New_entries

CVE-2021-46904

description

In the Linux kernel, the following vulnerability has been resolved: net: hso: fix null-ptr-deref during tty device unregistration Multiple ttys try to claim the same the minor number causing a double unregistration of the same device. The first unregistration succeeds but the next one results in a null-ptr-deref. The get_free_serial_index() function returns an available minor number but doesnt assign it immediately. The assignment is done by the caller later. But before this assignment, calls to get_free_serial_index() would return the same minor number. Fix this by modifying get_free_serial_index to assign the minor number immediately after one is found to be and rename it to obtain_minor() to better reflect what it does. Similary, rename set_serial_by_index() to release_minor() and modify it to free up the minor number of the given hso_serial. Every obtain_minor() should have corresponding release_minor() call.

description

在Linux内核中,已解决以下漏洞:net:hso:fix在tty设备注销期间修复null ptr deref多个tty试图声明相同的次要编号,导致同一设备双重注销。第一次注销成功,但下一次注销会导致ptr defef为空。get_free_serial_index()函数返回一个可用的次要数字,但不会立即赋值。该分配稍后由调用方完成。但在此赋值之前,对get_free_serial_index()的调用将返回相同的次要数字。通过修改get_free_serial_index来解决这个问题,在发现一个后立即分配次要编号,并将其重命名为获取次要编号(),以更好地反映它的作用。类似地,将set_serial_by_index()重命名为release_minor(),并对其进行修改以释放给定hso_serial的次要编号。每个获取minor()都应该有相应的release_minor()调用。

cvss epss percentile
None 0.04% 10.59%

references

CVE-2021-46905

description

In the Linux kernel, the following vulnerability has been resolved: net: hso: fix NULL-deref on disconnect regression Commit 8a12f8836145 (“net: hso: fix null-ptr-deref during tty device unregistration”) fixed the racy minor allocation reported by syzbot, but introduced an unconditional NULL-pointer dereference on every disconnect instead. Specifically, the serial device table must no longer be accessed after the minor has been released by hso_serial_tty_unregister().

description

在Linux内核中,已解决以下漏洞:net:hso:fix NULL deref on disconnect regression Commit 8a12f8836145(“net:hso:fix NULL ptr deref during tty device unregistration”)修复了syzbot报告的racy次要分配,但在每次断开连接时引入了无条件的NULL指针取消引用。具体而言,在hso_serial_tty_unregister()释放次要设备后,不得再访问串行设备表。

cvss epss percentile
None 0.04% 8.10%

references

CVE-2022-48626

description

In the Linux kernel, the following vulnerability has been resolved: moxart: fix potential use-after-free on remove path It was reported that the mmc host structure could be accessed after it was freed in moxart_remove(), so fix this by saving the base register of the device and using it instead of the pointer dereference.

description

在Linux内核中,已解决以下漏洞:moxart:fix在remove path上释放后的潜在使用据报道,mmc主机结构在moxart_remove()中释放后可以访问,因此通过保存设备的基寄存器并使用它而不是指针解引用来修复此问题。

cvss epss percentile
None 0.04% 10.59%

references

CVE-2023-52465

description

In the Linux kernel, the following vulnerability has been resolved: power: supply: Fix null pointer dereference in smb2_probe devm_kasprintf and devm_kzalloc return a pointer to dynamically allocated memory which can be NULL upon failure.

description

在Linux内核中,已解决以下漏洞:电源:修复smb2_probe devm_kasprintf中的空指针取消引用,devm_kzalloc返回一个指向动态分配内存的指针,该指针在失败时可能为空。

cvss epss percentile
None 0.04% 12.26%

references

CVE-2023-52466

description

In the Linux kernel, the following vulnerability has been resolved: PCI: Avoid potential out-of-bounds read in pci_dev_for_each_resource() Coverity complains that pointer in the pci_dev_for_each_resource() may be wrong, i.e., might be used for the out-of-bounds read. There is no actual issue right now because we have another check afterwards and the out-of-bounds read is not being performed. In any case its better code with this fixed, hence the proposed change. As Jonas pointed out “It probably makes the code slightly less performant as res will now be checked for being not NULL (which will always be true), but I doubt it will be significant (or in any hot paths).”

