on the\npage->mapping.\n\nThe condition is not that easy to hit:\n\n- The release must be triggered for the middle page of an eb\n  If the release is on the same first page of an eb, page lock would kick\n  in and prevent the race.\n\n- folio_detach_private() has a very small race window\n  It's only between folio_test_private() and folio_clear_private().\n\nThat's exactly when mapping->i_private_lock is used to prevent such race,\nand commit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() to\nallocate-then-attach method\") screwed that up.\n\nAt that time, I thought the page lock would kick in as\nfilemap_release_folio() also requires the page to be locked, but forgot\nthe filemap_release_folio() only locks one page, not all pages of an\nextent buffer.\n\n[FIX]\nMove all the code requiring i_private_lock into\nattach_eb_folio_to_filemap(), so that everything is done with proper\nlock protection.\n\nFurthermore to prevent future problems, add an extra\nlockdep_assert_locked() to ensure we're holding the proper lock.\n\nTo reproducer that is able to hit the race (takes a few minutes with\ninstrumented code inserting delays to alloc_extent_buffer()):\n\n  #!/bin/sh\n  drop_caches () {\n\t  while(true); do\n\t\t  echo 3 > /proc/sys/vm/drop_caches\n\t\t  echo 1 > /proc/sys/vm/compact_memory\n\t  done\n  }\n\n  run_tar () {\n\t  while(true); do\n\t\t  for x in `seq 1 80` ; do\n\t\t\t  tar cf /dev/zero /mnt > /dev/null &\n\t\t  done\n\t\t  wait\n\t  done\n  }\n\n  mkfs.btrfs -f -d single -m single\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: proteger folio::privado al adjuntar folios de b\u00fafer de extensi\u00f3n [ERROR] Desde la versi\u00f3n 6.8, varias personas reportan fallas raras del kernel, el factor com\u00fan son mensajes de error de estado incorrecto de la p\u00e1gina as\u00ed: ERROR: Estado incorrecto de la p\u00e1gina en el proceso kswapd0 pfn:d6e840 p\u00e1gina: refcount:0 mapcount:0 mapeo:000000007512f4f2 index:0x2796c2c7c pfn:0xd6e840 aops:btree_aops ino:1 flags: 0x17ffffe0000008(uptodate|node=0|zone= 2 |lastcpupid=0x3fffff) tipo de p\u00e1gina: 0xffffffff() raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0 raw: 00000002796c2c7c 0000000000000000 0000 0000ffffffff 0000000000000000 p\u00e1gina volcada porque: mapeo no NULL [CAUSA] Commit 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() para asignar el m\u00e9todo luego adjuntar \") cambia la secuencia al asignar un nuevo b\u00fafer de extensi\u00f3n. Anteriormente siempre llam\u00e1bamos a grab_extent_buffer() en mapeo->i_private_lock, para garantizar la seguridad en la modificaci\u00f3n en folio::private (que es un puntero al b\u00fafer de extensi\u00f3n para el tama\u00f1o de sector normal). Esto puede llevar a la siguiente ejecuci\u00f3n: el subproceso A est\u00e1 intentando asignar un b\u00fafer de extensi\u00f3n en el bytenr X, con 4 p\u00e1ginas de 4K, mientras que el subproceso B est\u00e1 intentando liberar la p\u00e1gina en X + 4K (la segunda p\u00e1gina del b\u00fafer de extensi\u00f3n en X) . Hilo A | Hilo B -----------------------------------+------------ ------------------------- | btree_release_folio() | | Esto es para la p\u00e1gina en X + 4K, | | No la p\u00e1gina X. | | alloc_extent_buffer() | |- release_extent_buffer() |- filemap_add_folio() para el | | |- atomic_dec_and_test(eb->refs) | p\u00e1gina en bytenr X (la primera | | | | p\u00e1gina). | | | | Que devolvi\u00f3 -EEXIST. | | | | | | | |- filemap_lock_folio() | | | | Devolvi\u00f3 la primera p\u00e1gina bloqueada. | | | | | | | |- grab_extent_buffer() | | | | |- atomic_inc_not_zero() | | | | | Devuelto falso | | | | |- folio_detach_private() | | |- folio_detach_private() para X | |- folio_test_private() | | |- folio_test_private() | Devuelto verdadero | | | Devuelto verdadero |- folio_put() | |- folio_put() Ahora hay dos opciones de venta en el mismo folio en el folio X, lo que provoca un recuento insuficiente del folio X y, finalmente, provoca el error BUG_ON() en la p\u00e1gina->mapeo. La condici\u00f3n no es tan f\u00e1cil de cumplir: - La publicaci\u00f3n debe activarse para la p\u00e1gina intermedia de un eb. Si la publicaci\u00f3n est\u00e1 en la misma primera p\u00e1gina de un eb, el bloqueo de p\u00e1gina se activar\u00eda e impedir\u00eda la ejecuci\u00f3n. - folio_detach_private() tiene una ventana de ejecuci\u00f3n muy peque\u00f1a. Es solo entre folio_test_private() y folio_clear_private(). Eso es exactamente cuando se usa mapeo->i_private_lock para evitar dicha ejecuci\u00f3n, y la confirmaci\u00f3n 09e6cef19c9f (\"btrfs: refactor alloc_extent_buffer() para asignar-luego-adjuntar m\u00e9todo\") arruin\u00f3 eso. En ese momento, pens\u00e9 que el bloqueo de p\u00e1gina se activar\u00eda ya que filemap_release_folio() tambi\u00e9n requiere que la p\u00e1gina est\u00e9 bloqueada, pero olvid\u00e9 que filemap_release_folio() solo bloquea una p\u00e1gina, no todas las p\u00e1ginas de un b\u00fafer de extensi\u00f3n. [FIX] Mueva todo el c\u00f3digo que requiere i_private_lock a adjunto_eb_folio_to_filemap(), para que todo se haga con la protecci\u00f3n de bloqueo adecuada. Adem\u00e1s, para evitar problemas futuros, agregue un lockdep_assert_locked() adicional para garantizar que mantenemos el bloqueo adecuado. Para el reproductor que puede iniciar la ejecuci\u00f3n (tarda unos minutos con el c\u00f3digo instrumentado insertando retrasos en alloc_extent_buffer()): #!/bin/sh drop_caches () { while(true); hacer echo 3 > /proc/sys/vm/drop_caches echo 1 > /proc/sys/vm/compact_memory hecho } run_tar () { while(true); hacer para x en `seq 1 80`; hacer tar cf /dev/zero /mnt > /dev/null & hecho esperar hecho } mkfs.btrfs -f -d single -m single ---truncado---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/952f048eb901881a7cc6f7c1368b53cd386ead7b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f3a5367c679d31473d3fbb391675055b4792c309", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38385", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:13.487", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/irqdesc: Prevent use-after-free in irq_find_at_or_after()\n\nirq_find_at_or_after() dereferences the interrupt descriptor which is\nreturned by mt_find() while neither holding sparse_irq_lock nor RCU read\nlock, which means the descriptor can be freed between mt_find() and the\ndereference:\n\n    CPU0                            CPU1\n    desc = mt_find()\n                                    delayed_free_desc(desc)\n    irq_desc_get_irq(desc)\n\nThe use-after-free is reported by KASAN:\n\n    Call trace:\n     irq_get_next_irq+0x58/0x84\n     show_stat+0x638/0x824\n     seq_read_iter+0x158/0x4ec\n     proc_reg_read_iter+0x94/0x12c\n     vfs_read+0x1e0/0x2c8\n\n    Freed by task 4471:\n     slab_free_freelist_hook+0x174/0x1e0\n     __kmem_cache_free+0xa4/0x1dc\n     kfree+0x64/0x128\n     irq_kobj_release+0x28/0x3c\n     kobject_put+0xcc/0x1e0\n     delayed_free_desc+0x14/0x2c\n     rcu_do_batch+0x214/0x720\n\nGuard the access with a RCU read lock section."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: genirq/irqdesc: Impide el use-after-free en irq_find_at_or_after() irq_find_at_or_after() elimina la referencia al descriptor de interrupci\u00f3n que devuelve mt_find() mientras no mantiene sparse_irq_lock ni el bloqueo de lectura de RCU, lo que significa que el descriptor se puede liberar entre mt_find() y la desreferencia: CPU0 CPU1 desc = mt_find() delay_free_desc(desc) irq_desc_get_irq(desc) KASAN informa el use-after-free: Rastreo de llamadas: irq_get_next_irq+0x58/0x84 show_stat+ 0x638/0x824 seq_read_iter+0x158/0x4ec proc_reg_read_iter+0x94/0x12c vfs_read+0x1e0/0x2c8 Liberado por la tarea 4471: slab_free_freelist_hook+0x174/0x1e0 __kmem_cache_free+0xa4/0x1dc x64/0x128 irq_kobj_release+0x28/0x3c kobject_put+0xcc/0x1e0 retardado_free_desc+ 0x14/0x2c rcu_do_batch+0x214/0x720 Protege el acceso con una secci\u00f3n de bloqueo de lectura de RCU."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1c7891812d85500ae2ca4051fa5683fcf29930d8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b84a8aba806261d2f759ccedf4a2a6a80a5e55ba", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d084aa022f84319f8079e30882cbcbc026af9f21", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-38661", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:13.630", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ap: Fix crash in AP internal function modify_bitmap()\n\nA system crash like this\n\n  Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\n  Fault in home space mode while using kernel ASCE.\n  AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\n  Oops: 0038 ilc:3 [#1] PREEMPT SMP\n  Modules linked in: mlx5_ib ...\n  CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\n  Hardware name: IBM 3931 A01 704 (LPAR)\n  Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\n  R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n  Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\n  000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\n  000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\n  000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\n  Krnl Code: 0000014b75e7b5fc: a7840047            brc     8,0000014b75e7b68a\n  0000014b75e7b600: 18b2                lr      %r11,%r2\n  #0000014b75e7b602: a7f4000a            brc     15,0000014b75e7b616\n  >0000014b75e7b606: eb22d00000e6        laog    %r2,%r2,0(%r13)\n  0000014b75e7b60c: a7680001            lhi     %r6,1\n  0000014b75e7b610: 187b                lr      %r7,%r11\n  0000014b75e7b612: 84960021            brxh    %r9,%r6,0000014b75e7b654\n  0000014b75e7b616: 18e9                lr      %r14,%r9\n  Call Trace:\n  [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\n  ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\n  [<0000014b75e7b758>] apmask_store+0x68/0x140\n  [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\n  [<0000014b75598524>] vfs_write+0x1b4/0x448\n  [<0000014b7559894c>] ksys_write+0x74/0x100\n  [<0000014b7618a440>] __do_syscall+0x268/0x328\n  [<0000014b761a3558>] system_call+0x70/0x98\n  INFO: lockdep is turned off.\n  Last Breaking-Event-Address:\n  [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\n  Kernel panic - not syncing: Fatal exception: panic_on_oops\n\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\n\nThe fix is simple: use unsigned long values for the internal variables. The\ncorrect checks are already in place in the function but a simple int for\nthe internal variables was used with the possibility to overflow."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: s390/ap: Se corrigi\u00f3 el fallo en la funci\u00f3n interna del AP modificar_bitmap() Un fallo del sistema como este Direcci\u00f3n de error: 200000cb7df6f000 TEID: 200000cb7df6f403 Fallo en el modo de espacio de inicio al usar el kernel ASCE. AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d Ups: 0038 ilc:3 [#1] M\u00f3dulos SMP PREEMPT vinculados en: mlx5_ib... CPU: 8 PID: 7556 Comm: bash No contaminado 6.9.0-rc7 #8 Nombre de hardware: IBM 3931 A01 704 (LPAR) Krnl PSW: 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8) R:0 T:1 IO:1 EX:1 Clave:0 M:1 W:0 P:0 AS:3 CC :2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000001 ffffffffffffffc0 000000000000001 00000048f96b75d3 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7 df6fce0 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8 K C\u00f3digo rnl: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a 0000014b75e7b600: 18b2 lr %r11,%r2 # 0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616 >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13) 0000014b75e7b60c: a7680001 l hola %r6,1 0000014b75e7b610: 187b lr %r7,%r11 0000014b75e7b612: 84960021 brxh %r9,%r6, 0000014b75e7b654 0000014b75e7b616: 18e9 lr %r14,%r9 Seguimiento de llamadas: [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8 ([<0000014b75e7b5dc>] bitmap_str+0xe4/0x1f8) [<0000014b75e7b758>] apmask_store+0x68/0x140 [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8 [<0000014b75598524>] vfs_write+0x1b4/0x448 [<0000014b7559894c>] ksys_write+0x74/0x100 [<0000014b7618a440>] syscall+0x268/0x328 [<0000014b761a3558>] system_call+0x70/0x98 INFORMACI\u00d3N: lockdep est\u00e1 activado apagado. \u00daltima direcci\u00f3n del \u00faltimo evento de \u00faltima hora: [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8 P\u00e1nico del kernel: no se sincroniza: Excepci\u00f3n fatal: p\u00e1nico_on_oops ocurri\u00f3 cuando /sys/bus/ap/a[pq]mask se actualiz\u00f3 con un valor de m\u00e1scara relativo (como +0x10-0x12,+60,-90) con uno de los valores num\u00e9ricos que excede INT_MAX. La soluci\u00f3n es simple: use valores largos sin signo para las variables internas. Las comprobaciones correctas ya est\u00e1n implementadas en la funci\u00f3n, pero se us\u00f3 un int simple para las variables internas con posibilidad de desbordamiento."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/2062e3f1f2374102f8014d7ca286b9aa527bd558", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4c0bfb4e867c1ec6616a5049bd3618021e127056", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/67011123453b91ec03671d40712fa213e94a01b9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7c72af16abf2ec7520407098360bbba312289e05", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7dabe54a016defe11bb2a278cd9f1ff6db3feba6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8c5f5911c1b13170d3404eb992c6a0deaa8d81ad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39276", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:13.903", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()\n\nSyzbot reports a warning as follows:\n\n============================================\nWARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290\nModules linked in:\nCPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7\nRIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419\nCall Trace:\n \n ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375\n generic_shutdown_super+0x136/0x2d0 fs/super.c:641\n kill_block_super+0x44/0x90 fs/super.c:1675\n ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327\n[...]\n============================================\n\nThis is because when finding an entry in ext4_xattr_block_cache_find(), if\next4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown\nin the __entry_find(), won't be put away, and eventually trigger the above\nissue in mb_cache_destroy() due to reference count leakage.\n\nSo call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ext4: soluciona la fuga de e_refcnt de mb_cache_entry en ext4_xattr_block_cache_find() Syzbot informa una advertencia de la siguiente manera: ======================= ======================= ADVERTENCIA: CPU: 0 PID: 5075 en fs/mbcache.c:419 mb_cache_destroy+0x224/0x290 M\u00f3dulos vinculados en: CPU: 0 PID: 5075 Comm: syz-executor199 No contaminado 6.9.0-rc6-gb947cc5bf6d7 RIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419 Seguimiento de llamadas:  ext4_put_super+0x6d4/0xcd0 fs/ext4/super .c:1375 generic_shutdown_super+0x136/0x2d0 fs/super.c:641 kill_block_super+0x44/0x90 fs/super.c:1675 ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327 [...] === ========================================= Esto se debe a que al encontrar una entrada en ext4_xattr_block_cache_find (), si ext4_sb_bread() devuelve -ENOMEM, el e_refcnt del ce, que ya ha crecido en __entry_find(), no se guardar\u00e1 y, eventualmente, desencadenar\u00e1 el problema anterior en mb_cache_destroy() debido a una fuga del recuento de referencias. Entonces llame a mb_cache_entry_put() en la rama de error -ENOMEM como soluci\u00f3n r\u00e1pida."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0c0b4a49d3e7f49690a6827a41faeffad5df7e21", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/681ff9a09accd8a4379f8bd30b7a1641ee19bb3e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/76dc776153a47372719d664e0fc50d6355791abb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/896a7e7d0d555ad8b2b46af0c2fa7de7467f9483", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9ad75e78747b5a50dc5a52f0f8e92e920a653f16", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a95df6f04f2c37291adf26a74205cde0314d4577", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b37c0edef4e66fb21a2fbc211471195a383e5ab8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e941b712e758f615d311946bf98216e79145ccd9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39293", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:13.993", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"xsk: Support redirect to any socket bound to the same umem\"\n\nThis reverts commit 2863d665ea41282379f108e4da6c8a2366ba66db.\n\nThis patch introduced a potential kernel crash when multiple napi instances\nredirect to the same AF_XDP socket. By removing the queue_index check, it is\npossible for multiple napi instances to access the Rx ring at the same time,\nwhich will result in a corrupted ring state which can lead to a crash when\nflushing the rings in __xsk_flush(). This can happen when the linked list of\nsockets to flush gets corrupted by concurrent accesses. A quick and small fix\nis not possible, so let us revert this for now."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: Revertir \"xsk: admite redirecci\u00f3n a cualquier socket vinculado al mismo umem\". Esto revierte el commit 2863d665ea41282379f108e4da6c8a2366ba66db. Este parche introdujo un posible fallo del kernel cuando varias instancias de napi se redirigen al mismo socket AF_XDP. Al eliminar la verificaci\u00f3n queue_index, es posible que varias instancias de napi accedan al anillo Rx al mismo tiempo, lo que resultar\u00e1 en un estado de anillo corrupto que puede provocar un bloqueo al vaciar los anillos en __xsk_flush(). Esto puede suceder cuando la lista vinculada de sockets para vaciar se corrompe por accesos simult\u00e1neos. No es posible una soluci\u00f3n r\u00e1pida y peque\u00f1a, as\u00ed que revirtamos esto por ahora."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/19cb40b1064566ea09538289bfcf5bc7ecb9b6f5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7fcf26b315bbb728036da0862de6b335da83dff2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39296", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:14.070", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix oops during rmmod\n\n\"rmmod bonding\" causes an oops ever since commit cc317ea3d927 (\"bonding:\nremove redundant NULL check in debugfs function\").  Here are the relevant\nfunctions being called:\n\nbonding_exit()\n  bond_destroy_debugfs()\n    debugfs_remove_recursive(bonding_debug_root);\n    bonding_debug_root = NULL; <--------- SET TO NULL HERE\n  bond_netlink_fini()\n    rtnl_link_unregister()\n      __rtnl_link_unregister()\n        unregister_netdevice_many_notify()\n          bond_uninit()\n            bond_debug_unregister()\n              (commit removed check for bonding_debug_root == NULL)\n              debugfs_remove()\n              simple_recursive_removal()\n                down_write() -> OOPS\n\nHowever, reverting the bad commit does not solve the problem completely\nbecause the original code contains a race that could cause the same\noops, although it was much less likely to be triggered unintentionally:\n\nCPU1\n  rmmod bonding\n    bonding_exit()\n      bond_destroy_debugfs()\n        debugfs_remove_recursive(bonding_debug_root);\n\nCPU2\n  echo -bond0 > /sys/class/net/bonding_masters\n    bond_uninit()\n      bond_debug_unregister()\n        if (!bonding_debug_root)\n\nCPU1\n        bonding_debug_root = NULL;\n\nSo do NOT revert the bad commit (since the removed checks were racy\nanyway), and instead change the order of actions taken during module\nremoval.  The same oops can also happen if there is an error during\nmodule init, so apply the same fix there."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vinculaci\u00f3n: corrige errores durante rmmod \"rmmod bonding\" provoca un error desde el commit cc317ea3d927 (\"uni\u00f3n: elimina la comprobaci\u00f3n NULL redundante en la funci\u00f3n debugfs\"). Aqu\u00ed est\u00e1n las funciones relevantes que se llaman: bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root); bonding_debug_root = NULL; <--------- ESTABLECER EN NULL AQU\u00cd bond_netlink_fini() rtnl_link_unregister() __rtnl_link_unregister() unregister_netdevice_many_notify() bond_uninit() bond_debug_unregister() (confirmar verificaci\u00f3n eliminada para bonding_debug_root == NULL) debugfs_remove() simple_recursive_removal() down_write( ) -> OOPS Sin embargo, revertir el compromiso incorrecto no resuelve el problema por completo porque el c\u00f3digo original contiene una ejecuci\u00f3n que podr\u00eda causar el mismo error, aunque era mucho menos probable que se activara involuntariamente: CPU1 rmmod bonding bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root); CPU2 echo -bond0 > /sys/class/net/bonding_masters bond_uninit() bond_debug_unregister() if (!bonding_debug_root) CPU1 bonding_debug_root = NULL; Por lo tanto, NO revierta la confirmaci\u00f3n incorrecta (ya que las comprobaciones eliminadas eran picantes de todos modos) y, en su lugar, cambie el orden de las acciones tomadas durante la eliminaci\u00f3n del m\u00f3dulo. Lo mismo tambi\u00e9n puede suceder si hay un error durante el inicio del m\u00f3dulo, as\u00ed que aplique la misma soluci\u00f3n all\u00ed."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/a45835a0bb6ef7d5ddbc0714dd760de979cb6ece", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cf48aee81103ca06d09d73d33fb72f1191069aa6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f07224c16678a8af54ddc059b3d2d51885d7f35e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39298", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:14.160", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix handling of dissolved but not taken off from buddy pages\n\nWhen I did memory failure tests recently, below panic occurs:\n\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\nraw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000\npage dumped because: VM_BUG_ON_PAGE(!PageBuddy(page))\n------------[ cut here ]------------\nkernel BUG at include/linux/page-flags.h:1009!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:__del_page_from_free_list+0x151/0x180\nRSP: 0018:ffffa49c90437998 EFLAGS: 00000046\nRAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0\nRBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69\nR10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80\nR13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009\nFS:  00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0\nCall Trace:\n \n __rmqueue_pcplist+0x23b/0x520\n get_page_from_freelist+0x26b/0xe40\n __alloc_pages_noprof+0x113/0x1120\n __folio_alloc_noprof+0x11/0xb0\n alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130\n __alloc_fresh_hugetlb_folio+0xe7/0x140\n alloc_pool_huge_folio+0x68/0x100\n set_max_huge_pages+0x13d/0x340\n hugetlb_sysctl_handler_common+0xe8/0x110\n proc_sys_call_handler+0x194/0x280\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff916114887\nRSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887\nRDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003\nRBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0\nR10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004\nR13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00\n \nModules linked in: mce_inject hwpoison_inject\n---[ end trace 0000000000000000 ]---\n\nAnd before the panic, there had an warning about bad page state:\n\nBUG: Bad page state in process page-types  pfn:8cee00\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00\nflags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)\npage_type: 0xffffff7f(buddy)\nraw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000\nraw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000\npage dumped because: nonzero mapcount\nModules linked in: mce_inject hwpoison_inject\nCPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22\nCall Trace:\n \n dump_stack_lvl+0x83/0xa0\n bad_page+0x63/0xf0\n free_unref_page+0x36e/0x5c0\n unpoison_memory+0x50b/0x630\n simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110\n debugfs_attr_write+0x42/0x60\n full_proxy_write+0x5b/0x80\n vfs_write+0xcd/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xc2/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f189a514887\nRSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887\nRDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003\nRBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8\nR13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040\n \n\nThe root cause should be the below race:\n\n memory_failure\n  try_memory_failure_hugetlb\n   me_huge_page\n    __page_handle_poison\n     dissolve_free_hugetlb_folio\n     drain_all_pages -- Buddy page can be isolated e.g. for compaction.\n     take_page_off_buddy -- Failed as page is not in the \n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mm/memory-failure: corrige el manejo de p\u00e1ginas disueltas pero no eliminadas de las p\u00e1ginas de amigos Cuando hice pruebas de falla de memoria recientemente, se produce el siguiente p\u00e1nico: p\u00e1gina: refcount:0 mapcount:0 mapeo :0000000000000000 \u00edndice:0x0 pfn:0x8cee00 banderas: 0x6fffe0000000000(nodo=1|zona=2|lastcpupid=0x7fff) raw: 06fffe0000000000 muerto000000000100 muerto000000000122 00000 00000000000 raw: 0000000000000000 00000000000000009 00000000ffffffff 0000000000000000 p\u00e1gina volcada porque: VM_BUG_ON_PAGE(!PageBuddy(page)) -- ----------[ cortar aqu\u00ed ]----------- \u00a1ERROR del kernel en include/linux/page-flags.h:1009! c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:__del_page_from_free_list+0x151/0x180 RSP: 0018:ffffa49c90437998 EFLAGS: 00000046 RAX: 0000000000000035 RBX: 0000009 RCX: ffff8dd8dfd1c9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0 RBP: ffffd901233b8000 R08 : ffffffffab5511f8 R09: 0000000000008c69 R10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80 R13: 0000000000000001 R14: ffff8dd8fffc0 c80 R15: 0000000000000009 FS: 00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 80050033 CR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0 Seguimiento de llamadas:  __rmqueue_pcplist+0x23b/0x520 get_page_from_freelist+0x26b/0xe40 __alloc_pages_noprof+0x113 /0x1120 __folio_alloc_noprof+0x11/0xb0 alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130 __alloc_fresh_hugetlb_folio+0xe7/0x140 alloc_pool_huge_folio +0x68/0x100 set_max_huge_pages+0x13d/0x340 hugetlb_sysctl_handler_common+0xe8/0x110 proc_sys_call_handler+0x194/0x280 vfs_write+0x387/0x550 ksys_write+0x64/0xe0 +0xc2/0x1d0 entrada_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff916114887 RSP: 002b:00007ffec8a2fd78 EFLAGS : 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887 RDX: 0000000000000004 RSI: 000055eae500e39 0 RDI: 0000000000000003 RBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0 R10: 0000000000000077 R11: 00000000000000246 R 12: 0000000000000004 R13: 00000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00  M\u00f3dulos vinculados en: mce_inject hwpoison_inject ---[ end trace 0000000000000000 ]--- Y antes del p\u00e1nico, hab\u00eda una advertencia sobre el estado incorrecto de la p\u00e1gina: ERROR: Estado incorrecto de la p\u00e1gina en el proceso tipos de p\u00e1gina pfn:8cee00 p\u00e1gina: refcount:0 mapcount:0 mapeo:0000000000000000 \u00edndice:0x0 pfn:0x8cee00 banderas: 0x6fffe0000000000(nodo=1|zona=2|lastcpupid=0x7fff) tipo de p\u00e1gina: 0xffffff7f(amigo) raw: 06fffe0000000000 241c0008 ffffd901240f8008 0000000000000000 raw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000 p\u00e1gina volcado porque: mapcount distinto de cero M\u00f3dulos vinculados en: mce_inject hwpoison_inject CPU: 8 PID: 154211 Comm: tipos de p\u00e1gina No contaminados 6.9.0-rc4-00499-g5544ec3178e2-dirty #22 Seguimiento de llamadas:  dump_stack_lvl+0x83/0xa0 bad_page+ 0x63/0xf0 free_unref_page+0x36e/0x5c0 unpoison_memory+0x50b/0x630 simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110 debugfs_attr_write+0x42/0x60 full_proxy_write+0x5b/0x80 /0x550 ksys_write+0x64/0xe0 do_syscall_64+0xc2/ 0x1d0 Entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f189a514887 RSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffda RBX: 0000000000000000 RCX: 00007f189a514887 RDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003 RBP: 00007ffdcd8997a0 0000000000000000 R09: 00007ffdcd8994b2 R10 : 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8 R13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040 > La causa ra\u00edz deber\u00eda ser la siguiente raza: Memory_failure try_memory_failure_hugetlb me_huge_page __page_handle_poison dissolve_free_hugetlb_folio Drain_all_pages ---truncado---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/00b0752c7f15dfdf129cacc6a27d61c54141182b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/41cd2de3c95020b7f86a3cb5fab42fbf454a63bd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8cf360b9d6a840700e06864236a01a883b34bbad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bb9bb13ce64cc7cae47f5e2ab9ce93b7bfa0117e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39301", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:14.240", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix uninit-value in p9_client_rpc()\n\nSyzbot with the help of KMSAN reported the following error:\n\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\n\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net/9p: corrige el valor uninit en p9_client_rpc() Syzbot con la ayuda de KMSAN inform\u00f3 el siguiente error: ERROR: KMSAN: valor uninit en trace_9p_client_res include/trace/events/ 9p.h:146 [en l\u00ednea] ERROR: KMSAN: valor uninit en p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 trace_9p_client_res include/trace/events/9p.h:146 [en l\u00ednea] p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c: 122 Legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 montar fs/namespace.c:3692 [en l\u00ednea] __do_sys_mount fs/namespace.c:3898 [en l\u00ednea] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/ 0x1f0 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit se cre\u00f3 en: __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598 __alloc_pages_node include/linux/gfp.h:238 [en l\u00ednea] alloc_pages_node include/linux/gfp.h:261 [en l\u00ednea] p\u00e1gina mm /slub.c:2175 [en l\u00ednea] allocate_slab mm/slub.c:2338 [en l\u00ednea] new_slab+0x2de/0x1400 mm/slub.c:2391 ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525 __slab_alloc mm/slub.c :3610 [en l\u00ednea] __slab_alloc_node mm/slub.c:3663 [en l\u00ednea] slab_alloc_node mm/slub.c:3835 [en l\u00ednea] kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852 p9_tag_alloc net/9p/client.c:278 [ en l\u00ednea] p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641 p9_client_rpc+0x27e/0x1340 net/9p/client.c:688 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 1b9/0x28e0fs /9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 Legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/ 0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [en l\u00ednea] __do_sys_mount fs/namespace.c:3898 [en l\u00ednea] __se_sys_mount+0x725/0x810 fs/namespace .c: 3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c: 3875 do_syscall_64+0xd5/0x1f0 entry_syscall_64_after_hwframe+0x6d/0x75 if p9_check_errors () fails en p9_client no se inicialice correctamente. Sin embargo, trace_9p_client_res() termina intentando imprimirlo de todos modos antes de que finalice p9_client_rpc(). Solucione este problema asignando valores predeterminados a los campos p9_fcall como 'etiqueta' y (en caso de que KMSAN descubra algo nuevo) 'id' durante la etapa de asignaci\u00f3n de etiquetas."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/124947855564572713d705a13be7d0c9dae16a17", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2101901dd58c6da4924bc5efb217a1d83436290b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/25460d6f39024cc3b8241b14c7ccf0d6f11a736a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6c1791130b781c843572fb6391c4a4c5d857ab17", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/72c5d8e416ecc46af370a1340b3db5ff0b0cc867", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/89969ffbeb948ffc159d19252e7469490103011b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ca71f204711ad24113e8b344dc5bb8b0385f5672", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fe5c604053c36c62af24eee8a76407d026ea5163", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39362", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:14.327", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: acpi: Unbind mux adapters before delete\n\nThere is an issue with ACPI overlay table removal specifically related\nto I2C multiplexers.\n\nConsider an ACPI SSDT Overlay that defines a PCA9548 I2C mux on an\nexisting I2C bus. When this table is loaded we see the creation of a\ndevice for the overall PCA9548 chip and 8 further devices - one\ni2c_adapter each for the mux channels. These are all bound to their\nACPI equivalents via an eventual invocation of acpi_bind_one().\n\nWhen we unload the SSDT overlay we run into the problem. The ACPI\ndevices are deleted as normal via acpi_device_del_work_fn() and the\nacpi_device_del_list.\n\nHowever, the following warning and stack trace is output as the\ndeletion does not go smoothly:\n------------[ cut here ]------------\nkernfs: can not remove 'physical_node', no directory\nWARNING: CPU: 1 PID: 11 at fs/kernfs/dir.c:1674 kernfs_remove_by_name_ns+0xb9/0xc0\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u128:0 Not tainted 6.8.0-rc6+ #1\nHardware name: congatec AG conga-B7E3/conga-B7E3, BIOS 5.13 05/16/2023\nWorkqueue: kacpi_hotplug acpi_device_del_work_fn\nRIP: 0010:kernfs_remove_by_name_ns+0xb9/0xc0\nCode: e4 00 48 89 ef e8 07 71 db ff 5b b8 fe ff ff ff 5d 41 5c 41 5d e9 a7 55 e4 00 0f 0b eb a6 48 c7 c7 f0 38 0d 9d e8 97 0a d5 ff <0f> 0b eb dc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffff9f864008fb28 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff8ef90a8d4940 RCX: 0000000000000000\nRDX: ffff8f000e267d10 RSI: ffff8f000e25c780 RDI: ffff8f000e25c780\nRBP: ffff8ef9186f9870 R08: 0000000000013ffb R09: 00000000ffffbfff\nR10: 00000000ffffbfff R11: ffff8f000e0a0000 R12: ffff9f864008fb50\nR13: ffff8ef90c93dd60 R14: ffff8ef9010d0958 R15: ffff8ef9186f98c8\nFS:  0000000000000000(0000) GS:ffff8f000e240000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f48f5253a08 CR3: 00000003cb82e000 CR4: 00000000003506f0\nCall Trace:\n \n ? kernfs_remove_by_name_ns+0xb9/0xc0\n ? __warn+0x7c/0x130\n ? kernfs_remove_by_name_ns+0xb9/0xc0\n ? report_bug+0x171/0x1a0\n ? handle_bug+0x3c/0x70\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? kernfs_remove_by_name_ns+0xb9/0xc0\n ? kernfs_remove_by_name_ns+0xb9/0xc0\n acpi_unbind_one+0x108/0x180\n device_del+0x18b/0x490\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n device_unregister+0xd/0x30\n i2c_del_adapter.part.0+0x1bf/0x250\n i2c_mux_del_adapters+0xa1/0xe0\n i2c_device_remove+0x1e/0x80\n device_release_driver_internal+0x19a/0x200\n bus_remove_device+0xbf/0x100\n device_del+0x157/0x490\n ? __pfx_device_match_fwnode+0x10/0x10\n ? srso_return_thunk+0x5/0x5f\n device_unregister+0xd/0x30\n i2c_acpi_notify+0x10f/0x140\n notifier_call_chain+0x58/0xd0\n blocking_notifier_call_chain+0x3a/0x60\n acpi_device_del_work_fn+0x85/0x1d0\n process_one_work+0x134/0x2f0\n worker_thread+0x2f0/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe3/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n---[ end trace 0000000000000000 ]---\n...\nrepeated 7 more times, 1 for each channel of the mux\n...\n\nThe issue is that the binding of the ACPI devices to their peer I2C\nadapters is not correctly cleaned up. Digging deeper into the issue we\nsee that the deletion order is such that the ACPI devices matching the\nmux channel i2c adapters are deleted first during the SSDT overlay\nremoval. For each of the channels we see a call to i2c_acpi_notify()\nwith ACPI_RECONFIG_DEVICE_REMOVE but, because these devices are not\nactually i2c_clients, nothing is done for them.\n\nLater on, after each of the mux channels has been dealt with, we come\nto delete the i2c_client representing the PCA9548 device. This is the\ncall stack we see above, whereby the kernel cleans up the i2c_client\nincluding destruction of the mux and its channel adapters. At this\npoint we do attempt to unbind from the ACPI peers but those peers \n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: i2c: acpi: desvincular adaptadores mux antes de eliminar Hay un problema con la eliminaci\u00f3n de la tabla de superposici\u00f3n ACPI espec\u00edficamente relacionado con los multiplexores I2C. Considere una superposici\u00f3n ACPI SSDT que define un mux I2C PCA9548 en un bus I2C existente. Cuando se carga esta tabla, vemos la creaci\u00f3n de un dispositivo para el chip PCA9548 general y 8 dispositivos m\u00e1s, un i2c_adapter cada uno para los canales mux. Todos estos est\u00e1n vinculados a sus equivalentes ACPI mediante una eventual invocaci\u00f3n de acpi_bind_one(). Cuando descargamos la superposici\u00f3n SSDT nos encontramos con el problema. Los dispositivos ACPI se eliminan normalmente a trav\u00e9s de acpi_device_del_work_fn() y acpi_device_del_list. Sin embargo, se genera la siguiente advertencia y seguimiento de la pila ya que la eliminaci\u00f3n no se realiza correctamente: ------------[ cortar aqu\u00ed ]------------ kernfs: no se puede elimine 'physical_node', sin directorio ADVERTENCIA: CPU: 1 PID: 11 en fs/kernfs/dir.c:1674 kernfs_remove_by_name_ns+0xb9/0xc0 M\u00f3dulos vinculados en: CPU: 1 PID: 11 Comm: kworker/u128:0 No contaminado 6.8 .0-rc6+ #1 Nombre de hardware: congatec AG conga-B7E3/conga-B7E3, BIOS 5.13 16/05/2023 Cola de trabajo: kacpi_hotplug acpi_device_del_work_fn RIP: 0010:kernfs_remove_by_name_ns+0xb9/0xc0 C\u00f3digo: e4 00 48 89 ef e8 07 71db ff 5b b8 fe ff ff ff 5d 41 5c 41 5d e9 a7 55 e4 00 0f 0b eb a6 48 c7 c7 f0 38 0d 9d e8 97 0a d5 ff <0f> 0b eb dc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffff9f864008fb28 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff8ef90a8d4940 RCX: 0000000000000000 RDX: 8f000e267d10 RSI: ffff8f000e25c780 RDI: ffff8f000e25c780 RBP: ffff8ef9186f9870 R08: 0000000000013ffb R09: 00000000ffffbfff R10: 00000000ffffbfff R11 : ffff8f000e0a0000 R12: ffff9f864008fb50 R13: ffff8ef90c93dd60 R14: ffff8ef9010d0958 R15: ffff8ef9186f98c8 FS: 0000000000000000(0000) GS:ffff8f000e240000(0000) 00000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f48f5253a08 CR3: 00000003cb82e000 CR4: 00000000003506f0 Rastreo de llamadas: < TAREA> ? kernfs_remove_by_name_ns+0xb9/0xc0? __advertir+0x7c/0x130 ? kernfs_remove_by_name_ns+0xb9/0xc0? report_bug+0x171/0x1a0? handle_bug+0x3c/0x70? exc_invalid_op+0x17/0x70? asm_exc_invalid_op+0x1a/0x20? kernfs_remove_by_name_ns+0xb9/0xc0? kernfs_remove_by_name_ns+0xb9/0xc0 acpi_unbind_one+0x108/0x180 device_del+0x18b/0x490 ? srso_return_thunk+0x5/0x5f? srso_return_thunk+0x5/0x5f dispositivo_unregister+0xd/0x30 i2c_del_adapter.part.0+0x1bf/0x250 i2c_mux_del_adapters+0xa1/0xe0 i2c_device_remove+0x1e/0x80 dispositivo_release_driver_internal+0x19a/0x200 move_device+0xbf/0x100 dispositivo_del+0x157/0x490 ? __pfx_device_match_fwnode+0x10/0x10? srso_return_thunk+0x5/0x5f device_unregister+0xd/0x30 i2c_acpi_notify+0x10f/0x140 notifier_call_chain+0x58/0xd0 blocking_notifier_call_chain+0x3a/0x60 acpi_device_del_work_fn+0x85/0x1d0 34/0x2f0 hilo_trabajador+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe3/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30  ---[ end trace 0000000000000000 ]--- ... repetido 7 veces m\u00e1s, 1 por cada canal del mux ... El problema es que el enlace de los dispositivos ACPI a sus adaptadores I2C pares no se limpian correctamente. Profundizando en el problema, vemos que el orden de eliminaci\u00f3n es tal que los dispositivos ACPI que coinciden con los adaptadores i2c del canal mux se eliminan primero durante la eliminaci\u00f3n de la superposici\u00f3n SSDT. Para cada uno de los canales vemos una llamada a i2c_acpi_notify() con ACPI_RECONFIG_DEVICE_REMOVE pero, como estos dispositivos no son en realidad i2c_clients, no se hace nada por ellos. M\u00e1s adelante, despu\u00e9s de haber tratado cada uno de los canales mux, procedemos a eliminar el i2c_client que representa el dispositivo PCA9548.  ---truncados---"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/3f858bbf04dbac934ac279aaee05d49eb9910051", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4f08050a47a59d199e214d711b989bb4f5150373", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/90dd0592b3b005d6f15c4e23e1364d3ae95e588d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b1574c8c0a80bd587a7651bf64f00be1f5391d27", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39371", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:14.410", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: check for non-NULL file pointer in io_file_can_poll()\n\nIn earlier kernels, it was possible to trigger a NULL pointer\ndereference off the forced async preparation path, if no file had\nbeen assigned. The trace leading to that looks as follows:\n\nBUG: kernel NULL pointer dereference, address: 00000000000000b0\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022\nRIP: 0010:io_buffer_select+0xc3/0x210\nCode: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b\nRSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246\nRAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040\nRDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700\nRBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020\nR10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8\nR13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000\nFS:  00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0\nCall Trace:\n \n ? __die+0x1f/0x60\n ? page_fault_oops+0x14d/0x420\n ? do_user_addr_fault+0x61/0x6a0\n ? exc_page_fault+0x6c/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? io_buffer_select+0xc3/0x210\n __io_import_iovec+0xb5/0x120\n io_readv_prep_async+0x36/0x70\n io_queue_sqe_fallback+0x20/0x260\n io_submit_sqes+0x314/0x630\n __do_sys_io_uring_enter+0x339/0xbc0\n ? __do_sys_io_uring_register+0x11b/0xc50\n ? vm_mmap_pgoff+0xce/0x160\n do_syscall_64+0x5f/0x180\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0x55e0a110a67e\nCode: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05  90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6\n\nbecause the request is marked forced ASYNC and has a bad file fd, and\nhence takes the forced async prep path.\n\nCurrent kernels with the request async prep cleaned up can no longer hit\nthis issue, but for ease of backporting, let's add this safety check in\nhere too as it really doesn't hurt. For both cases, this will inevitably\nend with a CQE posted with -EBADF."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: comprueba si hay un puntero de archivo que no sea NULL en io_file_can_poll(). En kernels anteriores, era posible activar una desreferencia del puntero NULL fuera de la ruta de preparaci\u00f3n asincr\u00f3nica forzada, si no se hab\u00eda creado ning\u00fan archivo. asignado. El rastro que conduce a esto tiene el siguiente aspecto: ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 00000000000000b0 PGD 0 P4D 0 Ups: 0000 [#1] CPU SMP PREEMPT: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0 -rc3+ #1 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS desconocido 2/2/2022 RIP: 0010:io_buffer_select+0xc3/0x210 C\u00f3digo: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 84 21 01 00 00 4c 8b 20 5b RSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246 RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 00000000000000040 RDX: 0000000000000000 RSI: 97aecfb04820 RDI: ffff97af234f1700 RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020 R10: ffffb7bec38c7dc8 R11: 000000000000 c000 R12: ffffb7bec38c7db8 R13: ffff97aecfb05800 R14 : ffff97aecfb05800 R15: ffff97af2be5e000 FS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:00000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0 Seguimiento de llamadas:  ? __die+0x1f/0x60 ? page_fault_oops+0x14d/0x420? do_user_addr_fault+0x61/0x6a0? exc_page_fault+0x6c/0x150? asm_exc_page_fault+0x22/0x30? io_buffer_select+0xc3/0x210 __io_import_iovec+0xb5/0x120 io_readv_prep_async+0x36/0x70 io_queue_sqe_fallback+0x20/0x260 io_submit_sqes+0x314/0x630 __do_sys_io_uring_enter+0x33 9/0xbc0 ? __do_sys_io_uring_register+0x11b/0xc50? vm_mmap_pgoff+0xce/0x160 do_syscall_64+0x5f/0x180 Entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0x55e0a110a67e C\u00f3digo: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 0 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05  90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6 porque la solicitud est\u00e1 marcada como ASYNC forzado y tiene un archivo incorrecto fd y, por lo tanto, toma la ruta de preparaci\u00f3n asincr\u00f3nica forzada. Los kernels actuales con la preparaci\u00f3n as\u00edncrona de solicitud limpia ya no pueden solucionar este problema, pero para facilitar la compatibilidad, agreguemos esta verificaci\u00f3n de seguridad aqu\u00ed tambi\u00e9n, ya que realmente no hace da\u00f1o. En ambos casos, esto inevitablemente terminar\u00e1 con un CQE publicado con -EBADF."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/43cfac7b88adedfb26c27834386992650f1642f3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5fc16fa5f13b3c06fdb959ef262050bd810416a2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/65561b4c1c9e01443cb76387eb36a9109e7048ee", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c2844d5e58576c55d8e8d4a9f74902d3f7be8044", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39461", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:14.500", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: rpi: Assign ->num before accessing ->hws\n\nCommit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with\n__counted_by\") annotated the hws member of 'struct clk_hw_onecell_data'\nwith __counted_by, which informs the bounds sanitizer about the number\nof elements in hws, so that it can warn when hws is accessed out of\nbounds. As noted in that change, the __counted_by member must be\ninitialized with the number of elements before the first array access\nhappens, otherwise there will be a warning from each access prior to the\ninitialization because the number of elements is zero. This occurs in\nraspberrypi_discover_clocks() due to ->num being assigned after ->hws\nhas been accessed:\n\n  UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-raspberrypi.c:374:4\n  index 3 is out of range for type 'struct clk_hw *[] __counted_by(num)' (aka 'struct clk_hw *[]')\n\nMove the ->num initialization to before the first access of ->hws, which\nclears up the warning."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: clk: bcm: rpi: Assign ->num before accessing ->hws Commit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with __counted_by\") anot\u00f3 el miembro hws de 'struct clk_hw_onecell_data' con __counted_by, que informa al sanitizante de los l\u00edmites sobre la cantidad de elementos en hws, para que pueda advertir cuando se accede a hws fuera de los l\u00edmites. Como se se\u00f1al\u00f3 en ese cambio, el miembro __counted_by debe inicializarse con la cantidad de elementos antes de que ocurra el primer acceso a la matriz; de lo contrario, habr\u00e1 una advertencia de cada acceso antes de la inicializaci\u00f3n porque la cantidad de elementos es cero. Esto ocurre en raspberrypi_discover_clocks() debido a que ->num se asigna despu\u00e9s de que se haya accedido a ->hws: UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-raspberrypi.c:374:4 index 3 est\u00e1 fuera del rango para el tipo 'struct clk_hw *[] __counted_by(num)' (tambi\u00e9n conocido como 'struct clk_hw *[]') Mueva la inicializaci\u00f3n ->num antes del primer acceso de ->hws, lo que borra la advertencia."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/6dc445c1905096b2ed4db1a84570375b4e00cc0f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9562dbe5cdbb16ac887d27ef6f179980bb99193c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cdf9c7871d58d3df59d2775982e3533adb8ec920", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39462", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:14.580", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: dvp: Assign ->num before accessing ->hws\n\nCommit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with\n__counted_by\") annotated the hws member of 'struct clk_hw_onecell_data'\nwith __counted_by, which informs the bounds sanitizer about the number\nof elements in hws, so that it can warn when hws is accessed out of\nbounds. As noted in that change, the __counted_by member must be\ninitialized with the number of elements before the first array access\nhappens, otherwise there will be a warning from each access prior to the\ninitialization because the number of elements is zero. This occurs in\nclk_dvp_probe() due to ->num being assigned after ->hws has been\naccessed:\n\n  UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-bcm2711-dvp.c:59:2\n  index 0 is out of range for type 'struct clk_hw *[] __counted_by(num)' (aka 'struct clk_hw *[]')\n\nMove the ->num initialization to before the first access of ->hws, which\nclears up the warning."