description

在Linux内核中,已解决以下漏洞:PCI:避免PCI_dev_for_each_resource()中潜在的越界读取。Coverity抱怨PCI_dev-for_each-resource()的指针可能是错误的,即可能用于越界读取。现在没有实际问题,因为我们之后还有另一次检查,并且没有执行越界读取。在任何情况下,它的更好的代码与此固定,因此提出了更改。正如Jonas所指出的,“这可能会使代码的性能稍微降低,因为现在将检查res是否为NULL(这将始终是真的),但我怀疑它是否有意义(或在任何热路径中)。”

cvss epss percentile
None 0.04% 12.26%

references

CVE-2023-52467

description

In the Linux kernel, the following vulnerability has been resolved: mfd: syscon: Fix null pointer dereference in of_syscon_register() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure.

description

在Linux内核中,已解决以下漏洞:mfd:syscon:修复of_syscon_register()中的空指针取消引用kasprintf()返回一个指向动态分配内存的指针,该指针在失败时可能为null。

cvss epss percentile
None 0.04% 8.10%

references

CVE-2023-52468

description

In the Linux kernel, the following vulnerability has been resolved: class: fix use-after-free in class_register() The lock_class_key is still registered and can be found in lock_keys_hash hlist after subsys_private is freed in error handler path.A task who iterate over the lock_keys_hash later may cause use-after-free.So fix that up and unregister the lock_class_key before kfree(cp). On our platform, a driver fails to kset_register because of creating duplicate filename /class/xxx.With Kasan enabled, it prints a invalid-access bug report. KASAN bug report: BUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc Write of size 8 at addr 15ffff808b8c0368 by task modprobe/252 Pointer tag: [15], memory tag: [fe] CPU: 7 PID: 252 Comm: modprobe Tainted: G W 6.6.0-mainline-maybe-dirty #1 Call trace: dump_backtrace+0x1b0/0x1e4 show_stack+0x2c/0x40 dump_stack_lvl+0xac/0xe0 print_report+0x18c/0x4d8 kasan_report+0xe8/0x148 __hwasan_store8_noabort+0x88/0x98 lockdep_register_key+0x19c/0x1bc class_register+0x94/0x1ec init_module+0xbc/0xf48 [rfkill] do_one_initcall+0x17c/0x72c do_init_module+0x19c/0x3f8 … Memory state around the buggy address: ffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a ffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe >ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ^ ffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 As CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access not use-after-free here.In this case, modprobe is manipulating the corrupted lock_keys_hash hlish where lock_class_key is already freed before. Its worth noting that this only can happen if lockdep is enabled, which is not true for normal system.

description

在Linux内核中,已解决以下漏洞:class:fix在class_register()中修复释放后使用。在错误处理程序路径中释放subsys_private后,lock_class_key仍在注册,并且可以在lock_keys_hash-hlist中找到。稍后迭代lock_keys_hash的任务可能会在释放后导致使用。因此,修复此问题并在kfree(cp)之前注销lock_class_key。在我们的平台上,由于创建了重复的filename/class/xxx,驱动程序无法kset_register。启用Kasan后,它会打印一份无效的访问错误报告。KASAN错误报告:bug:KASAN:lockdep_register_key+0x19c/0x1bc中的访问无效任务modprobe/252在地址15ffff808b8c0368写入大小为8的指针标记:[15],内存标记:[fe]CPU:7 PID:252通信:modprobe已损坏:G W 6.6.0-主线-主机#1调用跟踪:dump_backtrace+0x1b0/0x1e4 show_stack+0x2c/0x40 dump_stack_lvl+0xac/0xe0 print_report+0x18c/0x4d8 kasan_report+0xe8/0x148 __hwasan_store8_noabort+0x88/0x98 lockdep_register_key+0x19c/0x1bc class_register+0x94/0x1ec init_module+0xbc/0xf48[rfkill]do_one_initcall+0x17c7c/0x72c do_init_module+0x19c/0x3f8。。。错误地址周围的内存状态:ffffff 808b8c0100:8a 8a 8a 8aa 8a 8a 8a 8c 8a fffffffff 808b8c0200:8a 8a8 8a 8a8 afe fe fe fe fe fe>ffffffff 806b8c0300:fe fe fe ffe fe fe fe fi ^ ffffffoff 808b8c0400:03 03 03 03 01 03 03 03 04 03 03 03 05 03 03 03由于CONFIG_KASAN_GENERIC未设置,KASAN报告无效访问在此免费后不使用。在这种情况下,modprobe正在处理损坏的lock_keys_hash-hlish,其中lock_class_key之前已经释放。值得注意的是,只有在启用lockdep的情况下才会发生这种情况,而正常系统则不然。

cvss epss percentile
None 0.04% 12.26%

references

CVE-2023-52469

description

In the Linux kernel, the following vulnerability has been resolved: drivers/amd/pm: fix a use-after-free in kv_parse_power_table When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control flow goes through the following call chains: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its first free in kv_parse_power_table and causes a use-after-free bug.