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: clk: bcm: dvp: Assign ->num before accessing ->hws Commit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with __counted_by\") anot\u00f3 el miembro hws de 'struct clk_hw_onecell_data' con __counted_by, que informa al sanitizante de los l\u00edmites sobre la cantidad de elementos en hws, para que pueda advertir cuando se accede a hws fuera de los l\u00edmites. Como se se\u00f1al\u00f3 en ese cambio, el miembro __counted_by debe inicializarse con la cantidad de elementos antes de que ocurra el primer acceso a la matriz; de lo contrario, habr\u00e1 una advertencia de cada acceso antes de la inicializaci\u00f3n porque la cantidad de elementos es cero. Esto ocurre en clk_dvp_probe() debido a que ->num se asigna despu\u00e9s de que se haya accedido a ->hws: UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-bcm2711-dvp.c:59:2 El \u00edndice 0 est\u00e1 fuera del rango para el tipo 'struct clk_hw *[] __counted_by(num)' (tambi\u00e9n conocido como 'struct clk_hw *[]'). Mueva la inicializaci\u00f3n ->num antes del primer acceso de ->hws, lo que borra la advertencia. ."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0dc913217fb79096597005bba9ba738e2db5cd02", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9368cdf90f52a68120d039887ccff74ff33b4444", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a1dd92fca0d6b58b55ed0484f75d4205dbb77010", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39463", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:14.760", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: add missing locking around taking dentry fid list\n\nFix a use-after-free on dentry's d_fsdata fid list when a thread\nlooks up a fid through dentry while another thread unlinks it:\n\nUAF thread:\nrefcount_t: addition on 0; use-after-free.\n p9_fid_get linux/./include/net/9p/client.h:262\n v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129\n v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181\n v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314\n v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400\n vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248\n\nFreed by:\n p9_fid_destroy (inlined)\n p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456\n p9_fid_put linux/./include/net/9p/client.h:278\n v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55\n v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518\n vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335\n\nThe problem is that d_fsdata was not accessed under d_lock, because\nd_release() normally is only called once the dentry is otherwise no\nlonger accessible but since we also call it explicitly in v9fs_remove\nthat lock is required:\nmove the hlist out of the dentry under lock then unref its fids once\nthey are no longer accessible."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: 9p: agregar bloqueo faltante al tomar la lista de fid de dentry. Se corrigi\u00f3 un use-after-free en la lista de fid d_fsdata de dentry cuando un subproceso busca un fid a trav\u00e9s de dentry mientras otro subproceso lo desvincula: UAF hilo: refcount_t: suma en 0; use-after-free. p9_fid_get linux/./include/net/9p/client.h:262 v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129 v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181 v9fs_fid_lookup+0xbf/0xc20 Linux /fs/9p/fid.c:314 v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400 vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248 Liberado por: p9_fid_destroy (en l\u00ednea) desconocido+0xb0 /0xe0 linux/net/9p/client.c:1456 p9_fid_put linux/./include/net/9p/client.h:278 v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55 v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518 vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335 El problema es que no se accedi\u00f3 a d_fsdata bajo d_lock, porque normalmente d_release() solo se llama una vez que dentry no est\u00e1 disponible. ya no es accesible, pero como tambi\u00e9n lo llamamos expl\u00edcitamente en v9fs_remove, ese bloqueo es necesario: mueva la hlist fuera del dentry bajo bloqueo y luego elimine la referencia de sus fids una vez que ya no sean accesibles."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/c898afdc15645efb555acb6d85b484eb40a45409", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cb299cdba09f46f090b843d78ba26b667d50a456", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fe17ebf22feb4ad7094d597526d558a49aac92b4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39464", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:14.953", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l: async: Fix notifier list entry init\n\nstruct v4l2_async_notifier has several list_head members, but only\nwaiting_list and done_list are initialized. notifier_entry was kept\n'zeroed' leading to an uninitialized list_head.\nThis results in a NULL-pointer dereference if csi2_async_register() fails,\ne.g. node for remote endpoint is disabled, and returns -ENOTCONN.\nThe following calls to v4l2_async_nf_unregister() results in a NULL\npointer dereference.\nAdd the missing list head initializer."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: v4l: async: correcci\u00f3n de la entrada de la lista de notificadores init struct v4l2_async_notifier tiene varios miembros list_head, pero solo se inicializan la lista de espera y la lista de hechos. notifier_entry se mantuvo 'puesto a cero', lo que gener\u00f3 un list_head no inicializado. Esto da como resultado una desreferencia del puntero NULL si csi2_async_register() falla, por ejemplo, el nodo para el endpoint remoto est\u00e1 deshabilitado y devuelve -ENOTCONN. Las siguientes llamadas a v4l2_async_nf_unregister() dan como resultado una desreferencia del puntero NULL. Agregue el inicializador de encabezado de lista que falta."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/44f6d619c30f0c65fcdd2b6eba70fdb4460d87ad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6d8acd02c4c6a8f917eefac1de2e035521ca119d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a80d1da923f671c1e6a14e8417cd2f117b27a442", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39465", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:15.037", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mgb4: Fix double debugfs remove\n\nFixes an error where debugfs_remove_recursive() is called first on a parent\ndirectory and then again on a child which causes a kernel panic.\n\n[hverkuil: added Fixes/Cc tags]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: mgb4: Fix double debugfs remove Corrige un error donde se llama a debugfs_remove_recursive() primero en un directorio principal y luego nuevamente en un hijo, lo que provoca un p\u00e1nico en el kernel. [hverkuil: se agregaron correcciones/etiquetas CC]"}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/252204b634efffd8b167d77413c93d0192aaf5f6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/825fc49497957310e421454fe3fb8b8d8d8e2dd2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39466", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:15.117", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/qcom/lmh: Check for SCM availability at probe\n\nUp until now, the necessary scm availability check has not been\nperformed, leading to possible null pointer dereferences (which did\nhappen for me on RB1).\n\nFix that."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Thermal/drivers/qcom/lmh: Verificar la disponibilidad de SCM en la sonda Hasta ahora, no se ha realizado la verificaci\u00f3n de disponibilidad de SCM necesaria, lo que lleva a posibles desreferencias de puntero nulo (lo que me pas\u00f3 en RB1). Arregla eso."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/0a47ba94ec3d8f782b33e3d970cfcb769b962464", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2226b145afa5e13cb60dbe77fb20fb0666a1caf3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/560d69c975072974c11434ca6953891e74c1a665", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aa1a0807b4a76b44fb6b58a7e9087cd4b18ab41b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d9d3490c48df572edefc0b64655259eefdcbb9be", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39467", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:15.190", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\n\nsyzbot reports a kernel bug as below:\n\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n==================================================================\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\n\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\n current_nat_addr fs/f2fs/node.h:213 [inline]\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\n __do_sys_ioctl fs/ioctl.c:902 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is we missed to do sanity check on i_xattr_nid during\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\nkasan bug report, fix it."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: f2fs: correcci\u00f3n para realizar una verificaci\u00f3n de estado en i_xattr_nid en sanity_check_inode() syzbot informa un error en el kernel como se muestra a continuaci\u00f3n: F2FS-fs (loop0): Montado con la versi\u00f3n de punto de control = 48b305e4 ==== ==================================================== ============ ERROR: KASAN: losa fuera de los l\u00edmites en f2fs_test_bit fs/f2fs/f2fs.h:2933 [en l\u00ednea] ERROR: KASAN: losa fuera de los l\u00edmites en current_nat_addr fs/f2fs/node.h:213 [en l\u00ednea] ERROR: KASAN: losa fuera de los l\u00edmites en f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600 Lectura de tama\u00f1o 1 en la direcci\u00f3n ffff88807a58c76c mediante la tarea syz-executor280 /5076 CPU: 1 PID: 5076 Comm: syz-executor280 No contaminado 6.9.0-rc5-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 27/03/2024 Seguimiento de llamadas:  __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [en l\u00ednea] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report +0x143/0x180 mm/kasan/report.c:601 f2fs_test_bit fs/f2fs/f2fs.h:2933 [en l\u00ednea] current_nat_addr fs/f2fs/node.h:213 [en l\u00ednea] f2fs_get_node_info+0xece/0x1200 fs/f2fs/node. c:600 f2fs_xattr_fiemap fs/f2fs/data.c:1848 [en l\u00ednea] f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925 ioctl_fiemap fs/ioctl.c:220 [en l\u00ednea] do_vfs_ioctl+0x1c07/0x2e50 ioctl. c:838 __do_sys_ioctl fs/ioctl.c:902 [en l\u00ednea] __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64+0xf5/0x240 arch/x86/ Entry/common.c:83 Entry_SYSCALL_64_after_hwframe+0x77/0x7f La causa principal es que no hicimos una verificaci\u00f3n de cordura en i_xattr_nid durante f2fs_iget(), de modo que en la ruta fiemap(), current_nat_addr() acceder\u00e1 a nat_bitmap con desplazamiento desde i_xattr_nid no v\u00e1lido, resulta en la activaci\u00f3n del informe de error de Kasan, corr\u00edjalo."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/1640dcf383cdba52be8b28d2a1a2aa7ef7a30c98", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/20faaf30e55522bba2b56d9c46689233205d7717", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/68e3cd4ecb8603936cccdc338929130045df2e57", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/75c87e2ac6149abf44bdde0dd6d541763ddb0dff", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8c8aa473fe6eb46a4bf99f3ea2dbe52bf0c1a1f0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/be0155202e431f3007778568a72432c68f8946ba", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c559a8d840562fbfce9f318448dda2f7d3e6d8e8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39468", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:15.270", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix deadlock in smb2_find_smb_tcon()\n\nUnlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such\ndeadlock."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: soluciona el punto muerto en smb2_find_smb_tcon() Desbloquea cifs_tcp_ses_lock antes de llamar a cifs_put_smb_ses() para evitar dicho punto muerto."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/02c418774f76a0a36a6195c9dbf8971eb4130a15", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/225de871ddf994f69a57f035709cad9c0ab8615a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8d0f5f1ccf675454a833a573c53830a49b7d1a47", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b09b556e48968317887a11243a5331a7bc00ece5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39469", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:15.340", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors\n\nThe error handling in nilfs_empty_dir() when a directory folio/page read\nfails is incorrect, as in the old ext2 implementation, and if the\nfolio/page cannot be read or nilfs_check_folio() fails, it will falsely\ndetermine the directory as empty and corrupt the file system.\n\nIn addition, since nilfs_empty_dir() does not immediately return on a\nfailed folio/page read, but continues to loop, this can cause a long loop\nwith I/O if i_size of the directory's inode is also corrupted, causing the\nlog writer thread to wait and hang, as reported by syzbot.\n\nFix these issues by making nilfs_empty_dir() immediately return a false\nvalue (0) if it fails to get a directory folio/page."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: corrige el error de c\u00e1lculo de nilfs_empty_dir() y el bucle largo en errores de E/S. El manejo de errores en nilfs_empty_dir() cuando falla la lectura de una p\u00e1gina/folio de directorio es incorrecto, como en el antiguo ext2 implementaci\u00f3n, y si la publicaci\u00f3n/p\u00e1gina no se puede leer o nilfs_check_folio() falla, determinar\u00e1 err\u00f3neamente que el directorio est\u00e1 vac\u00edo y da\u00f1ar\u00e1 el sistema de archivos. Adem\u00e1s, dado que nilfs_empty_dir() no regresa inmediatamente tras una lectura fallida de un folio/p\u00e1gina, sino que contin\u00faa en bucle, esto puede provocar un bucle largo con E/S si i_size del inodo del directorio tambi\u00e9n est\u00e1 da\u00f1ado, lo que provoca que el subproceso del escritor de registros se bloquee. espera y cuelga, seg\u00fan lo informado por syzbot. Solucione estos problemas haciendo que nilfs_empty_dir() devuelva inmediatamente un valor falso (0) si no puede obtener una p\u00e1gina/folio del directorio."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/129dcd3e7d036218db3f59c82d82004b9539ed82", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/59f14875a96ef93f05b82ad3c980605f2cb444b5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7373a51e7998b508af7136530f3a997b286ce81c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d18b05eda7fa77f02114f15b02c009f28ee42346", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39470", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:15.417", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neventfs: Fix a possible null pointer dereference in eventfs_find_events()\n\nIn function eventfs_find_events,there is a potential null pointer\nthat may be caused by calling update_events_attr which will perform\nsome operations on the members of the ei struct when ei is NULL.\n\nHence,When ei->is_freed is set,return NULL directly."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: eventfs: se corrige una posible desreferencia de puntero nulo en eventfs_find_events() En la funci\u00f3n eventfs_find_events, existe un posible puntero nulo que puede deberse a la llamada a update_events_attr que realizar\u00e1 algunas operaciones en los miembros de la estructura ei cuando ei es NULL. Por lo tanto, cuando se establece ei->is_freed, se devuelve NULL directamente."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/5ade5fbdbbb1f023bb70730ba4d74146c8bc7eb9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7a1b2d138189375ed1dcd7d0851118230221bd1d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d4e9a968738bf66d3bb852dd5588d4c7afd6d7f4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-39471", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-06-25T15:15:15.490", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add error handle to avoid out-of-bounds\n\nif the sdma_v4_0_irq_id_to_seq return -EINVAL, the process should\nbe stop to avoid out-of-bounds read, so directly return -EINVAL."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: drm/amdgpu: agregue un controlador de error para evitar lecturas fuera de los l\u00edmites si sdma_v4_0_irq_id_to_seq devuelve -EINVAL, el proceso debe detenerse para evitar lecturas fuera de los l\u00edmites, por lo que debe regresar directamente -EINVAL."}], "metrics": {}, "references": [{"url": "https://git.kernel.org/stable/c/011552f29f20842c9a7a21bffe1f6a2d6457ba46", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0964c84b93db7fbf74f357c1e20957850e092db3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5594971e02764aa1c8210ffb838cb4e7897716e8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5b0a3dc3e87821acb80e841b464d335aff242691", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8112fa72b7f139052843ff484130d6f97e9f052f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8b2faf1a4f3b6c748c0da36cda865a226534d520", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ea906e9ac61e3152bef63597f2d9f4a812fc346a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}, {"cve": {"id": "CVE-2024-5805", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T15:15:15.603", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP modules) allows Authentication Bypass.This issue affects MOVEit Gateway: 2024.0.0."}, {"lang": "es", "value": "Vulnerabilidad de autenticaci\u00f3n incorrecta en progreso MOVEit Gateway (m\u00f3dulos SFTP) permite omitir la autenticaci\u00f3n. Este problema afecta a MOVEit Gateway: 2024.0.0."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://community.progress.com/s/article/MOVEit-Gateway-Critical-Security-Alert-Bulletin-June-2024-CVE-2024-5805", "source": "security@progress.com"}, {"url": "https://www.progress.com/moveit", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5806", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T15:15:15.850", "lastModified": "2024-06-26T00:15:11.293", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2."}, {"lang": "es", "value": "Vulnerabilidad de autenticaci\u00f3n incorrecta en Progress MOVEit Transfer (m\u00f3dulo SFTP) puede provocar una omisi\u00f3n de autenticaci\u00f3n. Este problema afecta a MOVEit Transfer: desde 2023.0.0 antes de 2023.0.11, desde 2023.1.0 antes de 2023.1.6, desde 2024.0.0 antes de 2024.0.2."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806", "source": "security@progress.com"}, {"url": "https://www.progress.com/moveit", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-0171", "sourceIdentifier": "security_alert@emc.com", "published": "2024-06-25T16:15:24.197", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Dell PowerEdge Server BIOS contains an TOCTOU race condition vulnerability. A local low privileged attacker could potentially exploit this vulnerability to gain access to otherwise unauthorized resources."}, {"lang": "es", "value": "Dell PowerEdge Server BIOS contiene una vulnerabilidad de condici\u00f3n de ejecuci\u00f3n TOCTOU. Un atacante local con pocos privilegios podr\u00eda explotar esta vulnerabilidad para obtener acceso a recursos que de otro modo no estar\u00edan autorizados."}], "metrics": {"cvssMetricV31": [{"source": "security_alert@emc.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.1, "impactScore": 3.7}]}, "weaknesses": [{"source": "security_alert@emc.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-367"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000226253/dsa-2024-039-security-update-for-dell-amd-based-poweredge-server-vulnerability", "source": "security_alert@emc.com"}]}}, {"cve": {"id": "CVE-2024-5988", "sourceIdentifier": "PSIRT@rockwellautomation.com", "published": "2024-06-25T16:15:24.937", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the Rockwell Automation\u00a0ThinManager\u00ae ThinServer\u2122."}, {"lang": "es", "value": "Debido a una validaci\u00f3n de entrada incorrecta, un actor de amenazas no autenticado puede enviar un mensaje malicioso para invocar un ejecutable local o remoto y provocar una condici\u00f3n de ejecuci\u00f3n remota de c\u00f3digo en el ThinManager\u00ae ThinServer\u2122 de Rockwell Automation."}], "metrics": {}, "weaknesses": [{"source": "PSIRT@rockwellautomation.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1677.html", "source": "PSIRT@rockwellautomation.com"}]}}, {"cve": {"id": "CVE-2024-5989", "sourceIdentifier": "PSIRT@rockwellautomation.com", "published": "2024-06-25T16:15:25.363", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the Rockwell Automation\u00a0ThinManager\u00ae ThinServer\u2122."}, {"lang": "es", "value": "Debido a una validaci\u00f3n de entrada incorrecta, un actor de amenazas no autenticado puede enviar un mensaje malicioso para invocar una inyecci\u00f3n SQL en el programa y provocar una condici\u00f3n de ejecuci\u00f3n remota de c\u00f3digo en el ThinManager\u00ae ThinServer\u2122 de Rockwell Automation."}], "metrics": {}, "weaknesses": [{"source": "PSIRT@rockwellautomation.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1677.html", "source": "PSIRT@rockwellautomation.com"}]}}, {"cve": {"id": "CVE-2024-5990", "sourceIdentifier": "PSIRT@rockwellautomation.com", "published": "2024-06-25T16:15:25.470", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within Rockwell Automation ThinServer\u2122 and cause a denial-of-service condition on the affected device."}, {"lang": "es", "value": "Debido a una validaci\u00f3n de entrada incorrecta, un actor de amenazas no autenticado puede enviar un mensaje malicioso a un hilo de monitor dentro de Rockwell Automation ThinServer\u2122 y provocar una condici\u00f3n de denegaci\u00f3n de servicio en el dispositivo afectado."}], "metrics": {}, "weaknesses": [{"source": "PSIRT@rockwellautomation.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1677.html", "source": "PSIRT@rockwellautomation.com"}]}}, {"cve": {"id": "CVE-2024-6238", "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "published": "2024-06-25T16:15:25.727", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "pgAdmin <= 8.8 has an installation Directory permission issue.\u00a0Because of this issue,\u00a0attackers can gain unauthorised access to the installation directory on the Debian or RHEL 8 platforms."}, {"lang": "es", "value": "pgAdmin <= 8.8 tiene un problema de permiso de directorio de instalaci\u00f3n. Debido a este problema, los atacantes pueden obtener acceso no autorizado al directorio de instalaci\u00f3n en las plataformas Debian o RHEL 8."}], "metrics": {"cvssMetricV31": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 3.7}]}, "references": [{"url": "https://github.com/pgadmin-org/pgadmin4/issues/7605", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007"}]}}, {"cve": {"id": "CVE-2024-6257", "sourceIdentifier": "security@hashicorp.com", "published": "2024-06-25T17:15:10.827", "lastModified": "2024-06-25T18:50:42.040", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "HashiCorp\u2019s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution."}, {"lang": "es", "value": "Se puede obligar a la librer\u00eda de HashiCorp a ejecutar una actualizaci\u00f3n de Git en una configuraci\u00f3n de Git existente modificada maliciosamente, lo que podr\u00eda conducir a la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "metrics": {"cvssMetricV31": [{"source": "security@hashicorp.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.7, "impactScore": 6.0}]}, "weaknesses": [{"source": "security@hashicorp.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081", "source": "security@hashicorp.com"}]}}, {"cve": {"id": "CVE-2024-6308", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-25T17:15:11.180", "lastModified": "2024-06-25T21:16:02.087", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability was found in itsourcecode Simple Online Hotel Reservation System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file index.php. The manipulation of the argument username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-269620."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en itsourcecode Simple Online Hotel Reservation System 1.0. Ha sido declarada cr\u00edtica. Esta vulnerabilidad afecta a un c\u00f3digo desconocido del archivo index.php. La manipulaci\u00f3n del argumento nombre de usuario conduce a la inyecci\u00f3n de SQL. El ataque se puede iniciar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-269620."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/L1OudFd8cl09/CVE/blob/main/25_06_2024_a.md", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.269620", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269620", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.363955", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-36819", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T19:15:11.837", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "MAP-OS 4.45.0 and earlier is vulnerable to Cross-Site Scripting (XSS). This vulnerability allows malicious users to insert a malicious payload into the \"Client Name\" input. When a service order from this client is created, the malicious payload is displayed on the administrator and employee dashboards, resulting in unauthorized script execution whenever the dashboard is loaded."}, {"lang": "es", "value": "MAP-OS 4.45.0 y versiones anteriores son vulnerables a Cross-Site Scripting (XSS). Esta vulnerabilidad permite a usuarios malintencionados insertar un payload malicioso en la entrada \"Nombre del cliente\". Cuando se crea una orden de servicio de este cliente, el payload malicioso se muestra en los paneles de administrador y de empleado, lo que resulta en la ejecuci\u00f3n de scripts no autorizados cada vez que se carga el panel."}], "metrics": {}, "references": [{"url": "https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929", "source": "cve@mitre.org"}, {"url": "https://github.com/RamonSilva20/mapos/tree/master", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37820", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T19:15:11.943", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A nil pointer dereference in PingCAP TiDB v8.2.0-alpha-216-gfe5858b allows attackers to crash the application via expression.inferCollation."}, {"lang": "es", "value": "Una desreferencia de puntero nulo en PingCAP TiDB v8.2.0-alpha-216-gfe5858b permite a los atacantes bloquear la aplicaci\u00f3n mediante expression.inferCollation."}], "metrics": {}, "references": [{"url": "https://github.com/pingcap/tidb/issues/53580", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37167", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-25T20:15:11.513", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Tuleap is an Open Source Suite to improve management of software developments and collaboration. Users are able to see backlog items that they should not see. This issue has been patched in Tuleap Community Edition version 15.9.99.97."}, {"lang": "es", "value": "Tuleap es una suite de c\u00f3digo abierto para mejorar la gesti\u00f3n de los desarrollos de software y la colaboraci\u00f3n. Los usuarios pueden ver los elementos pendientes que no deber\u00edan ver. Este problema se solucion\u00f3 en la versi\u00f3n 15.9.99.97 de Tuleap Community Edition."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://github.com/Enalean/tuleap/commit/13eec93a353d2daf47bb8b9c548cc02f78b93a5e", "source": "security-advisories@github.com"}, {"url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-4c9f-284j-phvj", "source": "security-advisories@github.com"}, {"url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=13eec93a353d2daf47bb8b9c548cc02f78b93a5e", "source": "security-advisories@github.com"}, {"url": "https://tuleap.net/plugins/tracker/?aid=38297", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-37894", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-25T20:15:11.873", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Out-of-bounds Write error when assigning ESI variables, Squid is susceptible to a Memory Corruption error. This error can lead to a Denial of Service attack."}, {"lang": "es", "value": "Squid es un proxy de almacenamiento en cach\u00e9 para la Web que admite HTTP, HTTPS, FTP y m\u00e1s. Debido a un error de escritura fuera de los l\u00edmites al asignar variables ESI, Squid es susceptible a un error de corrupci\u00f3n de memoria. Este error puede provocar un ataque de denegaci\u00f3n de servicio."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 4.0}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch", "source": "security-advisories@github.com"}, {"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-wgvf-q977-9xjg", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-4498", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-25T20:15:12.127", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the `/apply_settings` function, allowing an attacker to manipulate the `discussion_db_name` parameter to traverse the file system and include arbitrary files. This issue is compounded by the bypass of input filtering in the `install_binding`, `reinstall_binding`, and `unInstall_binding` endpoints, despite the presence of a `sanitize_path_from_endpoint(data.name)` filter. Successful exploitation enables an attacker to upload and execute malicious code on the victim's system, leading to Remote Code Execution (RCE)."}, {"lang": "es", "value": "Existe una vulnerabilidad de Path Traversal e inclusi\u00f3n remota de archivos (RFI) en la aplicaci\u00f3n parisneo/lollms-webui, que afecta a las versiones v9.7 hasta la \u00faltima. La vulnerabilidad surge de una validaci\u00f3n de entrada insuficiente en la funci\u00f3n `/apply_settings`, lo que permite a un atacante manipular el par\u00e1metro `discussion_db_name` para atravesar el sistema de archivos e incluir archivos arbitrarios. Este problema se ve agravado por la omisi\u00f3n del filtrado de entrada en los endpoints `install_binding`, `reinstall_binding` y `unInstall_binding`, a pesar de la presencia de un filtro `sanitize_path_from_endpoint(data.name)`. La explotaci\u00f3n exitosa permite a un atacante cargar y ejecutar c\u00f3digo malicioso en el sistema de la v\u00edctima, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo (RCE)."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 6.0}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://huntr.com/bounties/9238e88a-a6ca-4915-9b5d-6cdb4148d3f4", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-4883", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T20:15:12.320", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, existe un problema de ejecuci\u00f3n remota de c\u00f3digo en Progress WhatsUp Gold. Esta vulnerabilidad permite que un atacante no autenticado obtenga RCE como cuenta de servicio a trav\u00e9s de NmApi.exe."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-4884", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T20:15:12.547", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3,\u00a0an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold.\u00a0\u00a0The Apm.UI.Areas.APM.Controllers.CommunityController\n\n allows execution of commands with iisapppool\\nmconsole privileges."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, se detect\u00f3 una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo no autenticada en WhatsUpGold en curso.  Apm.UI.Areas.APM.Controllers.CommunityController permite la ejecuci\u00f3n de comandos con privilegios de iisapppool\\nmconsole."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-4885", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T20:15:12.970", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3,\u00a0an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold.\u00a0\u00a0The \n\nWhatsUp.ExportUtilities.Export.GetFileWithoutZip\n\n\n\n allows execution of commands with iisapppool\\nmconsole privileges."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, se detect\u00f3 una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo no autenticada en WhatsUpGold en curso.  WhatsUp.ExportUtilities.Export.GetFileWithoutZip permite la ejecuci\u00f3n de comandos con privilegios de iisapppool\\nmconsole."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5008", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T20:15:13.173", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3, \n\nan authenticated user with certain permissions can upload an arbitrary file and obtain RCE using\u00a0Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, un usuario autenticado con ciertos permisos puede cargar un archivo arbitrario y obtener RCE usando Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5009", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T20:15:13.427", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3,\u00a0an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword allows local attackers to modify admin's password."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, una vulnerabilidad de control de acceso inadecuado en Wug.UI.Controllers.InstallController.SetAdminPassword permite a atacantes locales modificar la contrase\u00f1a del administrador."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5010", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T20:15:13.617", "lastModified": "2024-06-26T14:15:11.250", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality.\u00a0 A specially crafted \n\nunauthenticated\n\nHTTP request can lead to a disclosure of sensitive information."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, existe una vulnerabilidad en la funcionalidad TestController. Una solicitud HTTP no autenticada especialmente manipulada puede dar lugar a la divulgaci\u00f3n de informaci\u00f3n confidencial."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1933", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5011", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T20:15:13.810", "lastModified": "2024-06-26T14:15:11.350", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3, an uncontrolled resource consumption vulnerability exists.\u00a0A specially crafted unauthenticated HTTP request\u00a0to the TestController Chart functionality\u00a0can lead to denial of service."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, existe una vulnerabilidad de consumo descontrolado de recursos. Una solicitud HTTP no autenticada especialmente manipulada para la funcionalidad TestController Chart puede provocar una denegaci\u00f3n de servicio."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1934", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5276", "sourceIdentifier": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "published": "2024-06-25T20:15:14.013", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data.\u00a0 Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required.\u00a0This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n SQL en Fortra FileCatalyst Workflow permite a un atacante modificar los datos de la aplicaci\u00f3n. Los impactos probables incluyen la creaci\u00f3n de usuarios administrativos y la eliminaci\u00f3n o modificaci\u00f3n de datos en la base de datos de la aplicaci\u00f3n. La exfiltraci\u00f3n de datos mediante inyecci\u00f3n SQL no es posible gracias a esta vulnerabilidad. La explotaci\u00f3n exitosa sin autenticaci\u00f3n requiere un sistema de flujo de trabajo con acceso an\u00f3nimo habilitado; de lo contrario, se requiere un usuario autenticado. Este problema afecta a todas las versiones de FileCatalyst Workflow desde 5.1.6 Build 135 y anteriores."}], "metrics": {"cvssMetricV31": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0", "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff"}, {"url": "https://www.fortra.com/security/advisory/fi-2024-008", "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff"}, {"url": "https://www.tenable.com/security/research/tra-2024-25", "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff"}]}}, {"cve": {"id": "CVE-2024-6206", "sourceIdentifier": "security-alert@hpe.com", "published": "2024-06-25T20:15:14.210", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A security vulnerability has been identified in HPE Athonet Mobile Core software. The core application contains a code injection vulnerability where a threat actor could execute arbitrary commands with the privilege of the underlying container leading to complete takeover of the target system."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de seguridad en el software HPE Athonet Mobile Core. La aplicaci\u00f3n principal contiene una vulnerabilidad de inyecci\u00f3n de c\u00f3digo donde un actor de amenazas podr\u00eda ejecutar comandos arbitrarios con el privilegio del contenedor subyacente, lo que llevar\u00eda a tomar el control completo del sistema de destino."}], "metrics": {"cvssMetricV31": [{"source": "security-alert@hpe.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04659en_us&docLocale=en_US", "source": "security-alert@hpe.com"}]}}, {"cve": {"id": "CVE-2024-21739", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T21:15:57.007", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Geehy APM32F103CCT6, APM32F103RCT6, APM32F103RCT7, and APM32F103VCT6 devices have Incorrect Access Control."}, {"lang": "es", "value": "Los dispositivos Geehy APM32F103CCT6, APM32F103RCT6, APM32F103RCT7 y APM32F103VCT6 tienen control de acceso incorrecto."}], "metrics": {}, "references": [{"url": "https://tches.iacr.org/index.php/TCHES/article/view/11422/10927", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-21740", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T21:15:57.190", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Artery AT32F415CBT7 and AT32F421C8T7 devices have Incorrect Access Control."}, {"lang": "es", "value": "Los dispositivos Artery AT32F415CBT7 y AT32F421C8T7 tienen control de acceso incorrecto."}], "metrics": {}, "references": [{"url": "https://tches.iacr.org/index.php/TCHES/article/view/11422/10927", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-21741", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T21:15:57.357", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "GigaDevice GD32E103C8T6 devices have Incorrect Access Control."}, {"lang": "es", "value": "Los dispositivos GigaDevice GD32E103C8T6 tienen un control de acceso incorrecto."}], "metrics": {}, "references": [{"url": "https://tches.iacr.org/index.php/TCHES/article/view/11422/10927", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-34400", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T21:15:59.090", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An issue was discovered in VirtoSoftware Virto Kanban Board Web Part before 5.3.5.1 for SharePoint 2019. There is /_layouts/15/Virto.KanbanTaskManager/api/KanbanData.ashx LinkTitle2 XSS."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en VirtoSoftware Virto Kanban Board Web Part anterior a 5.3.5.1 para SharePoint 2019. Hay /_layouts/15/Virto.KanbanTaskManager/api/KanbanData.ashx LinkTitle2 XSS."}], "metrics": {}, "references": [{"url": "https://download.virtosoftware.com/Manuals/nu_ncsc_virto_one_kanban_board_5.3.3_pt_disclosure.pdf", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-35526", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T21:15:59.170", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An issue in Daemon PTY Limited FarCry Core framework before 7.2.14 allows attackers to access sensitive information in the /facade directory."}, {"lang": "es", "value": "Un problema en Daemon PTY Limited FarCry Core framework anterior a 7.2.14 permite a los atacantes acceder a informaci\u00f3n confidencial en el directorio /facade."}], "metrics": {}, "references": [{"url": "https://bastionsecurity.co.nz/advisories/farcry-core-multiple.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37843", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T21:15:59.770", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint."}, {"lang": "es", "value": "Se descubri\u00f3 que Craft CMS hasta v3.7.31 conten\u00eda una vulnerabilidad de inyecci\u00f3n SQL a trav\u00e9s del endpoint de la API GraphQL."}], "metrics": {}, "references": [{"url": "https://blog.smithsecurity.biz/craft-cms-unauthenticated-sqli-via-graphql", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37855", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T21:15:59.867", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An issue in Nepstech Wifi Router xpon (terminal) NTPL-Xpon1GFEVN, hardware verstion 1.0 firmware 2.0.1 allows a remote attacker to execute arbitrary code via the router's Telnet port 2345 without requiring authentication credentials."}, {"lang": "es", "value": "Un problema en Nepstech Wifi Router xpon (terminal) NTPL-Xpon1GFEVN, la versi\u00f3n de hardware 1.0, firmware 2.0.1, permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s del puerto Telnet 2345 del enrutador sin requerir credenciales de autenticaci\u00f3n."}], "metrics": {}, "references": [{"url": "https://github.com/sudo-subho/nepstech-xpon-router-rce", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38516", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-25T21:15:59.957", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and 2021.10.22."}, {"lang": "es", "value": "ai-client-html es un componente del cliente HTML de comercio electr\u00f3nico de Aimeos. La informaci\u00f3n de depuraci\u00f3n revel\u00f3 informaci\u00f3n confidencial de las variables de entorno en el registro de errores. Este problema se solucion\u00f3 en las versiones 2024.04.7, 2023.10.15, 2022.10.13 y 2021.10.22."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1295"}]}], "references": [{"url": "https://github.com/aimeos/ai-client-html/commit/bb389620ffc3cf4a2f29c11a1e5f512049e0c132", "source": "security-advisories@github.com"}, {"url": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-ppm5-jv84-2xg2", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-5012", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T21:16:00.320", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3, there is a\u00a0missing authentication vulnerability in WUGDataAccess.Credentials. This\u00a0vulnerability allows\u00a0unauthenticated attackers to disclose Windows Credentials stored in the product Credential Library."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, falta una vulnerabilidad de autenticaci\u00f3n en WUGDataAccess.Credentials. Esta vulnerabilidad permite a atacantes no autenticados revelar las credenciales de Windows almacenadas en la librer\u00eda de credenciales del producto."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5013", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T21:16:00.510", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3,\u00a0an unauthenticated Denial of Service \n\nvulnerability was identified.\u00a0An unauthenticated attacker can put the application into the SetAdminPassword installation step, which renders the application non-accessible."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, se identific\u00f3 una vulnerabilidad de denegaci\u00f3n de servicio no autenticada. Un atacante no autenticado puede colocar la aplicaci\u00f3n en el paso de instalaci\u00f3n SetAdminPassword, lo que hace que la aplicaci\u00f3n no sea accesible."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5014", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T21:16:00.703", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3, a Server Side Request Forgery vulnerability exists in the\u00a0GetASPReport feature. This allows any authenticated user to retrieve ASP reports from an HTML form."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, existe una vulnerabilidad de Server Side Request Forgery en la funci\u00f3n GetASPReport. Esto permite que cualquier usuario autenticado recupere informes ASP desde un formulario HTML."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5015", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T21:16:00.890", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3,\u00a0an authenticated SSRF vulnerability in Wug.UI.Areas.Wug.Controllers.SessionControler.Update allows a low privileged user to chain this SSRF with an Improper Access Control vulnerability. This can be used to escalate privileges to Admin."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, una vulnerabilidad SSRF autenticada en Wug.UI.Areas.Wug.Controllers.SessionControler.Update permite a un usuario con pocos privilegios encadenar esta SSRF con una vulnerabilidad de control de acceso inadecuado. Esto se puede utilizar para escalar privilegios a Administrador."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5016", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T21:16:01.163", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3, Distributed Edition installations can be exploited by using a deserialization\u00a0tool to achieve a Remote Code Execution as SYSTEM.\u00a0\nThe vulnerability exists in the main message processing routines\u00a0NmDistributed.DistributedServiceBehavior.OnMessage for server and NmDistributed.DistributedClient.OnMessage for clients."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, las instalaciones de Distributed Edition se pueden explotar mediante el uso de una herramienta de deserializaci\u00f3n para lograr una ejecuci\u00f3n remota de c\u00f3digo como SYSTEM. La vulnerabilidad existe en las rutinas principales de procesamiento de mensajes NmDistributed.DistributedServiceBehavior.OnMessage para el servidor y NmDistributed.DistributedClient.OnMessage para los clientes."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5017", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T21:16:01.357", "lastModified": "2024-06-26T14:15:11.587", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3, a path traversal vulnerability exists.\u00a0A specially crafted unauthenticated HTTP request\u00a0to AppProfileImport can lead can lead to information disclosure."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, existe una vulnerabilidad de Path Traversal. Una solicitud HTTP no autenticada especialmente manipulada para AppProfileImport puede dar lugar a la divulgaci\u00f3n de informaci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1932", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5018", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T21:16:01.543", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Path Traversal vulnerability exists Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. This allows allows reading of any file from the applications web-root directory ."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, existe una vulnerabilidad de Path Traversal no autenticada Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. Esto permite la lectura de cualquier archivo desde el directorio ra\u00edz web de la aplicaci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-5019", "sourceIdentifier": "security@progress.com", "published": "2024-06-25T21:16:01.743", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1.3,\u00a0\n\nan unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This\u00a0vulnerability allows reading of any file with iisapppool\\NmConsole privileges."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, existe un problema de lectura arbitraria de archivos no autenticados en Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. Esta vulnerabilidad permite la lectura de cualquier archivo con privilegios iisapppool\\NmConsole."}], "metrics": {"cvssMetricV31": [{"source": "security@progress.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "security@progress.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024", "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "source": "security@progress.com"}]}}, {"cve": {"id": "CVE-2024-30112", "sourceIdentifier": "psirt@hcl.com", "published": "2024-06-25T22:15:30.117", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials and comprise user's account then launch other attacks."}, {"lang": "es", "value": "HCL Connections es vulnerable a un ataque de Cross-Site Scripting en el que un atacante puede aprovechar este problema para ejecutar c\u00f3digo de script arbitrario en el navegador de un usuario desprevenido, lo que lleva a la ejecuci\u00f3n de c\u00f3digo de scripts maliciosos. Esto puede permitir al atacante robar credenciales de autenticaci\u00f3n basadas en cookies, acceder a la cuenta del usuario y luego lanzar otros ataques."}], "metrics": {"cvssMetricV31": [{"source": "psirt@hcl.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0114148", "source": "psirt@hcl.com"}]}}, {"cve": {"id": "CVE-2024-30931", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T22:15:30.313", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Stored Cross Site Scripting vulnerability in Emby Media Server Emby Media Server 4.8.3.0 allows a remote attacker to escalate privileges via the notifications.html component."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Scripting almacenado en Emby Media Server Emby Media Server 4.8.3.0 permite a un atacante remoto escalar privilegios a trav\u00e9s del componente Notifications.html."}], "metrics": {}, "references": [{"url": "https://happy-little-accidents.pages.dev/posts/CVE-2024-30931/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-35527", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T22:15:30.403", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An arbitrary file upload vulnerability in /fileupload/upload.cfm in Daemon PTY Limited FarCry Core framework before 7.2.14 allows attackers to execute arbitrary code via uploading a crafted .cfm file."}, {"lang": "es", "value": "Una vulnerabilidad de carga de archivos arbitrarios en /fileupload/upload.cfm en Daemon PTY Limited FarCry Core framework anterior a 7.2.14 permite a los atacantes ejecutar c\u00f3digo arbitrario cargando un archivo .cfm manipulado."}], "metrics": {}, "references": [{"url": "https://bastionsecurity.co.nz/advisories/farcry-core-multiple.html", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37742", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T22:15:35.183", "lastModified": "2024-06-26T20:15:15.917", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Insecure Access Control in Safe Exam Browser (SEB) = 3.5.0 on Windows. The vulnerability allows an attacker to share clipboard data between the SEB kiosk mode and the underlying system, compromising exam integrity. By exploiting this flaw, an attacker can bypass exam controls and gain an unfair advantage during exams."}, {"lang": "es", "value": "Un problema en Safe Exam Browser para Windows anterior a 3.6 permite a un atacante compartir datos del portapapeles entre el modo quiosco SEB y el sistema subyacente, comprometiendo la integridad del examen, lo que puede llevar a la ejecuci\u00f3n de c\u00f3digo arbitrario y a la obtenci\u00f3n de informaci\u00f3n confidencial a trav\u00e9s del componente de administraci\u00f3n del portapapeles."}], "metrics": {}, "references": [{"url": "https://github.com/Eteblue/CVE-2024-37742", "source": "cve@mitre.org"}, {"url": "https://youtu.be/SOm0Hgny_3U", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-6060", "sourceIdentifier": "103e4ec9-0a87-450b-af77-479448ddef11", "published": "2024-06-25T22:15:35.347", "lastModified": "2024-06-26T15:15:20.570", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability in Phloc Webscopes 7.0.0 allows local attackers with access to the log files to view logged HTTP requests that contain user passwords or other sensitive information."}, {"lang": "es", "value": "Una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en Phloc Webscopes 7.0.0 permite a atacantes locales con acceso a los archivos de registro ver solicitudes HTTP registradas que contienen contrase\u00f1as de usuario u otra informaci\u00f3n confidencial."}], "metrics": {}, "weaknesses": [{"source": "103e4ec9-0a87-450b-af77-479448ddef11", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-532"}]}], "references": [{"url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2024-6060", "source": "103e4ec9-0a87-450b-af77-479448ddef11"}]}}, {"cve": {"id": "CVE-2024-29953", "sourceIdentifier": "sirt@brocade.com", "published": "2024-06-26T00:15:10.030", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability in the web interface in Brocade Fabric OS before v9.2.1, v9.2.0b, and v9.1.1d prints encoded session passwords on session storage for Virtual Fabric platforms. \nThis could allow an authenticated user to view other users' session encoded passwords."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz web en Brocade Fabric OS anterior a v9.2.1, v9.2.0b y v9.1.1d imprime contrase\u00f1as de sesi\u00f3n codificadas en el almacenamiento de sesiones para plataformas Virtual Fabric. Esto podr\u00eda permitir que un usuario autenticado vea las contrase\u00f1as codificadas de sesi\u00f3n de otros usuarios."}], "metrics": {"cvssMetricV31": [{"source": "sirt@brocade.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "sirt@brocade.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-922"}]}], "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23227", "source": "sirt@brocade.com"}]}}, {"cve": {"id": "CVE-2024-29954", "sourceIdentifier": "sirt@brocade.com", "published": "2024-06-26T00:15:10.263", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability in a password management API in Brocade Fabric OS versions before v9.2.1, v9.2.0b, v9.1.1d, and v8.2.3e prints sensitive information in log files. This could allow an authenticated user to view the server passwords for protocols such as scp and sftp.\n\nDetail.\nWhen the firmwaredownload command is incorrectly entered or points to an erroneous file, the firmware download log captures the failed command, including any password entered in the command line."}, {"lang": "es", "value": "Una vulnerabilidad en una API de administraci\u00f3n de contrase\u00f1as en las versiones de Brocade Fabric OS anteriores a v9.2.1, v9.2.0b, v9.1.1d y v8.2.3e imprime informaci\u00f3n confidencial en archivos de registro. Esto podr\u00eda permitir a un usuario autenticado ver las contrase\u00f1as del servidor para protocolos como scp y sftp. Detalle. Cuando el comando de descarga de firmware se ingresa incorrectamente o apunta a un archivo err\u00f3neo, el registro de descarga de firmware captura el comando fallido, incluida cualquier contrase\u00f1a ingresada en la l\u00ednea de comando."}], "metrics": {"cvssMetricV31": [{"source": "sirt@brocade.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.5, "impactScore": 4.0}]}, "weaknesses": [{"source": "sirt@brocade.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-312"}]}], "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23226", "source": "sirt@brocade.com"}]}}, {"cve": {"id": "CVE-2024-38364", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-26T00:15:10.480", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "DSpace is an open source software is a turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2."}, {"lang": "es", "value": "DSpace es un software de c\u00f3digo abierto, una aplicaci\u00f3n de repositorio llave en mano utilizada por m\u00e1s de 2000 organizaciones e instituciones en todo el mundo para brindar acceso duradero a recursos digitales. En DSpace 7.0 a 7.6.1, cuando se descarga un Bitstream HTML, XML o JavaScript, el navegador del usuario puede ejecutar cualquier JavaScript incrustado. Si ese JavaScript incrustado es malicioso, existe el riesgo de sufrir un ataque XSS. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 7.6.2."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 2.6, "baseSeverity": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/DSpace/DSpace/commit/f1059b4340857cca3dc4c45b1ebbadce6bb61c0b", "source": "security-advisories@github.com"}, {"url": "https://github.com/DSpace/DSpace/pull/8891", "source": "security-advisories@github.com"}, {"url": "https://github.com/DSpace/DSpace/pull/9638", "source": "security-advisories@github.com"}, {"url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-94cc-xjxr-pwvf", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-38526", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-26T00:15:10.703", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1."}, {"lang": "es", "value": "pdoc proporciona documentaci\u00f3n API para proyectos Python. Documentaci\u00f3n generada con `pdoc --math` vinculada a archivos JavaScript de polyfill.io. El CDN polyfill.io se vendi\u00f3 y ahora contiene c\u00f3digo malicioso. Este problema se solucion\u00f3 en pdoc 14.5.1."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "references": [{"url": "https://github.com/mitmproxy/pdoc/pull/703", "source": "security-advisories@github.com"}, {"url": "https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62", "source": "security-advisories@github.com"}, {"url": "https://sansec.io/research/polyfill-supply-chain-attack", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-4869", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-26T00:15:10.897", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018Client-IP\u2019 header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento WP Cookie Consent (para GDPR, CCPA y ePrivacy) para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del encabezado 'Client-IP' en todas las versiones hasta la 3.2.0 incluida debido a una sanitizaci\u00f3n insuficiente de la entrada y un escape de salida. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/3.2.0/public/class-gdpr-cookie-consent-public.php#L793", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/3.2.0/public/modules/consent-logs/class-wpl-cookie-consent-consent-logs.php#L570", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/507b2e65-987b-4d4a-8a99-5366048d925e?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5460", "sourceIdentifier": "sirt@brocade.com", "published": "2024-06-26T00:15:11.093", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability in the default configuration of the Simple Network \nManagement Protocol (SNMP) feature of Brocade Fabric OS versions before \nv9.0.0 could allow an authenticated, remote attacker to read data from \nan affected device via SNMP. The vulnerability is due to hard-coded, \ndefault community string in the configuration file for the SNMP daemon. \nAn attacker could exploit this vulnerability by using the static \ncommunity string in SNMP version 1 queries to an affected device."}, {"lang": "es", "value": "Una vulnerabilidad en la configuraci\u00f3n predeterminada de la funci\u00f3n del Protocolo simple de administraci\u00f3n de red (SNMP) de las versiones de Brocade Fabric OS anteriores a v9.0.0 podr\u00eda permitir que un atacante remoto autenticado lea datos de un dispositivo afectado a trav\u00e9s de SNMP. La vulnerabilidad se debe a una cadena de comunidad predeterminada codificada en el archivo de configuraci\u00f3n del demonio SNMP. Un atacante podr\u00eda aprovechar esta vulnerabilidad utilizando la cadena de comunidad est\u00e1tica en las consultas SNMP versi\u00f3n 1 a un dispositivo afectado."}], "metrics": {"cvssMetricV31": [{"source": "sirt@brocade.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "sirt@brocade.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "references": [{"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24409", "source": "sirt@brocade.com"}]}}, {"cve": {"id": "CVE-2024-24764", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-26T01:15:47.890", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema.  The resolver for the page finder link schema (`october://`) allowed external links, therefore allowing an open redirect outside the scope of the active host. This vulnerability has been patched in version 3.5.15."}, {"lang": "es", "value": "October es una plataforma CMS autohospedada basada en Laravel PHP Framework. Este problema afecta a los administradores autenticados que pueden ser redirigidos a una URL que no es de confianza mediante el esquema de PageFinder. El solucionador del esquema de enlace del buscador de p\u00e1ginas (`october://`) permit\u00eda enlaces externos, por lo que permit\u00eda una redirecci\u00f3n abierta fuera del alcance del host activo. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 3.5.15."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-601"}]}], "references": [{"url": "https://github.com/octobercms/october/security/advisories/GHSA-v2vf-jv88-3fp5", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-5173", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-26T02:15:09.340", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video player widget settings in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento HT Mega \u2013 Absolute Addons For Elementor para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de la configuraci\u00f3n del widget del reproductor de video en todas las versiones hasta la 2.5.5 incluida debido a una sanitizaci\u00f3n de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.5.3/includes/widgets/htmega_videoplayer.php#L549", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aac9569e-d33d-45b3-bd03-2e7f48536ae5?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-28973", "sourceIdentifier": "security_alert@emc.com", "published": "2024-06-26T03:15:09.640", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain a Stored Cross-Site Scripting Vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a high privileged victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery"}, {"lang": "es", "value": "Dell PowerProtect DD, versiones anteriores a 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contienen una vulnerabilidad de Cross-Site Scripting Almacenado. Un atacante remoto con altos privilegios podr\u00eda explotar esta vulnerabilidad, lo que llevar\u00eda al almacenamiento de c\u00f3digos HTML o JavaScript maliciosos en un almac\u00e9n de datos de aplicaciones confiable. Cuando un usuario v\u00edctima con altos privilegios accede al almac\u00e9n de datos a trav\u00e9s de sus navegadores, el navegador web ejecuta el c\u00f3digo malicioso en el contexto de la aplicaci\u00f3n web vulnerable. La explotaci\u00f3n puede dar lugar a la divulgaci\u00f3n de informaci\u00f3n, el robo de sesiones o la falsificaci\u00f3n de solicitudes por parte del cliente."}], "metrics": {"cvssMetricV31": [{"source": "security_alert@emc.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 3.7}]}, "weaknesses": [{"source": "security_alert@emc.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000226148/dsa-2024-219-dell-technologies-powerprotect-dd-security-update-for-multiple-security-vulnerabilities", "source": "security_alert@emc.com"}]}}, {"cve": {"id": "CVE-2024-29173", "sourceIdentifier": "security_alert@emc.com", "published": "2024-06-26T03:15:09.877", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain a Server-Side Request Forgery (SSRF) vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to disclosure of information on the application or remote client."}, {"lang": "es", "value": "Dell PowerProtect DD, versiones anteriores a 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contienen una vulnerabilidad de Server Side Request Forgery (SSRF). Un atacante remoto con altos privilegios podr\u00eda explotar esta vulnerabilidad, lo que llevar\u00eda a la divulgaci\u00f3n de informaci\u00f3n sobre la aplicaci\u00f3n o el cliente remoto."}], "metrics": {"cvssMetricV31": [{"source": "security_alert@emc.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 4.0}]}, "weaknesses": [{"source": "security_alert@emc.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000226148/dsa-2024-219-dell-technologies-powerprotect-dd-security-update-for-multiple-security-vulnerabilities", "source": "security_alert@emc.com"}]}}, {"cve": {"id": "CVE-2024-29174", "sourceIdentifier": "security_alert@emc.com", "published": "2024-06-26T03:15:10.100", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Dell Data Domain, versions prior to 7.13.0.0, LTS 7.7.5.30, LTS 7.10.1.20 contain an SQL Injection vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing unauthorized access to application data."}, {"lang": "es", "value": "Dell Data Domain, versiones anteriores a 7.13.0.0, LTS 7.7.5.30, LTS 7.10.1.20 contienen una vulnerabilidad de inyecci\u00f3n SQL. Un atacante local con pocos privilegios podr\u00eda explotar esta vulnerabilidad, lo que llevar\u00eda a la ejecuci\u00f3n de ciertos comandos SQL en la base de datos backend de la aplicaci\u00f3n, lo que provocar\u00eda un acceso no autorizado a los datos de la aplicaci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security_alert@emc.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "security_alert@emc.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000226148/dsa-2024-219-dell-technologies-powerprotect-dd-security-update-for-multiple-security-vulnerabilities", "source": "security_alert@emc.com"}]}}, {"cve": {"id": "CVE-2024-29175", "sourceIdentifier": "security_alert@emc.com", "published": "2024-06-26T03:15:10.303", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Domain, versions prior to 7.13.0.0, LTS 7.7.5.40, LTS 7.10.1.30 contain an weak cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to man-in-the-middle attack that exposes sensitive session information."}, {"lang": "es", "value": "Dell PowerProtect Data Domain, versiones anteriores a 7.13.0.0, LTS 7.7.5.40, LTS 7.10.1.30 contienen una vulnerabilidad de algoritmo criptogr\u00e1fico d\u00e9bil. Un atacante remoto no autenticado podr\u00eda explotar esta vulnerabilidad, lo que provocar\u00eda un ataque de intermediario que exponga informaci\u00f3n confidencial de la sesi\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security_alert@emc.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "security_alert@emc.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-327"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000226148/dsa-2024-219-dell-technologies-powerprotect-dd-security-update-for-multiple-security-vulnerabilities", "source": "security_alert@emc.com"}]}}, {"cve": {"id": "CVE-2024-29176", "sourceIdentifier": "security_alert@emc.com", "published": "2024-06-26T03:15:10.533", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain a buffer overflow vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to an application crash or execution of arbitrary code on the vulnerable application's underlying operating system with privileges of the vulnerable application."}, {"lang": "es", "value": "Dell PowerProtect DD, versiones anteriores a 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contienen una vulnerabilidad de desbordamiento del b\u00fafer. Un atacante remoto con pocos privilegios podr\u00eda explotar esta vulnerabilidad, lo que provocar\u00eda un bloqueo de la aplicaci\u00f3n o la ejecuci\u00f3n de c\u00f3digo arbitrario en el sistema operativo subyacente de la aplicaci\u00f3n vulnerable con los privilegios de la aplicaci\u00f3n vulnerable."}], "metrics": {"cvssMetricV31": [{"source": "security_alert@emc.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "security_alert@emc.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-788"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000226148/dsa-2024-219-dell-technologies-powerprotect-dd-security-update-for-multiple-security-vulnerabilities", "source": "security_alert@emc.com"}]}}, {"cve": {"id": "CVE-2024-29177", "sourceIdentifier": "security_alert@emc.com", "published": "2024-06-26T03:15:10.767", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain a disclosure of temporary sensitive information vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to the reuse of disclosed information to gain unauthorized access to the application report."}, {"lang": "es", "value": "Dell PowerProtect DD, versiones anteriores a 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contienen una divulgaci\u00f3n de vulnerabilidad de informaci\u00f3n confidencial temporal. Un atacante remoto con privilegios elevados podr\u00eda explotar esta vulnerabilidad, lo que llevar\u00eda a la reutilizaci\u00f3n de la informaci\u00f3n divulgada para obtener acceso no autorizado al informe de la aplicaci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security_alert@emc.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "security_alert@emc.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-532"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000226148/dsa-2024-219-dell-technologies-powerprotect-dd-security-update-for-multiple-security-vulnerabilities", "source": "security_alert@emc.com"}]}}, {"cve": {"id": "CVE-2024-5181", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-26T03:15:10.987", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in the mudler/localai version 2.14.0. The vulnerability arises from the application's handling of the backend parameter in the configuration file, which is used in the name of the initialized process. An attacker can exploit this vulnerability by manipulating the path of the vulnerable binary file specified in the backend parameter, allowing the execution of arbitrary code on the system. This issue is due to improper neutralization of special elements used in an OS command, leading to potential full control over the affected system."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos en la versi\u00f3n 2.14.0 de mudler/localai. La vulnerabilidad surge del manejo por parte de la aplicaci\u00f3n del par\u00e1metro backend en el archivo de configuraci\u00f3n, que se utiliza en el nombre del proceso inicializado. Un atacante puede explotar esta vulnerabilidad manipulando la ruta del archivo binario vulnerable especificado en el par\u00e1metro backend, permitiendo la ejecuci\u00f3n de c\u00f3digo arbitrario en el sistema. Este problema se debe a una neutralizaci\u00f3n inadecuada de elementos especiales utilizados en un comando del sistema operativo, lo que lleva a un posible control total sobre el sistema afectado."}], "metrics": {"cvssMetricV30": [{"source": "security@huntr.dev", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "security@huntr.dev", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e", "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/c6e3cb58-6fa4-4207-bb92-ae7644174661", "source": "security@huntr.dev"}]}}, {"cve": {"id": "CVE-2024-27867", "sourceIdentifier": "product-security@apple.com", "published": "2024-06-26T04:15:11.637", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An authentication issue was addressed with improved state management. This issue is fixed in AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8. When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones."}, {"lang": "es", "value": "Se solucion\u00f3 un problema de autenticaci\u00f3n con una gesti\u00f3n de estado mejorada. Este problema se solucion\u00f3 en la Actualizaci\u00f3n de firmware de AirPods 6A326, la Actualizaci\u00f3n de firmware de AirPods 6F8 y la Actualizaci\u00f3n de firmware de Beats 6F8. Cuando sus auriculares buscan una solicitud de conexi\u00f3n a uno de sus dispositivos previamente emparejados, un atacante dentro del alcance de Bluetooth podr\u00eda falsificar el dispositivo fuente deseado y obtener acceso a sus auriculares."}], "metrics": {}, "references": [{"url": "https://support.apple.com/en-us/HT214111", "source": "product-security@apple.com"}, {"url": "https://support.apple.com/kb/HT214111", "source": "product-security@apple.com"}]}}, {"cve": {"id": "CVE-2024-37138", "sourceIdentifier": "security_alert@emc.com", "published": "2024-06-26T04:15:13.000", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 on DDMC contain a relative path traversal vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to the application sending over an unauthorized file to the managed system."}, {"lang": "es", "value": "Dell PowerProtect DD, versiones anteriores a 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 en DDMC contienen una vulnerabilidad de Path Traversal relativo. Un atacante remoto con altos privilegios podr\u00eda explotar esta vulnerabilidad, lo que provocar\u00eda que la aplicaci\u00f3n env\u00ede un archivo no autorizado al sistema administrado."}], "metrics": {"cvssMetricV31": [{"source": "security_alert@emc.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 1.4}]}, "weaknesses": [{"source": "security_alert@emc.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-23"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000226148/dsa-2024-219-dell-technologies-powerprotect-dd-security-update-for-multiple-security-vulnerabilities", "source": "security_alert@emc.com"}]}}, {"cve": {"id": "CVE-2024-37139", "sourceIdentifier": "security_alert@emc.com", "published": "2024-06-26T04:15:13.350", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain an Improper Control of a Resource Through its Lifetime vulnerability in an admin operation. A remote low privileged attacker could potentially exploit this vulnerability, leading to temporary resource constraint of system application. Exploitation may lead to denial of service of the application."}, {"lang": "es", "value": "Dell PowerProtect DD, versiones anteriores a 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contienen una vulnerabilidad de control inadecuado de un recurso durante su vida \u00fatil en una operaci\u00f3n de administraci\u00f3n. Un atacante remoto con pocos privilegios podr\u00eda explotar esta vulnerabilidad, lo que provocar\u00eda una limitaci\u00f3n temporal de recursos de la aplicaci\u00f3n del sistema. La explotaci\u00f3n puede dar lugar a la denegaci\u00f3n del servicio de la aplicaci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security_alert@emc.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "security_alert@emc.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-664"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000226148/dsa-2024-219-dell-technologies-powerprotect-dd-security-update-for-multiple-security-vulnerabilities", "source": "security_alert@emc.com"}]}}, {"cve": {"id": "CVE-2024-37140", "sourceIdentifier": "security_alert@emc.com", "published": "2024-06-26T04:15:13.667", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain an OS command injection vulnerability in an admin operation. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the system application's underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker."}, {"lang": "es", "value": "Dell PowerProtect DD, versiones anteriores a 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contienen una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en una operaci\u00f3n de administraci\u00f3n. Un atacante remoto con pocos privilegios podr\u00eda explotar esta vulnerabilidad, lo que llevar\u00eda a la ejecuci\u00f3n de comandos arbitrarios del sistema operativo en el sistema operativo subyacente de la aplicaci\u00f3n del sistema con los privilegios de la aplicaci\u00f3n vulnerable. La explotaci\u00f3n puede llevar a que un atacante se apodere del sistema."}], "metrics": {"cvssMetricV31": [{"source": "security_alert@emc.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "security_alert@emc.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000226148/dsa-2024-219-dell-technologies-powerprotect-dd-security-update-for-multiple-security-vulnerabilities", "source": "security_alert@emc.com"}]}}, {"cve": {"id": "CVE-2024-37141", "sourceIdentifier": "security_alert@emc.com", "published": "2024-06-26T04:15:13.940", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain an open redirect vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to information disclosure."}, {"lang": "es", "value": "Dell PowerProtect DD, versiones anteriores a 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contienen una vulnerabilidad de redireccionamiento abierto. Un atacante remoto con pocos privilegios podr\u00eda explotar esta vulnerabilidad, lo que llevar\u00eda a la divulgaci\u00f3n de informaci\u00f3n."}], "metrics": {"cvssMetricV31": [{"source": "security_alert@emc.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "security_alert@emc.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000226148/dsa-2024-219-dell-technologies-powerprotect-dd-security-update-for-multiple-security-vulnerabilities", "source": "security_alert@emc.com"}]}}, {"cve": {"id": "CVE-2024-21520", "sourceIdentifier": "report@snyk.io", "published": "2024-06-26T05:15:50.093", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with 
 tags."}, {"lang": "es", "value": "Las versiones del paquete djangorestframework anteriores a la 3.15.2 son vulnerables a Cross-site Scripting (XSS) a trav\u00e9s del filtro de plantilla break_long_headers debido a una sanitizaci\u00f3n inadecuada de la entrada antes de dividir y unir con etiquetas 
."}], "metrics": {"cvssMetricV31": [{"source": "report@snyk.io", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "report@snyk.io", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/encode/django-rest-framework/commit/3b41f0124194430da957b119712978fa2266b642", "source": "report@snyk.io"}, {"url": "https://github.com/encode/django-rest-framework/pull/9435", "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-PYTHON-DJANGORESTFRAMEWORK-7252137", "source": "report@snyk.io"}]}}, {"cve": {"id": "CVE-2024-34580", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T05:15:51.093", "lastModified": "2024-06-26T16:15:11.437", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Apache XML Security for C++ through 2.0.4 implements the XML Signature Syntax and Processing (XMLDsig) specification without protection against an SSRF payload in a KeyInfo element. NOTE: the supplier disputes this CVE Record on the grounds that they are implementing the specification \"correctly\" and are not \"at fault.\""}, {"lang": "es", "value": "Apache XML Security para C++ hasta 2.0.4 implementa la especificaci\u00f3n de procesamiento y sintaxis de firma XML (XMLDsig) sin protecci\u00f3n contra un payload SSRF en un elemento KeyInfo. NOTA: el proveedor cuestiona este Registro CVE con el argumento de que est\u00e1 implementando la especificaci\u00f3n \"correctamente\" y no tiene \"culpa\"."}], "metrics": {}, "references": [{"url": "https://cloud.google.com/blog/topics/threat-intelligence/apache-library-allows-server-side-request-forgery", "source": "cve@mitre.org"}, {"url": "https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2024-21893.md", "source": "cve@mitre.org"}, {"url": "https://santuario.apache.org/download.html", "source": "cve@mitre.org"}, {"url": "https://www.sonatype.com/blog/the-exploited-ivanti-connect-ssrf-vulnerability-stems-from-xmltooling-oss-library", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-34581", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T05:15:51.227", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The W3C XML Signature Syntax and Processing (XMLDsig) specification, starting with 1.0, was originally published with a \"RetrievalMethod is a URI ... that may be used to obtain key and/or certificate information\" statement and no accompanying information about SSRF risks, and this may have contributed to vulnerable implementations such as those discussed in CVE-2023-36661 and CVE-2024-21893. NOTE: this was mitigated in 1.1 and 2.0 via a directly referenced Best Practices document that calls on implementers to be wary of SSRF."}, {"lang": "es", "value": "La especificaci\u00f3n W3C XML Signature Syntax and Processing (XMLDsig), a partir de 1.0, se public\u00f3 originalmente con una declaraci\u00f3n \"RetrievalMethod es un URI... que puede usarse para obtener informaci\u00f3n de clave y/o certificado\" y sin informaci\u00f3n adjunta sobre los riesgos de SSRF, y esto puede haber contribuido a implementaciones vulnerables como las analizadas en CVE-2023-36661 y CVE-2024-21893. NOTA: esto se mitig\u00f3 en 1.1 y 2.0 a trav\u00e9s de un documento de Mejores Pr\u00e1cticas al que se hace referencia directamente y que pide a los implementadores que tengan cuidado con la SSRF."}], "metrics": {}, "references": [{"url": "https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2024-21893.md", "source": "cve@mitre.org"}, {"url": "https://www.w3.org/Signature/Drafts/WD-xmldsig-core-200003plc/", "source": "cve@mitre.org"}, {"url": "https://www.w3.org/TR/2013/NOTE-xmldsig-bestpractices-20130411/", "source": "cve@mitre.org"}, {"url": "https://www.w3.org/TR/xmldsig-core1/", "source": "cve@mitre.org"}, {"url": "https://www.w3.org/TR/xmldsig-core2/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36802", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T06:15:15.200", "lastModified": "2024-06-26T06:15:15.200", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2024-3633", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-26T06:15:15.400", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The WebP & SVG Support WordPress plugin through 1.4.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads."}, {"lang": "es", "value": "El complemento WebP & SVG Support de WordPress hasta la versi\u00f3n 1.4.0 no sanitiza los archivos SVG cargados, lo que podr\u00eda permitir a los usuarios con un rol tan bajo como Autor cargar un SVG malicioso que contenga payloads XSS."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/2e0baffb-7ab8-4c17-aa2a-7f28a0be1a41/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4105", "sourceIdentifier": "7168b535-132a-4efe-a076-338f829b2eb9", "published": "2024-06-26T06:15:15.500", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability has been found in FAST/TOOLS and CI Server. The affected product's WEB HMI server's function to process HTTP requests has a security flaw (Reflected XSS) that allows the execution of malicious scripts. Therefore, if a client PC with inadequate security measures accesses a product URL containing a malicious request, the malicious script may be executed on the client PC.\nThe affected products and versions are as follows:\nFAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04\nCI Server R1.01.00 to R1.03.00"}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en FAST/TOOLS y CI Server. La funci\u00f3n del servidor WEB HMI del producto afectado para procesar solicitudes HTTP tiene un fallo de seguridad (XSS Reflejado) que permite la ejecuci\u00f3n de scripts maliciosos. Por lo tanto, si una PC cliente con medidas de seguridad inadecuadas accede a la URL de un producto que contiene una solicitud maliciosa, el script malicioso puede ejecutarse en la PC cliente. Los productos y versiones afectados son los siguientes: FAST/TOOLS (Paquetes: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 a R10.04 CI Server R1.01.00 a R1.03.00"}], "metrics": {"cvssMetricV31": [{"source": "7168b535-132a-4efe-a076-338f829b2eb9", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "7168b535-132a-4efe-a076-338f829b2eb9", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://web-material3.yokogawa.com/1/36059/files/YSAR-24-0001-E.pdf", "source": "7168b535-132a-4efe-a076-338f829b2eb9"}]}}, {"cve": {"id": "CVE-2024-4106", "sourceIdentifier": "7168b535-132a-4efe-a076-338f829b2eb9", "published": "2024-06-26T06:15:15.830", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability has been found in FAST/TOOLS and CI Server. The affected products have built-in accounts with no passwords set. Therefore, if the product is operated without a password set by default, an attacker can break into the affected product.\nThe affected products and versions are as follows:\nFAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04\nCI Server R1.01.00 to R1.03.00"}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en FAST/TOOLS y CI Server. Los productos afectados tienen cuentas integradas sin contrase\u00f1as establecidas. Por lo tanto, si el producto se utiliza sin una contrase\u00f1a predeterminada, un atacante puede acceder al producto afectado. Los productos y versiones afectados son los siguientes: FAST/TOOLS (Paquetes: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 a R10.04 CI Server R1.01.00 a R1.03.00"}], "metrics": {"cvssMetricV31": [{"source": "7168b535-132a-4efe-a076-338f829b2eb9", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "7168b535-132a-4efe-a076-338f829b2eb9", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-258"}]}], "references": [{"url": "https://web-material3.yokogawa.com/1/36059/files/YSAR-24-0001-E.pdf", "source": "7168b535-132a-4efe-a076-338f829b2eb9"}]}}, {"cve": {"id": "CVE-2024-4758", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-26T06:15:16.133", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Muslim Prayer Time BD WordPress plugin through 2.4 does not have CSRF check in place when reseting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack"}, {"lang": "es", "value": "El complemento Muslim Prayer Time BD de WordPress hasta la versi\u00f3n 2.4 no tiene activada la verificaci\u00f3n CSRF al restablecer su configuraci\u00f3n, lo que podr\u00eda permitir a los atacantes hacer que un administrador que haya iniciado sesi\u00f3n los restablezca mediante un ataque CSRF."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/64ec57a5-35d8-4c69-bdba-096c2245a0db/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4957", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-26T06:15:16.237", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Frontend Checklist WordPress plugin through 2.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"}, {"lang": "es", "value": "El complemento Frontend Checklist de WordPress hasta la versi\u00f3n 2.3.2 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/0a560ed4-7dec-4274-b4a4-39dea0c0d67e/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4959", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-26T06:15:16.347", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Frontend Checklist WordPress plugin through 2.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"}, {"lang": "es", "value": "El complemento Frontend Checklist de WordPress hasta la versi\u00f3n 2.3.2 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/449e4da8-beae-4ff6-9ddc-0e17781c0391/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-5071", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-26T06:15:16.463", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Bookster  WordPress plugin through 1.1.0 allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment (the request body) to change its status from pending to approved."}, {"lang": "es", "value": "El complemento Bookster WordPress hasta la versi\u00f3n 1.1.0 permite agregar par\u00e1metros confidenciales al validar citas, lo que permite a los atacantes manipular los datos enviados al reservar una cita (el cuerpo de la solicitud) para cambiar su estado de pendiente a aprobado."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/07b293cf-5174-45de-8606-a782a96a35b3/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-5169", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-26T06:15:16.543", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Video Widget WordPress plugin through 1.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"}, {"lang": "es", "value": "El complemento Video Widget de WordPress hasta la versi\u00f3n 1.2.3 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/f0de62e3-5e85-43f3-8e3e-e816dafb1406/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-5199", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-26T06:15:16.633", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Spotify Play Button WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks."}, {"lang": "es", "value": "El complemento Spotify Play Button de WordPress hasta la versi\u00f3n 1.0 no valida ni escapa algunos de sus atributos de c\u00f3digo corto antes de devolverlos a una p\u00e1gina/publicaci\u00f3n donde est\u00e1 incrustado el c\u00f3digo corto, lo que podr\u00eda permitir a los usuarios con el rol de colaborador y superior realizar ataques de Cross-Site Scripting Almacenado."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/a2cb8d7d-6d7c-42e9-b3db-cb3959bfd41b/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-5332", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-26T06:15:16.740", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Card widget in all versions up to, and including, 2.6.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "Los complementos Exclusive Addons for Elementor para WordPress son vulnerables a Cross-Site Scripting Almacenado a trav\u00e9s del widget de tarjeta del complemento en todas las versiones hasta la 2.6.9.8 incluida debido a una sanitizaci\u00f3n de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3103786/exclusive-addons-for-elementor", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8c547cc-2820-4138-b042-a0ec2e7f2fca?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-5473", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-26T06:15:17.197", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Simple Photoswipe WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."}, {"lang": "es", "value": "El complemento Simple Photoswipe de WordPress hasta la versi\u00f3n 0.1 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/9c70cfc4-5759-469a-a6a3-510c405bd28a/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-5573", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-26T06:15:17.300", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The Easy Table of Contents WordPress plugin before 2.0.66 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed"}, {"lang": "es", "value": "El complemento Easy Table of Contents de WordPress anterior a 2.0.66 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con altos privilegios, como editores, realizar ataques de Cross-Site Scripting incluso cuando unfiltered_html no est\u00e1 permitido."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/3b01044b-355f-40d3-8e11-23a890f98c76/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-5215", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-26T07:15:11.013", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento HT Mega \u2013 Absolute Addons For Elementor para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de m\u00faltiples widgets en todas las versiones hasta la 2.5.5 incluida debido a una sanitizaci\u00f3n de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_user_login_form.php#L1961", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_user_register_form.php#L2910", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_videoplayer.php#L520", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3106524/", "source": "security@wordfence.com"}, {"url": "https://wordpress.org/plugins/ht-mega-for-elementor/#developers", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/86dfdc4f-1cc2-4b0d-b79c-bee3d6956eb4?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-28830", "sourceIdentifier": "security@checkmk.com", "published": "2024-06-26T08:15:09.630", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p7, <2.2.0p28, <2.1.0p45 and <=2.0.0p39 (EOL) causes automation user secrets to be written to audit log files accessible to administrators."}, {"lang": "es", "value": "La inserci\u00f3n de informaci\u00f3n confidencial en un archivo de registro en las versiones de Checkmk GmbH <2.3.0p7, <2.2.0p28, <2.1.0p45 y <=2.0.0p39 (EOL) hace que los secretos de usuario de automatizaci\u00f3n se escriban en archivos de registro de auditor\u00eda accesibles a los administradores."}], "metrics": {"cvssMetricV31": [{"source": "security@checkmk.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "security@checkmk.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-532"}]}], "references": [{"url": "https://checkmk.com/werk/17056", "source": "security@checkmk.com"}]}}, {"cve": {"id": "CVE-2024-37098", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-26T11:15:51.613", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Blossom Themes BlossomThemes Email Newsletter.This issue affects BlossomThemes Email Newsletter: from n/a through 2.2.6."}, {"lang": "es", "value": "Vulnerabilidad de Server Side Request Forgery (SSRF) en Blossom Themes BlossomThemes Email Newsletter. Este problema afecta a BlossomThemes Email Newsletter: desde n/a hasta 2.2.6."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/blossomthemes-email-newsletter/wordpress-blossomthemes-email-newsletter-plugin-2-2-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-37252", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-26T11:15:51.860", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Icegram Email Subscribers & Newsletters allows SQL Injection.This issue affects Email Subscribers & Newsletters: from n/a through 5.7.25."}, {"lang": "es", "value": "La neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyecci\u00f3n SQL') en Icegram Email Subscribers & Newsletters permite la inyecci\u00f3n de SQL. Este problema afecta a Email Subscribers & Newsletters: desde n/a hasta 5.7.25."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/email-subscribers/wordpress-email-subscribers-by-icegram-express-plugin-5-7-25-sql-injection-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-6344", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-26T11:15:52.073", "lastModified": "2024-06-27T00:15:13.360", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as problematic, was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. This affects an unknown part of the component Push Configuration Section. The manipulation of the argument Configuration Name leads to cross site scripting. It is possible to initiate the attack remotely. The identifier VDB-269733 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en ZKTeco ZKBio CVSecurity V5000 4.1.0 y clasificada como problem\u00e1tica. Una parte desconocida del componente Push Configuration afecta a una parte desconocida. La manipulaci\u00f3n del argumento Nombre de configuraci\u00f3n conduce a Cross-Site Scripting. Es posible iniciar el ataque de forma remota. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-269733. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.3}, "baseSeverity": "LOW", "exploitabilityScore": 6.4, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://vuldb.com/?ctiid.269733", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269733", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.358596", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-4228", "sourceIdentifier": "iletisim@usom.gov.tr", "published": "2024-06-26T15:15:19.977", "lastModified": "2024-06-26T15:15:19.977", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE - 522 - Insufficiently Protected Credentials vulnerability in Magarsus Consultancy SSO (Single Sign On) allows SQL Injection.This issue affects SSO (Single Sign On): from 1.0 before 1.1."}], "metrics": {"cvssMetricV31": [{"source": "iletisim@usom.gov.tr", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "iletisim@usom.gov.tr", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-24-0800", "source": "iletisim@usom.gov.tr"}]}}, {"cve": {"id": "CVE-2024-4604", "sourceIdentifier": "iletisim@usom.gov.tr", "published": "2024-06-26T15:15:20.257", "lastModified": "2024-06-26T15:15:20.257", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Magarsus Consultancy SSO (Single Sign On) allows Manipulating Hidden Fields.This issue affects SSO (Single Sign On): from 1.0 before 1.1."}], "metrics": {"cvssMetricV31": [{"source": "iletisim@usom.gov.tr", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "iletisim@usom.gov.tr", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}], "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-24-0800", "source": "iletisim@usom.gov.tr"}]}}, {"cve": {"id": "CVE-2024-6349", "sourceIdentifier": "security@huntr.dev", "published": "2024-06-26T15:15:20.690", "lastModified": "2024-06-26T15:15:20.690", "vulnStatus": "Rejected", "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "metrics": {}, "references": []}}, {"cve": {"id": "CVE-2024-25637", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-26T16:15:10.910", "lastModified": "2024-06-26T16:15:10.910", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool. This issue has been patched in version 3.5.15.\n"}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/octobercms/october/security/advisories/GHSA-rjw8-v7rr-r563", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-38271", "sourceIdentifier": "cve-coordination@google.com", "published": "2024-06-26T16:15:11.560", "lastModified": "2024-06-26T16:15:11.560", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "There exists a vulnerability in Quickshare/Nearby where an attacker can force the a victim to stay connected to a temporary hotspot created for the share. As part of the sequence of packets in a QuickShare connection over Bluetooth, the attacker forces the victim to connect to the attacker\u2019s WiFi network and then sends an OfflineFrame that crashes Quick Share.\nThis makes the Wifi connection to the attacker\u2019s network last instead of returning to the old network when the Quick Share session is done allowing the attacker to be a MiTM. We recommend upgrading to version\u00a01.0.1724.0 of Quickshare or above"}], "metrics": {}, "weaknesses": [{"source": "cve-coordination@google.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}]}], "references": [{"url": "https://github.com/google/nearby/pull/2433", "source": "cve-coordination@google.com"}, {"url": "https://github.com/google/nearby/pull/2435", "source": "cve-coordination@google.com"}]}}, {"cve": {"id": "CVE-2024-38272", "sourceIdentifier": "cve-coordination@google.com", "published": "2024-06-26T16:15:11.733", "lastModified": "2024-06-26T16:15:11.733", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "There exists a vulnerability in Quickshare/Nearby where an attacker can bypass the accept file dialog on QuickShare Windows.\u00a0Normally in QuickShare Windows app we can't send a file without the user accept from the receiving device if the visibility is set to everyone mode or contacts mode.\u00a0We recommend upgrading to version 1.0.1724.0 of Quickshare or above"}], "metrics": {}, "weaknesses": [{"source": "cve-coordination@google.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-294"}]}], "references": [{"url": "https://github.com/google/nearby/pull/2402", "source": "cve-coordination@google.com"}, {"url": "https://github.com/google/nearby/pull/2589", "source": "cve-coordination@google.com"}]}}, {"cve": {"id": "CVE-2024-39458", "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "published": "2024-06-26T17:15:27.020", "lastModified": "2024-06-26T18:15:15.410", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "When Jenkins Structs Plugin 337.v1b_04ea_4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters, potentially resulting in accidental exposure of secrets through the default system log."}], "metrics": {}, "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/06/26/2", "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2024-06-26/#SECURITY-3371", "source": "jenkinsci-cert@googlegroups.com"}]}}, {"cve": {"id": "CVE-2024-39459", "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "published": "2024-06-26T17:15:27.110", "lastModified": "2024-06-26T18:15:15.457", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "In rare cases Jenkins Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system, where they can be viewed by users with access to the Jenkins controller file system (global credentials) or with Item/Extended Read permission (folder-scoped credentials)."}], "metrics": {}, "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/06/26/2", "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2024-06-26/#SECURITY-2495", "source": "jenkinsci-cert@googlegroups.com"}]}}, {"cve": {"id": "CVE-2024-39460", "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "published": "2024-06-26T17:15:27.180", "lastModified": "2024-06-26T18:15:15.500", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Jenkins Bitbucket Branch Source Plugin 886.v44cf5e4ecec5 and earlier prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log in some cases."}], "metrics": {}, "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/06/26/2", "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2024-06-26/#SECURITY-3363", "source": "jenkinsci-cert@googlegroups.com"}]}}, {"cve": {"id": "CVE-2024-6354", "sourceIdentifier": "security@devolutions.net", "published": "2024-06-26T17:15:27.497", "lastModified": "2024-06-26T17:15:27.497", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Improper access control in PAM dashboard in Devolutions Remote Desktop Manager 2024.2.11 and earlier on Windows allows an authenticated user to bypass the execute permission via the use of the PAM dashboard."}], "metrics": {}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2024-0010", "source": "security@devolutions.net"}]}}, {"cve": {"id": "CVE-2024-35545", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T18:15:14.940", "lastModified": "2024-06-26T18:15:14.940", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "MAP-OS v4.45.0 and earlier was discovered to contain a cross-site scripting (XSS) vulnerability."}], "metrics": {}, "references": [{"url": "https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929", "source": "cve@mitre.org"}, {"url": "https://github.com/RamonSilva20/mapos/tree/master", "source": "cve@mitre.org"}, {"url": "https://portswigger.net/web-security/cross-site-scripting/stored", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-33326", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T19:15:13.210", "lastModified": "2024-06-26T19:15:13.210", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the component XsltResultControllerHtml.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the lumPageID parameter."}], "metrics": {}, "references": [{"url": "https://gist.github.com/rodnt/51ae2897abfff1bdcedccf72edbf3d24", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-33327", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T19:15:13.290", "lastModified": "2024-06-26T19:15:13.290", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the component UrlAccessibilityEvaluation.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the contentHtml parameter."}], "metrics": {}, "references": [{"url": "https://gist.github.com/rodnt/c53d4c95bb6966f0a2cf381ae5089c79", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-33328", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T19:15:13.373", "lastModified": "2024-06-26T19:15:13.373", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the component main.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the pageId parameter."}], "metrics": {}, "references": [{"url": "https://gist.github.com/rodnt/cf2946b0f6136cd03ee4737aa72ae95b", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-33329", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T19:15:13.453", "lastModified": "2024-06-26T19:15:13.453", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information."}], "metrics": {}, "references": [{"url": "https://gist.github.com/rodnt/f6b3a2ac875b8f13656063eefbfd9812", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38375", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-26T19:15:13.677", "lastModified": "2024-06-26T19:15:13.677", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "@fastly/js-compute is a JavaScript SDK and runtime for building Fastly Compute applications. The implementation of several functions were determined to include a use-after-free bug. This bug could allow for unintended data loss if the result of the preceding functions were sent anywhere else, and often results in a guest trap causing services to return a 500. This bug has been fixed in version 3.16.0 of the `@fastly/js-compute` package."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 0.5, "impactScore": 4.7}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://github.com/fastly/js-compute-runtime/commit/4e16641ef4e159c4a11b500ac861b8fa8d9ff5d3", "source": "security-advisories@github.com"}, {"url": "https://github.com/fastly/js-compute-runtime/security/advisories/GHSA-mp3g-vpm9-9vqv", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-38520", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-26T19:15:13.890", "lastModified": "2024-06-26T19:15:13.890", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program. When SoftEtherVPN is deployed with L2TP enabled on a device, it introduces the possibility of the host being used for amplification/reflection traffic generation because it will respond to every packet with two response packets that are larger than the request packet size. These sorts of techniques are used by external actors who generate spoofed source IPs to target a destination on the internet. This vulnerability has been patched in version 5.02.5185.\n"}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://github.com/SoftEtherVPN/SoftEtherVPN/commit/c2a7aa548137dc80c6aafdc645cf4dc34e0dc764", "source": "security-advisories@github.com"}, {"url": "https://github.com/SoftEtherVPN/SoftEtherVPN/releases/tag/5.02.5185", "source": "security-advisories@github.com"}, {"url": "https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-j35p-p8pj-vqxq", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2023-26877", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T20:15:14.777", "lastModified": "2024-06-26T20:15:14.777", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "File upload vulnerability found in Softexpert Excellence Suite v.2.1 allows attackers to execute arbitrary code via a .php file upload to the form/efms_exec_html/file_upload_parser.php endpoint."}], "metrics": {}, "references": [{"url": "https://gist.github.com/rodnt/90ac26fdf891e602f6f090d6aebce32d", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38527", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-26T20:15:16.020", "lastModified": "2024-06-26T20:15:16.020", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "ZenUML is JavaScript-based diagramming tool that requires no server, using Markdown-inspired text definitions and a renderer to create and modify sequence diagrams. Markdown-based comments in the ZenUML diagram syntax are susceptible to Cross-site Scripting (XSS). The comment feature allows the user to attach small notes for reference. This feature allows the user to enter in their comment in markdown comment, allowing them to use common markdown features, such as `**` for bolded text. However, the markdown text is currently not sanitized before rendering, allowing an attacker to enter a malicious payload for the comment which leads to XSS. This puts existing applications that use ZenUML unsandboxed at risk of arbitrary JavaScript execution when rendering user-controlled diagrams. This vulnerability was patched in version 3.23.25,"}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.2, "impactScore": 2.7}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/mermaid-js/zenuml-core/commit/ad7545b33f5f27466cbf357beb65969ca1953e3c", "source": "security-advisories@github.com"}, {"url": "https://github.com/mermaid-js/zenuml-core/security/advisories/GHSA-q6xv-jm4v-349h", "source": "security-advisories@github.com"}]}}, {"cve": {"id": "CVE-2024-38949", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T20:15:16.263", "lastModified": "2024-06-26T20:15:16.263", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc"}], "metrics": {}, "references": [{"url": "https://github.com/strukturag/libde265/issues/460", "source": "cve@mitre.org"}, {"url": "https://github.com/zhangteng0526/CVE-information/blob/main/CVE-2024-38949", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-38950", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T20:15:16.367", "lastModified": "2024-06-26T20:15:16.367", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function."}], "metrics": {}, "references": [{"url": "https://github.com/strukturag/libde265/issues/460", "source": "cve@mitre.org"}, {"url": "https://github.com/zhangteng0526/CVE-information/blob/main/CVE-2024-38950", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-39241", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T20:15:16.447", "lastModified": "2024-06-26T20:15:16.447", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Cross Site Scripting (XSS) vulnerability in skycaiji 2.8 allows attackers to run arbitrary code via /admin/tool/preview."}], "metrics": {}, "references": [{"url": "https://fushuling.com/index.php/2024/06/19/test3/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-39242", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T20:15:16.527", "lastModified": "2024-06-26T20:15:16.527", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability in skycaiji v2.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload using eval(String.fromCharCode())."}], "metrics": {}, "references": [{"url": "https://fushuling.com/index.php/2024/06/13/test2/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-39243", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T20:15:16.610", "lastModified": "2024-06-26T20:15:16.610", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue discovered in skycaiji 2.8 allows attackers to run arbitrary code via crafted POST request to /index.php?s=/admin/develop/editor_save."}], "metrics": {}, "references": [{"url": "https://fushuling.com/index.php/2024/06/11/test/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-1839", "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "published": "2024-06-26T21:15:12.597", "lastModified": "2024-06-26T21:15:12.597", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Intrado 911 Emergency Gateway login form is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an unauthenticated remote attacker to execute malicious code, exfiltrate data, or manipulate the database."}], "metrics": {"cvssMetricV31": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-04", "source": "9119a7d8-5eab-497f-8521-727c672e3725"}]}}, {"cve": {"id": "CVE-2024-23765", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T21:15:12.897", "lastModified": "2024-06-26T21:15:12.897", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue was discovered on HMS Anybus X-Gateway AB7832-F 3 devices. The gateway exposes an unidentified service on port 7412 on the network. All the network services of the gateway become unresponsive after sending 85 requests to this port. The content and length of the frame does not matter. The device needs to be restarted to resume operations."}], "metrics": {}, "references": [{"url": "https://sensepost.com/blog/2024/targeting-an-industrial-protocol-gateway/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-23766", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T21:15:12.977", "lastModified": "2024-06-26T21:15:12.977", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue was discovered on HMS Anybus X-Gateway AB7832-F 3 devices. The gateway exposes a web interface on port 80. An unauthenticated GET request to a specific URL triggers the reboot of the Anybus gateway (or at least most of its modules). An attacker can use this feature to carry out a denial of service attack by continuously sending GET requests to that URL."}], "metrics": {}, "references": [{"url": "https://sensepost.com/blog/2024/targeting-an-industrial-protocol-gateway/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-23767", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T21:15:13.057", "lastModified": "2024-06-26T21:15:13.057", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue was discovered on HMS Anybus X-Gateway AB7832-F firmware version 3. The HICP protocol allows unauthenticated changes to a device's network configurations."}], "metrics": {}, "references": [{"url": "https://sensepost.com/blog/2024/targeting-an-industrial-protocol-gateway/", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-36829", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T21:15:13.387", "lastModified": "2024-06-26T21:15:13.387", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Incorrect access control in Teldat M1 v11.00.05.50.01 allows attackers to obtain sensitive information via a crafted query string."}], "metrics": {}, "references": [{"url": "https://gist.github.com/MILPDS/96843ccf7369ec1da643b7d6e22d428d", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-6355", "sourceIdentifier": "cna@vuldb.com", "published": "2024-06-26T21:15:13.533", "lastModified": "2024-06-26T21:15:13.533", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "A vulnerability was found in Genexis Tilgin Fiber Home Gateway HG1522 CSx000-01_09_01_12. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /status/product_info/. The manipulation of the argument product_info leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269755. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV31": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "cna@vuldb.com", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.0}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "cna@vuldb.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://vuldb.com/?ctiid.269755", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.269755", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.359289", "source": "cna@vuldb.com"}]}}, {"cve": {"id": "CVE-2024-37247", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-26T22:15:10.000", "lastModified": "2024-06-26T22:15:10.000", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in twinpictures, baden03 jQuery T(-) Countdown Widget allows Stored XSS.This issue affects jQuery T(-) Countdown Widget: from n/a through 2.3.25."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/jquery-t-countdown-widget/wordpress-jquery-t-countdown-widget-plugin-2-3-25-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-37248", "sourceIdentifier": "audit@patchstack.com", "published": "2024-06-26T22:15:10.223", "lastModified": "2024-06-26T22:15:10.223", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Anima allows Stored XSS.This issue affects Anima: from n/a through 1.4.1."}], "metrics": {"cvssMetricV31": [{"source": "audit@patchstack.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "audit@patchstack.com", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/anima/wordpress-anima-theme-1-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "audit@patchstack.com"}]}}, {"cve": {"id": "CVE-2024-37571", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T22:15:10.450", "lastModified": "2024-06-26T22:15:10.450", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Buffer Overflow vulnerability in SAS Broker 9.2 build 1495 allows attackers to cause denial of service or obtain sensitive information via crafted payload to the '_debug' parameter."}], "metrics": {}, "references": [{"url": "https://gist.github.com/MILPDS/e9da6d07ba1789defacec08f2f03293d", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-37734", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T22:15:10.533", "lastModified": "2024-06-26T22:15:10.533", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue in OpenEMR 7.0.2 allows a remote attacker to escalate privileges viaa crafted POST request using the noteid parameter."}], "metrics": {}, "references": [{"url": "https://github.com/A3h1nt/CVEs/tree/main/OpenEMR", "source": "cve@mitre.org"}, {"url": "https://github.com/openemr/openemr/pull/7435#event-12872646667", "source": "cve@mitre.org"}]}}, {"cve": {"id": "CVE-2024-28982", "sourceIdentifier": "security.vulnerabilities@hitachivantara.com", "published": "2024-06-26T23:15:19.287", "lastModified": "2024-06-26T23:15:19.287", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference."}], "metrics": {"cvssMetricV31": [{"source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-776"}]}], "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28982", "source": "security.vulnerabilities@hitachivantara.com"}]}}, {"cve": {"id": "CVE-2024-28983", "sourceIdentifier": "security.vulnerabilities@hitachivantara.com", "published": "2024-06-26T23:15:19.597", "lastModified": "2024-06-26T23:15:19.597", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface."}], "metrics": {"cvssMetricV31": [{"source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.3}]}, "weaknesses": [{"source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/27569257123725-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28983", "source": "security.vulnerabilities@hitachivantara.com"}]}}, {"cve": {"id": "CVE-2024-28984", "sourceIdentifier": "security.vulnerabilities@hitachivantara.com", "published": "2024-06-26T23:15:19.800", "lastModified": "2024-06-26T23:15:19.800", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface."}], "metrics": {"cvssMetricV31": [{"source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.3}]}, "weaknesses": [{"source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/27569319605901-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28984", "source": "security.vulnerabilities@hitachivantara.com"}]}}, {"cve": {"id": "CVE-2024-1493", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-27T00:15:10.283", "lastModified": "2024-06-27T00:15:10.283", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, with the processing logic for generating link in dependency files can lead to a regular  expression DoS attack on the server"}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/441806", "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2370084", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-1816", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-27T00:15:10.523", "lastModified": "2024-06-27T00:15:10.523", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows for an attacker to cause a denial of service using a crafted OpenAPI file."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/442852", "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2370737", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-2191", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-27T00:15:10.790", "lastModified": "2024-06-27T00:15:10.790", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members only."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/444655", "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2357370", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-3115", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-27T00:15:11.190", "lastModified": "2024-06-27T00:15:11.190", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/452548", "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2417868", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-3959", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-27T00:15:11.420", "lastModified": "2024-06-27T00:15:11.420", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts can be accessed by any user."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/456989", "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2456845", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-4011", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-27T00:15:11.643", "lastModified": "2024-06-27T00:15:11.643", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/457235", "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2456186", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-4557", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-27T00:15:11.863", "lastModified": "2024-06-27T00:15:11.863", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an attacker to cause resource exhaustion via banzai pipeline."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/460517", "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2485172", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-4901", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-27T00:15:12.263", "lastModified": "2024-06-27T00:15:12.263", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/461773", "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2500163", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-5430", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-27T00:15:12.650", "lastModified": "2024-06-27T00:15:12.650", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer can delete the merge request approval policy via graphQL."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 4.0}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/464017", "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2520947", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-5655", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-27T00:15:12.887", "lastModified": "2024-06-27T00:15:12.887", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.1, "impactScore": 5.8}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/465862", "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/2536320", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-6323", "sourceIdentifier": "cve@gitlab.com", "published": "2024-06-27T00:15:13.130", "lastModified": "2024-06-27T00:15:13.130", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project."}], "metrics": {"cvssMetricV31": [{"source": "cve@gitlab.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "cve@gitlab.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-653"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/457912", "source": "cve@gitlab.com"}]}}, {"cve": {"id": "CVE-2024-5289", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-27T03:15:50.593", "lastModified": "2024-06-27T03:15:50.593", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "The Gutenberg Blocks with AI by Kadence WP \u2013 Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Maps widget parameters in all versions up to, and including, 3.2.42 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.2.38/includes/blocks/class-kadence-blocks-googlemaps-block.php#L226", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.2.42/includes/blocks/class-kadence-blocks-googlemaps-block.php#L237", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9c0ad1e-380e-4b67-b07e-70bf44e4e614?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-6054", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-27T03:15:50.890", "lastModified": "2024-06-27T03:15:50.890", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "The Auto Featured Image plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'create_post_attachment_from_url' function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/auto-featured-image/tags/1.2/auto-featured-image.php#L167", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4d1512c2-75c1-405b-8bb4-f42ec69159a7?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4569", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-27T04:15:11.537", "lastModified": "2024-06-27T04:15:11.537", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018url\u2019 parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/modal-popup/widgets/modal-popup.php#L1060", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3107074/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63ef7383-d684-473b-aa0f-45027ef245f6?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-4570", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-27T04:15:12.553", "lastModified": "2024-06-27T04:15:12.553", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018url\u2019 parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13.4/classes/helper.php#L232", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3107074/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab5f43c0-83d3-4d09-becd-a3552bebd609?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-6283", "sourceIdentifier": "security@wordfence.com", "published": "2024-06-27T05:15:51.700", "lastModified": "2024-06-27T05:15:51.700", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL parameter of the De Gallery widget in all versions up to and including 2.1.5 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected link."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "references": [{"url": "https://plugins.trac.wordpress.org/browser/dethemekit-for-elementor/trunk/widgets/dethemekit-grid.php#L2565", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/dethemekit-for-elementor/trunk/widgets/dethemekit-grid.php#L2900", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b2083f9-79d0-43f6-b7ae-a5817dc561b0?source=cve", "source": "security@wordfence.com"}]}}, {"cve": {"id": "CVE-2024-1330", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-27T06:15:09.800", "lastModified": "2024-06-27T06:15:09.800", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "The kadence-blocks-pro WordPress plugin before 2.3.8 does not prevent users with at least the contributor role using some of its shortcode's functionalities to leak arbitrary options from the database."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/1988815b-7a53-4657-9b1c-1f83c9f9ccfd/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-3111", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-27T06:15:11.643", "lastModified": "2024-06-27T06:15:11.643", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "The Interactive Content  WordPress plugin before 1.15.8 does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting issues"}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/7c39f3b5-d407-4eb0-aa34-b498fe196c55/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4664", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-27T06:15:13.627", "lastModified": "2024-06-27T06:15:13.627", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "The WP Chat App WordPress plugin before 3.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/46ada0b4-f3cd-44fb-a568-3345e639bdb6/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-4704", "sourceIdentifier": "contact@wpscan.com", "published": "2024-06-27T06:15:14.697", "lastModified": "2024-06-27T06:15:14.697", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing."}], "metrics": {}, "references": [{"url": "https://wpscan.com/vulnerability/8bdcdb5a-9026-4157-8592-345df8fb1a17/", "source": "contact@wpscan.com"}]}}, {"cve": {"id": "CVE-2024-22231", "sourceIdentifier": "security@vmware.com", "published": "2024-06-27T07:15:52.623", "lastModified": "2024-06-27T07:15:52.623", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead\u00a0a malicious attacker to create an arbitrary directory on a Salt master."}], "metrics": {"cvssMetricV31": [{"source": "security@vmware.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.1, "impactScore": 1.4}]}, "references": [{"url": "https://saltproject.io/security-announcements/2024-01-31-advisory/", "source": "security@vmware.com"}]}}, {"cve": {"id": "CVE-2024-22232", "sourceIdentifier": "security@vmware.com", "published": "2024-06-27T07:15:54.227", "lastModified": "2024-06-27T07:15:54.227", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "A specially crafted url can be created which leads to a directory traversal in the salt file server.\nA malicious user can read an arbitrary file from a Salt master\u2019s filesystem."}], "metrics": {"cvssMetricV31": [{"source": "security@vmware.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "references": [{"url": "https://saltproject.io/security-announcements/2024-01-31-advisory/", "source": "security@vmware.com"}]}}]}
\ No newline at end of file
diff --git a/prospector/evaluation/multiple_cves.json b/prospector/evaluation/multiple_cves.json
new file mode 100644
index 000000000..7fb0e91bc
--- /dev/null
+++ b/prospector/evaluation/multiple_cves.json
@@ -0,0 +1 @@
+[{"nvd_info": {"cve": {"id": "CVE-2024-22263", "sourceIdentifier": "security@vmware.com", "published": "2024-06-19T15:15:58.327", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization for upload path, a malicious user who has access to skipper server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromises the server."}, {"lang": "es", "value": "Spring Cloud Data Flow es un procesamiento de datos por lotes y streaming basado en microservicios en Cloud Foundry y Kubernetes. El servidor Skipper tiene la capacidad de recibir solicitudes de carga de paquetes. Sin embargo, debido a una sanitizaci\u00f3n inadecuada de la ruta de carga, un usuario malintencionado que tenga acceso a la API del servidor skipper puede utilizar una solicitud de carga manipulada para escribir un archivo arbitrario en cualquier ubicaci\u00f3n del sistema de archivos e incluso puede comprometer el servidor."}], "metrics": {"cvssMetricV31": [{"source": "security@vmware.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://spring.io/security/cve-2024-22263", "source": "security@vmware.com"}]}}, "repo_url": "https://github.com/cloudfoundry/uaa", "version_interval": "None:None"}, {"nvd_info": {"cve": {"id": "CVE-2024-22263", "sourceIdentifier": "security@vmware.com", "published": "2024-06-19T15:15:58.327", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization for upload path, a malicious user who has access to skipper server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromises the server."}, {"lang": "es", "value": "Spring Cloud Data Flow es un procesamiento de datos por lotes y streaming basado en microservicios en Cloud Foundry y Kubernetes. El servidor Skipper tiene la capacidad de recibir solicitudes de carga de paquetes. Sin embargo, debido a una sanitizaci\u00f3n inadecuada de la ruta de carga, un usuario malintencionado que tenga acceso a la API del servidor skipper puede utilizar una solicitud de carga manipulada para escribir un archivo arbitrario en cualquier ubicaci\u00f3n del sistema de archivos e incluso puede comprometer el servidor."}], "metrics": {"cvssMetricV31": [{"source": "security@vmware.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://spring.io/security/cve-2024-22263", "source": "security@vmware.com"}]}}, "repo_url": "https://github.com/spring-projects/spring-framework", "version_interval": "None:None"}, {"nvd_info": {"cve": {"id": "CVE-2024-32030", "sourceIdentifier": "security-advisories@github.com", "published": "2024-06-19T17:15:57.863", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. A potential attacker can exploit this feature by connecting Kafka UI backend to its own malicious broker. This vulnerability affects the deployments where one of the following occurs: 1. dynamic.config.enabled property is set in settings. It's not enabled by default, but it's suggested to be enabled in many tutorials for Kafka UI, including its own README.md. OR  2. an attacker has access to the Kafka cluster that is being connected to Kafka UI. In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well. Instead of setting up a legitimate JMX port, an attacker can create an RMI listener that returns a malicious serialized object for any RMI call. In the worst case it could lead to remote code execution as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution. This is particularly dangerous as Kafka-UI does not have authentication enabled by default. This issue has been addressed in version 0.7.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. These issues were discovered and reported by the GitHub Security lab and is also tracked as GHSL-2023-230."}, {"lang": "es", "value": "Kafka UI es una interfaz de usuario web de c\u00f3digo abierto para la administraci\u00f3n de Apache Kafka. La API de Kafka UI permite a los usuarios conectarse a diferentes corredores de Kafka especificando su direcci\u00f3n de red y puerto. Como caracter\u00edstica independiente, tambi\u00e9n brinda la capacidad de monitorear el desempe\u00f1o de los corredores de Kafka conect\u00e1ndose a sus puertos JMX. JMX se basa en el protocolo RMI, por lo que es inherentemente susceptible a ataques de deserializaci\u00f3n. Un atacante potencial puede aprovechar esta caracter\u00edstica conectando el backend de la interfaz de usuario de Kafka a su propio agente malicioso. Esta vulnerabilidad afecta las implementaciones donde ocurre una de las siguientes situaciones: 1. La propiedad dynamic.config.enabled est\u00e1 configurada en la configuraci\u00f3n. No est\u00e1 habilitado de forma predeterminada, pero se sugiere habilitarlo en muchos tutoriales para Kafka UI, incluido su propio README.md. O 2. un atacante tiene acceso al cl\u00faster de Kafka que se est\u00e1 conectando a la interfaz de usuario de Kafka. En este escenario, el atacante puede aprovechar esta vulnerabilidad para ampliar su acceso y ejecutar c\u00f3digo tambi\u00e9n en la interfaz de usuario de Kafka. En lugar de configurar un puerto JMX leg\u00edtimo, un atacante puede crear un detector RMI que devuelva un objeto serializado malicioso para cualquier llamada RMI. En el peor de los casos, podr\u00eda conducir a la ejecuci\u00f3n remota de c\u00f3digo, ya que Kafka UI tiene las cadenas de dispositivos necesarias en su classpath. Este problema puede provocar la ejecuci\u00f3n remota de c\u00f3digo posterior a la autenticaci\u00f3n. Esto es particularmente peligroso ya que Kafka-UI no tiene la autenticaci\u00f3n habilitada de forma predeterminada. Este problema se solucion\u00f3 en la versi\u00f3n 0.7.2. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad. Estos problemas fueron descubiertos e informados por el laboratorio de seguridad de GitHub y tambi\u00e9n se rastrean como GHSL-2023-230."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://github.com/provectus/kafka-ui/commit/83b5a60cc08501b570a0c4d0b4cdfceb1b88d6b7#diff-37e769f4709c1e78c076a5949bbcead74e969725bfd89c7c4ba6d6f229a411e6R36", "source": "security-advisories@github.com"}, {"url": "https://github.com/provectus/kafka-ui/pull/4427", "source": "security-advisories@github.com"}, {"url": "https://securitylab.github.com/advisories/GHSL-2023-229_GHSL-2023-230_kafka-ui/", "source": "security-advisories@github.com"}]}}, "repo_url": "https://github.com/apache/olingo-odata4", "version_interval": "None:None"}, {"nvd_info": {"cve": {"id": "CVE-2024-34693", "sourceIdentifier": "security@apache.org", "published": "2024-06-20T09:15:11.683", "lastModified": "2024-06-20T12:43:25.663", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table.This issue affects Apache Superset: before 3.1.3 and version 4.0.0\n\nUsers are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.\n\n"}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache Superset, permite que un atacante autenticado cree una conexi\u00f3n MariaDB con local_infile habilitado. Si tanto el servidor MariaDB (desactivado de forma predeterminada) como el cliente MySQL local en el servidor web est\u00e1n configurados para permitir el archivo local, es posible que el atacante ejecute un comando SQL MySQL/MariaDB espec\u00edfico que pueda leer archivos del servidor e inserte su contenido en una tabla de base de datos MariaDB. Este problema afecta a Apache Superset: antes de 3.1.3 y versi\u00f3n 4.0.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 4.0.1 o 3.1.3, que soluciona el problema."}], "metrics": {"cvssMetricV31": [{"source": "security@apache.org", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 4.0}]}, "weaknesses": [{"source": "security@apache.org", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/06/20/1", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon", "source": "security@apache.org"}]}}, "repo_url": "https://github.com/apache/olingo-odata4", "version_interval": "None:None"}, {"nvd_info": {"cve": {"id": "CVE-2024-38379", "sourceIdentifier": "security@apache.org", "published": "2024-06-22T09:15:09.577", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Apache Allura's neighborhood settings are vulnerable to a stored XSS attack.\u00a0 Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.\n\nThis issue affects Apache Allura: from 1.4.0 through 1.17.0.\n\nUsers are recommended to upgrade to version 1.17.1, which fixes the issue.\n\n"}, {"lang": "es", "value": "La configuraci\u00f3n del vecindario de Apache Allura es vulnerable a un ataque XSS almacenado. Solo los administradores de vecindario pueden acceder a estas configuraciones, por lo que el alcance del riesgo se limita a configuraciones en las que no se conf\u00eda plenamente en los administradores de vecindario. Este problema afecta a Apache Allura: desde 1.4.0 hasta 1.17.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.17.1, que soluciona el problema."}], "metrics": {}, "weaknesses": [{"source": "security@apache.org", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp", "source": "security@apache.org"}]}}, "repo_url": "https://github.com/apache/olingo-odata4", "version_interval": "None:None"}, {"nvd_info": {"cve": {"id": "CVE-2024-27136", "sourceIdentifier": "security@apache.org", "published": "2024-06-24T08:15:09.297", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.  Apache JSPWiki users should upgrade to 2.12.2 or later. "}, {"lang": "es", "value": "XSS en la p\u00e1gina de carga en Apache JSPWiki 2.12.1 y versiones anteriores permite al atacante ejecutar javascript en el navegador de la v\u00edctima y obtener informaci\u00f3n confidencial sobre la v\u00edctima. Los usuarios de Apache JSPWiki deben actualizar a 2.12.2 o posterior."}], "metrics": {}, "weaknesses": [{"source": "security@apache.org", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5", "source": "security@apache.org"}]}}, "repo_url": "https://github.com/apache/olingo-odata4", "version_interval": "None:None"}, {"nvd_info": {"cve": {"id": "CVE-2024-29868", "sourceIdentifier": "security@apache.org", "published": "2024-06-24T10:15:09.387", "lastModified": "2024-06-24T12:57:36.513", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes\u00a0user self-registration and password recovery mechanism.\nThis allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.\nThis issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"}, {"lang": "es", "value": "Uso de la vulnerabilidad del generador de n\u00fameros pseudoaleatorios (PRNG) criptogr\u00e1ficamente d\u00e9bil en el mecanismo de autorregistro de usuarios y recuperaci\u00f3n de contrase\u00f1as de Apache StreamPipes. Esto permite a un atacante adivinar el token de recuperaci\u00f3n en un tiempo razonable y as\u00ed hacerse cargo de la cuenta del usuario atacado. Este problema afecta a Apache StreamPipes: desde 0.69.0 hasta 0.93.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 0.95.0, que soluciona el problema."}], "metrics": {}, "weaknesses": [{"source": "security@apache.org", "type": "Primary", "description": [{"lang": "en", "value": "CWE-338"}]}], "references": [{"url": "https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7", "source": "security@apache.org"}]}}, "repo_url": "https://github.com/apache/olingo-odata4", "version_interval": "None:None"}, {"nvd_info": {"cve": {"id": "CVE-2024-37759", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-24T21:15:25.940", "lastModified": "2024-06-25T12:24:17.873", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "DataGear v5.0.0 and earlier was discovered to contain a SpEL (Spring Expression Language) expression injection vulnerability via the Data Viewing interface."}, {"lang": "es", "value": "Se descubri\u00f3 que DataGear v5.0.0 y versiones anteriores conten\u00edan una vulnerabilidad de inyecci\u00f3n de expresi\u00f3n SpEL (Spring Expression Language) a trav\u00e9s de la interfaz de visualizaci\u00f3n de datos."}], "metrics": {}, "references": [{"url": "https://github.com/crumbledwall/CVE-2024-37759_PoC", "source": "cve@mitre.org"}, {"url": "https://github.com/datageartech/datagear/issues/32", "source": "cve@mitre.org"}]}}, "repo_url": "https://github.com/spring-projects/spring-framework", "version_interval": "None:None"}, {"nvd_info": {"cve": {"id": "CVE-2024-35527", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-25T22:15:30.403", "lastModified": "2024-06-26T12:44:29.693", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "An arbitrary file upload vulnerability in /fileupload/upload.cfm in Daemon PTY Limited FarCry Core framework before 7.2.14 allows attackers to execute arbitrary code via uploading a crafted .cfm file."}, {"lang": "es", "value": "Una vulnerabilidad de carga de archivos arbitrarios en /fileupload/upload.cfm en Daemon PTY Limited FarCry Core framework anterior a 7.2.14 permite a los atacantes ejecutar c\u00f3digo arbitrario cargando un archivo .cfm manipulado."}], "metrics": {}, "references": [{"url": "https://bastionsecurity.co.nz/advisories/farcry-core-multiple.html", "source": "cve@mitre.org"}]}}, "repo_url": "https://github.com/apache/commons-fileupload", "version_interval": "None:None"}, {"nvd_info": {"cve": {"id": "CVE-2024-34580", "sourceIdentifier": "cve@mitre.org", "published": "2024-06-26T05:15:51.093", "lastModified": "2024-06-26T16:15:11.437", "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "Apache XML Security for C++ through 2.0.4 implements the XML Signature Syntax and Processing (XMLDsig) specification without protection against an SSRF payload in a KeyInfo element. NOTE: the supplier disputes this CVE Record on the grounds that they are implementing the specification \"correctly\" and are not \"at fault.\""}, {"lang": "es", "value": "Apache XML Security para C++ hasta 2.0.4 implementa la especificaci\u00f3n de procesamiento y sintaxis de firma XML (XMLDsig) sin protecci\u00f3n contra un payload SSRF en un elemento KeyInfo. NOTA: el proveedor cuestiona este Registro CVE con el argumento de que est\u00e1 implementando la especificaci\u00f3n \"correctamente\" y no tiene \"culpa\"."}], "metrics": {}, "references": [{"url": "https://cloud.google.com/blog/topics/threat-intelligence/apache-library-allows-server-side-request-forgery", "source": "cve@mitre.org"}, {"url": "https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2024-21893.md", "source": "cve@mitre.org"}, {"url": "https://santuario.apache.org/download.html", "source": "cve@mitre.org"}, {"url": "https://www.sonatype.com/blog/the-exploited-ivanti-connect-ssrf-vulnerability-stems-from-xmltooling-oss-library", "source": "cve@mitre.org"}]}}, "repo_url": "https://github.com/apache/olingo-odata4", "version_interval": "None:None"}, {"nvd_info": {"cve": {"id": "CVE-2024-39458", "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "published": "2024-06-26T17:15:27.020", "lastModified": "2024-06-26T18:15:15.410", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "When Jenkins Structs Plugin 337.v1b_04ea_4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters, potentially resulting in accidental exposure of secrets through the default system log."}], "metrics": {}, "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/06/26/2", "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2024-06-26/#SECURITY-3371", "source": "jenkinsci-cert@googlegroups.com"}]}}, "repo_url": "https://github.com/jenkinsci/jenkins", "version_interval": "None:None"}, {"nvd_info": {"cve": {"id": "CVE-2024-39459", "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "published": "2024-06-26T17:15:27.110", "lastModified": "2024-06-26T18:15:15.457", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "In rare cases Jenkins Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system, where they can be viewed by users with access to the Jenkins controller file system (global credentials) or with Item/Extended Read permission (folder-scoped credentials)."}], "metrics": {}, "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/06/26/2", "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2024-06-26/#SECURITY-2495", "source": "jenkinsci-cert@googlegroups.com"}]}}, "repo_url": "https://github.com/jenkinsci/jenkins", "version_interval": "None:None"}, {"nvd_info": {"cve": {"id": "CVE-2024-39460", "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "published": "2024-06-26T17:15:27.180", "lastModified": "2024-06-26T18:15:15.500", "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "Jenkins Bitbucket Branch Source Plugin 886.v44cf5e4ecec5 and earlier prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log in some cases."}], "metrics": {}, "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/06/26/2", "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2024-06-26/#SECURITY-3363", "source": "jenkinsci-cert@googlegroups.com"}]}}, "repo_url": "https://github.com/jenkinsci/jenkins", "version_interval": "None:None"}]
\ No newline at end of file
diff --git a/prospector/evaluation/single_cve.json b/prospector/evaluation/single_cve.json
new file mode 100644
index 000000000..a2fa1d32f
--- /dev/null
+++ b/prospector/evaluation/single_cve.json
@@ -0,0 +1 @@
+[{"nvd_info": {"cve": {"id": "CVE-2020-1925", "sourceIdentifier": "security@apache.org", "published": "2020-01-09T19:15:10.807", "lastModified": "2020-01-15T14:26:32.803", "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": "Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker."}, {"lang": "es", "value": "Apache Olingo versiones 4.0.0 hasta 4.7.0, proporcionan la clase AsyncRequestWrapperImpl que lee una URL del encabezado Location y entonces env\u00eda una petici\u00f3n GET o DELETE a esta URL. Puede permitir implementar un ataque de tipo SSRF. Si un atacante enga\u00f1a a un cliente para que conecte con un servidor malicioso, el servidor puede hacer que el cliente llame a cualquier URL, incluyendo los recursos internos que no son accesibles directamente por el atacante."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}], "cvssMetricV2": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:olingo:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndIncluding": "4.7.0", "matchCriteriaId": "3303BD0F-10CA-4290-BC41-8653279BA978"}]}]}], "references": [{"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/202001.mbox/%3CCAGSZ4d6HwpF2woOrZJg_d0SkHytXJaCtAWXa3ZtBn33WG0YFvw%40mail.gmail.com%3E", "source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"]}]}}, "repo_url": "https://github.com/apache/olingo-odata4", "version_interval": "4.0.0:4.7.0"}]
\ No newline at end of file
diff --git a/prospector/llm/llm_service.py b/prospector/llm/llm_service.py
index cbc4e69e4..1134794e3 100644
--- a/prospector/llm/llm_service.py
+++ b/prospector/llm/llm_service.py
@@ -3,9 +3,12 @@
 import validators
 from langchain_core.language_models.llms import LLM
 from langchain_core.output_parsers import StrOutputParser
+from requests import HTTPError
 
+from datamodel.commit import Commit
 from llm.instantiation import create_model_instance
-from llm.prompts import prompt_best_guess
+from llm.prompts.classify_commit import zero_shot as cc_zero_shot
+from llm.prompts.get_repository_url import prompt_best_guess
 from log.logger import logger
 from util.config_parser import LLMServiceConfig
 from util.singleton import Singleton
@@ -74,3 +77,45 @@ def get_repository_url(self, advisory_description, advisory_references) -> str:
             raise RuntimeError(f"Prompt-model chain could not be invoked: {e}")
 
         return url
+
+    def classify_commit(
+        self, diff: str, repository_name: str, commit_message: str
+    ) -> bool:
+        """Ask an LLM whether a commit is security relevant or not. The response will be either True or False.
+
+        Args:
+            candidate (Commit): The commit to input into the LLM
+
+        Returns:
+            True if the commit is deemed security relevant, False if not.
+
+        Raises:
+            ValueError if there is an error in the model invocation or the response was not valid.
+        """
+        try:
+            chain = cc_zero_shot | self.model | StrOutputParser()
+
+            is_relevant = chain.invoke(
+                {
+                    "diff": diff,
+                    "repository_name": repository_name,
+                    "commit_message": commit_message,
+                }
+            )
+            logger.info(f"LLM returned is_relevant={is_relevant}")
+
+        except HTTPError as e:
+            # if the diff is too big, a 400 error is returned -> silently ignore by returning False for this commit
+            status_code = e.response.status_code
+            if status_code == 400:
+                return False
+            raise RuntimeError(f"Prompt-model chain could not be invoked: {e}")
+        except Exception as e:
+            raise RuntimeError(f"Prompt-model chain could not be invoked: {e}")
+
+        if is_relevant == "True":
+            return True
+        elif is_relevant == "False":
+            return False
+        else:
+            raise RuntimeError(f"The model returned an invalid response: {is_relevant}")
diff --git a/prospector/llm/models/gemini.py b/prospector/llm/models/gemini.py
index 147086254..ab8135729 100644
--- a/prospector/llm/models/gemini.py
+++ b/prospector/llm/models/gemini.py
@@ -60,6 +60,7 @@ def _call(
 
         try:
             response = requests.post(endpoint, headers=headers, json=data)
+            response.raise_for_status()
             return self.parse(response.json())
         except requests.exceptions.HTTPError as http_error:
             logger.error(
diff --git a/prospector/llm/models/mistral.py b/prospector/llm/models/mistral.py
index 9708d8e31..42a90dcc3 100644
--- a/prospector/llm/models/mistral.py
+++ b/prospector/llm/models/mistral.py
@@ -41,6 +41,7 @@ def _call(
 
         try:
             response = requests.post(endpoint, headers=headers, json=data)
+            response.raise_for_status()
             return self.parse(response.json())
         except requests.exceptions.HTTPError as http_error:
             logger.error(
diff --git a/prospector/llm/models/openai.py b/prospector/llm/models/openai.py
index 76d95ef5b..ae78fbc28 100644
--- a/prospector/llm/models/openai.py
+++ b/prospector/llm/models/openai.py
@@ -44,6 +44,7 @@ def _call(
 
         try:
             response = requests.post(endpoint, headers=headers, json=data)
+            response.raise_for_status()
             return self.parse(response.json())
         except requests.exceptions.HTTPError as http_error:
             logger.error(
diff --git a/prospector/llm/prompts/classify_commit.py b/prospector/llm/prompts/classify_commit.py
new file mode 100644
index 000000000..c6409a4a4
--- /dev/null
+++ b/prospector/llm/prompts/classify_commit.py
@@ -0,0 +1,16 @@
+from langchain.prompts import PromptTemplate
+
+zero_shot = PromptTemplate.from_template(
+    """Is the following commit security relevant or not?
+Please provide the output as a boolean value: ```ANSWER:```
+If it is security relevant just answer ```ANSWER:True``` otherwise answer ```ANSWER:False```.
+
+To provide you with some context, the name of the repository is: {repository_name}, and the
+commit message is: {commit_message}.
+
+Finally, here is the diff of the commit:
+{diff}\n
+
+
+```ANSWER: ```\n"""
+)
diff --git a/prospector/llm/prompts.py b/prospector/llm/prompts/get_repository_url.py
similarity index 100%
rename from prospector/llm/prompts.py
rename to prospector/llm/prompts/get_repository_url.py
diff --git a/prospector/requirements.in b/prospector/requirements.in
index 6d7d7f4b3..720c5295e 100644
--- a/prospector/requirements.in
+++ b/prospector/requirements.in
@@ -3,6 +3,7 @@ beautifulsoup4
 colorama
 datasketch
 fastapi
+google-cloud-aiplatform==1.49.0
 Jinja2
 langchain
 langchain_openai
diff --git a/prospector/requirements.txt b/prospector/requirements.txt
index 0ca435446..1a5a11dee 100644
--- a/prospector/requirements.txt
+++ b/prospector/requirements.txt
@@ -39,7 +39,7 @@ frozenlist==1.4.1
 fsspec==2024.6.0
 google-api-core==2.19.0
 google-auth==2.29.0
-google-cloud-aiplatform==1.53.0
+google-cloud-aiplatform==1.49.0
 google-cloud-bigquery==3.24.0
 google-cloud-core==2.4.1
 google-cloud-resource-manager==1.12.3
diff --git a/prospector/rules/rules.py b/prospector/rules/rules.py
index fb190c9ff..996ee9a5e 100644
--- a/prospector/rules/rules.py
+++ b/prospector/rules/rules.py
@@ -3,22 +3,26 @@
 from typing import List, Tuple
 
 from datamodel.advisory import AdvisoryRecord
-from datamodel.commit import Commit
-from datamodel.nlp import clean_string, find_similar_words
+from datamodel.commit import Commit, apply_ranking
+from llm.llm_service import LLMService
 from rules.helpers import extract_security_keywords
 from stats.execution import Counter, execution_statistics
 from util.lsh import build_lsh_index, decode_minhash
 
+MAX_COMMITS_FOR_LLM_RULES = 1
+
+
 rule_statistics = execution_statistics.sub_collection("rules")
 
 
 class Rule:
     lsh_index = None
+    llm_service: LLMService = None
 
     def __init__(self, id: str, relevance: int):
         self.id = id
-        self.message = ""
         self.relevance = relevance
+        self.message = ""
 
     @abstractmethod
     def apply(self, candidate: Commit, advisory_record: AdvisoryRecord) -> bool:
@@ -37,54 +41,51 @@ def as_dict(self):
     def get_rule_as_tuple(self) -> Tuple[str, str, int]:
         return (self.id, self.message, self.relevance)
 
+    def get_id(self):
+        return self.id
+
 
 def apply_rules(
     candidates: List[Commit],
     advisory_record: AdvisoryRecord,
-    rules=["ALL"],
+    enabled_rules: List[str] = [],
 ) -> List[Commit]:
-    enabled_rules = get_enabled_rules(rules)
-
-    rule_statistics.collect("active", len(enabled_rules), unit="rules")
+    """Applies the selected set of rules and returns the ranked list of commits (uses apply_ranking())."""
 
     Rule.lsh_index = build_lsh_index()
 
+    phase_1_rules = [rule for rule in RULES_PHASE_1 if rule.get_id() in enabled_rules]
+    phase_2_rules = [rule for rule in RULES_PHASE_2 if rule.get_id() in enabled_rules]
+
+    if phase_2_rules:
+        Rule.llm_service = LLMService()
+
+    rule_statistics.collect(
+        "active", len(phase_1_rules) + len(phase_2_rules), unit="rules"
+    )
+
     for candidate in candidates:
         Rule.lsh_index.insert(candidate.commit_id, decode_minhash(candidate.minhash))
 
     with Counter(rule_statistics) as counter:
         counter.initialize("matches", unit="matches")
         for candidate in candidates:
-            for rule in enabled_rules:
+            for rule in phase_1_rules:
                 if rule.apply(candidate, advisory_record):
                     counter.increment("matches")
                     candidate.add_match(rule.as_dict())
             candidate.compute_relevance()
 
-    # for candidate in candidates:
-    #     if candidate.has_twin():
-    #         for twin in candidate.twins:
-    #             for other_candidate in candidates:
-    #                 if (
-    #                     other_candidate.commit_id == twin[1]
-    #                     and other_candidate.relevance > candidate.relevance
-    #                 ):
-    #                     candidate.relevance = other_candidate.relevance
-    #                     # Add a reason on why we are doing this.
-
-    return candidates
-
+        candidates = apply_ranking(candidates)
 
-def get_enabled_rules(rules: List[str]) -> List[Rule]:
-    if "ALL" in rules:
-        return RULES
-
-    enabled_rules = []
-    for r in RULES:
-        if r.id in rules:
-            enabled_rules.append(r)
+        for candidate in candidates[:MAX_COMMITS_FOR_LLM_RULES]:
+            for rule in phase_2_rules:
+                if rule.apply(candidate):
+                    counter.increment("matches")
+                    candidate.add_match(rule.as_dict())
+            candidate.compute_relevance()
 
-    return enabled_rules
+    return apply_ranking(candidates)
 
 
 # TODO: This could include issues, PRs, etc.
@@ -409,7 +410,19 @@ def apply(self, candidate: Commit, advisory_record: AdvisoryRecord):
         return False
 
 
-RULES: List[Rule] = [
+class CommitIsSecurityRelevant(Rule):
+    """Matches commits that are deemed security relevant by the commit classification service."""
+
+    def apply(
+        self,
+        candidate: Commit,
+    ) -> bool:
+        return LLMService().classify_commit(
+            candidate.diff, candidate.repository, candidate.message
+        )
+
+
+RULES_PHASE_1: List[Rule] = [
     VulnIdInMessage("VULN_ID_IN_MESSAGE", 64),
     # CommitMentionedInAdv("COMMIT_IN_ADVISORY", 64),
     CrossReferencedBug("XREF_BUG", 32),
@@ -429,23 +442,6 @@ def apply(self, candidate: Commit, advisory_record: AdvisoryRecord):
     CommitHasTwins("COMMIT_HAS_TWINS", 2),
 ]
 
-rules_list = [
-    "COMMIT_IN_REFERENCE",
-    "VULN_ID_IN_MESSAGE",
-    "VULN_ID_IN_LINKED_ISSUE",
-    "XREF_BUG",
-    "XREF_GH",
-    "CHANGES_RELEVANT_FILES",
-    "CHANGES_RELEVANT_CODE",
-    "RELEVANT_WORDS_IN_MESSAGE",
-    "ADV_KEYWORDS_IN_FILES",
-    "ADV_KEYWORDS_IN_MSG",
-    "SEC_KEYWORDS_IN_MESSAGE",
-    "SEC_KEYWORDS_IN_LINKED_GH",
-    "SEC_KEYWORDS_IN_LINKED_BUG",
-    "GITHUB_ISSUE_IN_MESSAGE",
-    "BUG_IN_MESSAGE",
-    "COMMIT_HAS_TWINS",
+RULES_PHASE_2: List[Rule] = [
+    CommitIsSecurityRelevant("COMMIT_IS_SECURITY_RELEVANT", 32)
 ]
-
-# print(" & ".join([f"\\rot{{{x}}}" for x in rules_list]))
diff --git a/prospector/rules/rules_test.py b/prospector/rules/rules_test.py
index 63ff21e16..5b5abf730 100644
--- a/prospector/rules/rules_test.py
+++ b/prospector/rules/rules_test.py
@@ -1,38 +1,68 @@
 from typing import List
 
 import pytest
+from requests_cache import Optional
 
 from datamodel.advisory import AdvisoryRecord
 from datamodel.commit import Commit
 from rules.rules import apply_rules
+from util.lsh import get_encoded_minhash
 
 # from datamodel.commit_features import CommitWithFeatures
 
+MOCK_CVE_ID = "CVE-2020-26258"
+
+
+def get_msg(text, limit_length: Optional[int] = None) -> str:
+    return text[:limit_length] if limit_length else text
+
 
 @pytest.fixture
 def candidates():
     return [
+        # Should match: VulnIdInMessage, ReferencesGhIssue
         Commit(
             repository="repo1",
-            commit_id="1",
-            message="Blah blah blah fixes CVE-2020-26258 and a few other issues",
+            commit_id="1234567890",
+            message=f"Blah blah blah fixes {MOCK_CVE_ID} and a few other issues",
             ghissue_refs={"example": ""},
             changed_files={"foo/bar/otherthing.xml", "pom.xml"},
-            cve_refs=["CVE-2020-26258"],
+            cve_refs=[f"{MOCK_CVE_ID}"],
+            minhash=get_encoded_minhash(
+                get_msg(
+                    f"Blah blah blah fixes {MOCK_CVE_ID} and a few other issues",
+                    50,
+                )
+            ),
         ),
-        Commit(repository="repo2", commit_id="2", cve_refs=["CVE-2020-26258"]),
+        Commit(
+            repository="repo2",
+            commit_id="2234567890",
+            message="",
+            minhash=get_encoded_minhash(get_msg("")),
+        ),
+        # Should match: VulnIdInMessage, ReferencesGhIssue
         Commit(
             repository="repo3",
-            commit_id="3",
-            message="Another commit that fixes CVE-2020-26258",
+            commit_id="3234567890",
+            message=f"Another commit that fixes {MOCK_CVE_ID}",
             ghissue_refs={"example": ""},
+            cve_refs=[f"{MOCK_CVE_ID}"],
+            minhash=get_encoded_minhash(
+                get_msg(f"Another commit that fixes {MOCK_CVE_ID}", 50)
+            ),
         ),
+        # Should match: SecurityKeywordsInMsg
         Commit(
             repository="repo4",
-            commit_id="4",
+            commit_id="4234567890",
             message="Endless loop causes DoS vulnerability",
             changed_files={"foo/bar/otherthing.xml", "pom.xml"},
+            minhash=get_encoded_minhash(
+                get_msg("Endless loop causes DoS vulnerability", 50)
+            ),
         ),
+        # Should match: AdvKeywordsInFiles, SecurityKeywordsInMsg, CommitMentionedInReference
         Commit(
             repository="repo5",
             commit_id="7532d2fb0d6081a12c2a48ec854a81a8b718be62",
@@ -40,111 +70,56 @@ def candidates():
             changed_files={
                 "core/src/main/java/org/apache/cxf/workqueue/AutomaticWorkQueueImpl.java"
             },
+            minhash=get_encoded_minhash(get_msg("Insecure deserialization", 50)),
         ),
+        # TODO: Not matched by existing tests: GHSecurityAdvInMessage, ReferencesBug, ChangesRelevantCode, TwinMentionedInAdv, VulnIdInLinkedIssue, SecurityKeywordInLinkedGhIssue, SecurityKeywordInLinkedBug, CrossReferencedBug, CrossReferencedGh, CommitHasTwins, ChangesRelevantFiles, CommitMentionedInAdv, RelevantWordsInMessage
     ]
 
 
 @pytest.fixture
 def advisory_record():
     return AdvisoryRecord(
-        vulnerability_id="CVE-2020-26258",
+        cve_id=f"{MOCK_CVE_ID}",
         repository_url="https://github.com/apache/struts",
         published_timestamp=1607532756,
-        references=["https://reference.to/some/commit/7532d2fb0d60"],
+        references={
+            "https://reference.to/some/commit/7532d2fb0d60": 1,
+        },
         keywords=["AutomaticWorkQueueImpl"],
-        paths=["pom.xml"],
+        # paths=["pom.xml"],
     )
 
 
-def test_apply_rules_all(candidates: List[Commit], advisory_record: AdvisoryRecord):
-    annotated_candidates = apply_rules(candidates, advisory_record)
-
-    assert len(annotated_candidates[0].matched_rules) == 4
-    assert annotated_candidates[0].matched_rules[0][0] == "CVE_ID_IN_MESSAGE"
-    assert "CVE-2020-26258" in annotated_candidates[0].matched_rules[0][1]
-
-    # assert len(annotated_candidates[0].annotations) > 0
-    # assert "REF_ADV_VULN_ID" in annotated_candidates[0].annotations
-    # assert "REF_GH_ISSUE" in annotated_candidates[0].annotations
-    # assert "CH_REL_PATH" in annotated_candidates[0].annotations
-
-    # assert len(annotated_candidates[1].annotations) > 0
-    # assert "REF_ADV_VULN_ID" in annotated_candidates[1].annotations
-    # assert "REF_GH_ISSUE" not in annotated_candidates[1].annotations
-    # assert "CH_REL_PATH" not in annotated_candidates[1].annotations
-
-    # assert len(annotated_candidates[2].annotations) > 0
-    # assert "REF_ADV_VULN_ID" not in annotated_candidates[2].annotations
-    # assert "REF_GH_ISSUE" in annotated_candidates[2].annotations
-    # assert "CH_REL_PATH" not in annotated_candidates[2].annotations
-
-    # assert len(annotated_candidates[3].annotations) > 0
-    # assert "REF_ADV_VULN_ID" not in annotated_candidates[3].annotations
-    # assert "REF_GH_ISSUE" not in annotated_candidates[3].annotations
-    # assert "CH_REL_PATH" in annotated_candidates[3].annotations
-    # assert "SEC_KEYWORD_IN_COMMIT_MSG" in annotated_candidates[3].annotations
-
-    # assert "SEC_KEYWORD_IN_COMMIT_MSG" in annotated_candidates[4].annotations
-    # assert "TOKENS_IN_MODIFIED_PATHS" in annotated_candidates[4].annotations
-    # assert "COMMIT_MENTIONED_IN_ADV" in annotated_candidates[4].annotations
-
-
-def test_apply_rules_selected(
-    candidates: List[Commit], advisory_record: AdvisoryRecord
-):
-    annotated_candidates = apply_rules(
-        candidates=candidates,
-        advisory_record=advisory_record,
-        rules=[
-            "REF_ADV_VULN_ID",
-            "REF_GH_ISSUE",
-            "CH_REL_PATH",
-            "SEC_KEYWORD_IN_COMMIT_MSG",
-            "TOKENS_IN_MODIFIED_PATHS",
-            "COMMIT_MENTIONED_IN_ADV",
-        ],
-    )
+def test_apply_phase_1_rules(candidates: List[Commit], advisory_record: AdvisoryRecord):
+    annotated_candidates = apply_rules(candidates, advisory_record, rules=["phase_1"])
 
-    assert len(annotated_candidates[0].annotations) > 0
-    assert "REF_ADV_VULN_ID" in annotated_candidates[0].annotations
-    assert "REF_GH_ISSUE" in annotated_candidates[0].annotations
-    assert "CH_REL_PATH" in annotated_candidates[0].annotations
-
-    assert len(annotated_candidates[1].annotations) > 0
-    assert "REF_ADV_VULN_ID" in annotated_candidates[1].annotations
-    assert "REF_GH_ISSUE" not in annotated_candidates[1].annotations
-    assert "CH_REL_PATH" not in annotated_candidates[1].annotations
-
-    assert len(annotated_candidates[2].annotations) > 0
-    assert "REF_ADV_VULN_ID" not in annotated_candidates[2].annotations
-    assert "REF_GH_ISSUE" in annotated_candidates[2].annotations
-    assert "CH_REL_PATH" not in annotated_candidates[2].annotations
-
-    assert len(annotated_candidates[3].annotations) > 0
-    assert "REF_ADV_VULN_ID" not in annotated_candidates[3].annotations
-    assert "REF_GH_ISSUE" not in annotated_candidates[3].annotations
-    assert "CH_REL_PATH" in annotated_candidates[3].annotations
-    assert "SEC_KEYWORD_IN_COMMIT_MSG" in annotated_candidates[3].annotations
-
-    assert "SEC_KEYWORD_IN_COMMIT_MSG" in annotated_candidates[4].annotations
-    assert "TOKENS_IN_MODIFIED_PATHS" in annotated_candidates[4].annotations
-    assert "COMMIT_MENTIONED_IN_ADV" in annotated_candidates[4].annotations
-
-
-def test_apply_rules_selected_rules(
-    candidates: List[Commit], advisory_record: AdvisoryRecord
-):
-    annotated_candidates = apply_rules(
-        candidates=candidates,
-        advisory_record=advisory_record,
-        rules=["ALL", "-REF_ADV_VULN_ID"],
-    )
+    # Repo 5: Should match: AdvKeywordsInFiles, SecurityKeywordsInMsg, CommitMentionedInReference
+    assert len(annotated_candidates[0].matched_rules) == 3
+
+    matched_rules_names = [item["id"] for item in annotated_candidates[0].matched_rules]
+    assert "ADV_KEYWORDS_IN_FILES" in matched_rules_names
+    assert "COMMIT_IN_REFERENCE" in matched_rules_names
+    assert "SEC_KEYWORDS_IN_MESSAGE" in matched_rules_names
+
+    # Repo 1: Should match: VulnIdInMessage, ReferencesGhIssue
+    assert len(annotated_candidates[1].matched_rules) == 2
+
+    matched_rules_names = [item["id"] for item in annotated_candidates[1].matched_rules]
+    assert "VULN_ID_IN_MESSAGE" in matched_rules_names
+    assert "GITHUB_ISSUE_IN_MESSAGE" in matched_rules_names
+
+    # Repo 3: Should match: VulnIdInMessage, ReferencesGhIssue
+    assert len(annotated_candidates[2].matched_rules) == 2
+
+    matched_rules_names = [item["id"] for item in annotated_candidates[2].matched_rules]
+    assert "VULN_ID_IN_MESSAGE" in matched_rules_names
+    assert "GITHUB_ISSUE_IN_MESSAGE" in matched_rules_names
 
-    assert len(annotated_candidates[0].annotations) > 0
-    assert "REF_ADV_VULN_ID" not in annotated_candidates[0].annotations
-    assert "REF_GH_ISSUE" in annotated_candidates[0].annotations
-    assert "CH_REL_PATH" in annotated_candidates[0].annotations
+    # Repo 4: Should match: SecurityKeywordsInMsg
+    assert len(annotated_candidates[3].matched_rules) == 1
 
+    matched_rules_names = [item["id"] for item in annotated_candidates[3].matched_rules]
+    assert "SEC_KEYWORDS_IN_MESSAGE" in matched_rules_names
 
-def test_sec_keywords_in_linked_issue():
-    print("TODO")
+    # Repo 2: Matches nothing
+    assert len(annotated_candidates[4].matched_rules) == 0
diff --git a/prospector/rules/test_rules.py b/prospector/rules/test_rules.py
new file mode 100644
index 000000000..5b5abf730
--- /dev/null
+++ b/prospector/rules/test_rules.py
@@ -0,0 +1,125 @@
+from typing import List
+
+import pytest
+from requests_cache import Optional
+
+from datamodel.advisory import AdvisoryRecord
+from datamodel.commit import Commit
+from rules.rules import apply_rules
+from util.lsh import get_encoded_minhash
+
+# from datamodel.commit_features import CommitWithFeatures
+
+MOCK_CVE_ID = "CVE-2020-26258"
+
+
+def get_msg(text, limit_length: Optional[int] = None) -> str:
+    return text[:limit_length] if limit_length else text
+
+
+@pytest.fixture
+def candidates():
+    return [
+        # Should match: VulnIdInMessage, ReferencesGhIssue
+        Commit(
+            repository="repo1",
+            commit_id="1234567890",
+            message=f"Blah blah blah fixes {MOCK_CVE_ID} and a few other issues",
+            ghissue_refs={"example": ""},
+            changed_files={"foo/bar/otherthing.xml", "pom.xml"},
+            cve_refs=[f"{MOCK_CVE_ID}"],
+            minhash=get_encoded_minhash(
+                get_msg(
+                    f"Blah blah blah fixes {MOCK_CVE_ID} and a few other issues",
+                    50,
+                )
+            ),
+        ),
+        Commit(
+            repository="repo2",
+            commit_id="2234567890",
+            message="",
+            minhash=get_encoded_minhash(get_msg("")),
+        ),
+        # Should match: VulnIdInMessage, ReferencesGhIssue
+        Commit(
+            repository="repo3",
+            commit_id="3234567890",
+            message=f"Another commit that fixes {MOCK_CVE_ID}",
+            ghissue_refs={"example": ""},
+            cve_refs=[f"{MOCK_CVE_ID}"],
+            minhash=get_encoded_minhash(
+                get_msg(f"Another commit that fixes {MOCK_CVE_ID}", 50)
+            ),
+        ),
+        # Should match: SecurityKeywordsInMsg
+        Commit(
+            repository="repo4",
+            commit_id="4234567890",
+            message="Endless loop causes DoS vulnerability",
+            changed_files={"foo/bar/otherthing.xml", "pom.xml"},
+            minhash=get_encoded_minhash(
+                get_msg("Endless loop causes DoS vulnerability", 50)
+            ),
+        ),
+        # Should match: AdvKeywordsInFiles, SecurityKeywordsInMsg, CommitMentionedInReference
+        Commit(
+            repository="repo5",
+            commit_id="7532d2fb0d6081a12c2a48ec854a81a8b718be62",
+            message="Insecure deserialization",
+            changed_files={
+                "core/src/main/java/org/apache/cxf/workqueue/AutomaticWorkQueueImpl.java"
+            },
+            minhash=get_encoded_minhash(get_msg("Insecure deserialization", 50)),
+        ),
+        # TODO: Not matched by existing tests: GHSecurityAdvInMessage, ReferencesBug, ChangesRelevantCode, TwinMentionedInAdv, VulnIdInLinkedIssue, SecurityKeywordInLinkedGhIssue, SecurityKeywordInLinkedBug, CrossReferencedBug, CrossReferencedGh, CommitHasTwins, ChangesRelevantFiles, CommitMentionedInAdv, RelevantWordsInMessage
+    ]
+
+
+@pytest.fixture
+def advisory_record():
+    return AdvisoryRecord(
+        cve_id=f"{MOCK_CVE_ID}",
+        repository_url="https://github.com/apache/struts",
+        published_timestamp=1607532756,
+        references={
+            "https://reference.to/some/commit/7532d2fb0d60": 1,
+        },
+        keywords=["AutomaticWorkQueueImpl"],
+        # paths=["pom.xml"],
+    )
+
+
+def test_apply_phase_1_rules(candidates: List[Commit], advisory_record: AdvisoryRecord):
+    annotated_candidates = apply_rules(candidates, advisory_record, rules=["phase_1"])
+
+    # Repo 5: Should match: AdvKeywordsInFiles, SecurityKeywordsInMsg, CommitMentionedInReference
+    assert len(annotated_candidates[0].matched_rules) == 3
+
+    matched_rules_names = [item["id"] for item in annotated_candidates[0].matched_rules]
+    assert "ADV_KEYWORDS_IN_FILES" in matched_rules_names
+    assert "COMMIT_IN_REFERENCE" in matched_rules_names
+    assert "SEC_KEYWORDS_IN_MESSAGE" in matched_rules_names
+
+    # Repo 1: Should match: VulnIdInMessage, ReferencesGhIssue
+    assert len(annotated_candidates[1].matched_rules) == 2
+
+    matched_rules_names = [item["id"] for item in annotated_candidates[1].matched_rules]
+    assert "VULN_ID_IN_MESSAGE" in matched_rules_names
+    assert "GITHUB_ISSUE_IN_MESSAGE" in matched_rules_names
+
+    # Repo 3: Should match: VulnIdInMessage, ReferencesGhIssue
+    assert len(annotated_candidates[2].matched_rules) == 2
+
+    matched_rules_names = [item["id"] for item in annotated_candidates[2].matched_rules]
+    assert "VULN_ID_IN_MESSAGE" in matched_rules_names
+    assert "GITHUB_ISSUE_IN_MESSAGE" in matched_rules_names
+
+    # Repo 4: Should match: SecurityKeywordsInMsg
+    assert len(annotated_candidates[3].matched_rules) == 1
+
+    matched_rules_names = [item["id"] for item in annotated_candidates[3].matched_rules]
+    assert "SEC_KEYWORDS_IN_MESSAGE" in matched_rules_names
+
+    # Repo 2: Matches nothing
+    assert len(annotated_candidates[4].matched_rules) == 0
diff --git a/prospector/stats/collection.py b/prospector/stats/collection.py
index 2c4a8f81e..642490f95 100644
--- a/prospector/stats/collection.py
+++ b/prospector/stats/collection.py
@@ -8,6 +8,8 @@
 
 
 class ForbiddenDuplication(ValueError):
+    """Custom Error for Collections"""
+
     ...
 
 
@@ -54,6 +56,10 @@ def _summarize_list(collection, unit: Optional[str] = None):
 
 
 class StatisticCollection(dict):
+    """The StatisticCollection can contain nested sub-collections, and each entry in the
+    collection can hold a list of values along with an optional unit.
+    """
+
     def __init__(self):
         super().__init__()
         self.units = {}
diff --git a/prospector/util/config_parser.py b/prospector/util/config_parser.py
index aace08cbf..7bc83a8e0 100644
--- a/prospector/util/config_parser.py
+++ b/prospector/util/config_parser.py
@@ -2,7 +2,7 @@
 import os
 import sys
 from dataclasses import MISSING, dataclass
-from typing import Optional
+from typing import List, Optional
 
 from omegaconf import OmegaConf
 from omegaconf.errors import (
@@ -181,8 +181,8 @@ class ReportConfig:
 class LLMServiceConfig:
     type: str
     model_name: str
-    use_llm_repository_url: bool
     ai_core_sk: str
+    use_llm_repository_url: bool
     temperature: float = 0.0
 
 
@@ -199,9 +199,14 @@ class ConfigSchema:
     report: ReportConfig = MISSING
     log_level: str = MISSING
     git_cache: str = MISSING
+    enabled_rules: List[str] = MISSING
     nvd_token: Optional[str] = None
     database: DatabaseConfig = DatabaseConfig(
-        user="postgres", password="example", host="db", port=5432, dbname="postgres"
+        user="postgres",
+        password="example",
+        host="db",
+        port=5432,
+        dbname="postgres",
     )
     llm_service: Optional[LLMServiceConfig] = None
     github_token: Optional[str] = None
@@ -232,6 +237,7 @@ def __init__(
         ping: bool,
         log_level: str,
         git_cache: str,
+        enabled_rules: List[str],
         ignore_refs: bool,
         llm_service: LLMServiceConfig,
     ):
@@ -256,6 +262,7 @@ def __init__(
         self.ping = ping
         self.log_level = log_level
         self.git_cache = git_cache
+        self.enabled_rules = enabled_rules
         self.ignore_refs = ignore_refs
 
 
@@ -291,6 +298,7 @@ def get_configuration(argv):
             report_filename=args.report_filename or conf.report.name,
             ping=args.ping,
             git_cache=conf.git_cache,
+            enabled_rules=conf.enabled_rules,
             log_level=args.log_level or conf.log_level,
             ignore_refs=args.ignore_refs,
         )