description

在Linux内核中,已解决以下漏洞:drivers/amd/pm:修复kv_parse_power_table中释放后的使用当kzalloc分配的ps等于NULL时,kv_parse_prower_table释放之前分配的adev->pm.dpm.ps。然而,在控制流经过以下调用链之后:kv_parse_power_table |->kv_dpm_init|->kv_dpm_sw_init|->kv_dpm_fini在kv_parse_prower_table中首次释放后,adev->pm.dpm.ps在kv_dpm_fili的for循环中使用,并导致释放后使用错误。

cvss epss percentile
None 0.04% 10.59%

references

CVE-2023-52470

description

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() check the alloc_workqueue return value in radeon_crtc_init() to avoid null-ptr-deref.

description

在Linux内核中,已解决以下漏洞:drm/radeon:检查rade_crtc_init()中的alloc_workqueue返回值检查rade_crtc_init(。

cvss epss percentile
None 0.04% 10.59%

references

CVE-2023-52471

description

In the Linux kernel, the following vulnerability has been resolved: ice: Fix some null pointer dereference issues in ice_ptp.c devm_kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure.

description

在Linux内核中,以下漏洞已得到解决:ice:修复了ice_ptp中的一些空指针取消引用问题。c devm_kasprintf()返回一个指向动态分配内存的指针,该指针在失败时可能为null。

cvss epss percentile
None 0.04% 6.87%

CVE-2023-52472

description

In the Linux kernel, the following vulnerability has been resolved: crypto: rsa - add a check for allocation failure Static checkers insist that the mpi_alloc() allocation can fail so add a check to prevent a NULL dereference. Small allocations like this cant actually fail in current kernels, but adding a check is very simple and makes the static checkers happy.

description

在Linux内核中,已解决以下漏洞:crypto:rsa-添加分配失败检查静态检查程序坚持认为mpi_alloc()分配可能失败,因此添加检查以防止NULL解引用。在当前内核中,像这样的小分配实际上不会失败,但添加检查非常简单,可以让静态检查人员感到高兴。

cvss epss percentile
None 0.04% 12.26%

references

CVE-2023-52473

description

In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix NULL pointer dereference in zone registration error path If device_register() in thermal_zone_device_register_with_trips() returns an error, the tz variable is set to NULL and subsequently dereferenced in kfree(tz->tzp). Commit adc8749b150c (“thermal/drivers/core: Use put_device() if device_register() fails”) added the tz = NULL assignment in question to avoid a possible double-free after dropping the reference to the zone device. However, after commit 4649620d9404 (“thermal: core: Make thermal_zone_device_unregister() return after freeing the zone”), that assignment has become redundant, because dropping the reference to the zone device does not cause the zone object to be freed any more. Drop it to address the NULL pointer dereference.

description

在Linux内核中,已解决以下漏洞:thermal:core:修复区域注册错误路径中的NULL指针取消引用。如果thermal_zone_device_register_with_trips()中的device_register()返回错误,则tz变量设置为NULL,随后在kfree中取消引用(tz->tzp)。提交adc8749b150c(“thermal/drivers/core:如果device_register()失败,请使用put_device()”)添加了有问题的tz=NULL赋值,以避免在删除对区域设备的引用后可能出现双重空闲。但是,在提交4649620d9404(“thermal:core:使thermal_zone_device_unregister()在释放区域后返回”)之后,该分配已变得多余,因为删除对区域设备的引用不会再释放区域对象。将其删除以解决NULL指针取消引用的问题。

cvss epss percentile
None 0.04% 12.26%

references

CVE-2024-0435

description

User can send a chat that contains an XSS opportunity that will then run when the chat is sent and on subsequent page loads. Given the minimum requirement for a user to send a chat is to be given access to a workspace via an admin the risk is low. Additionally, the location in which the XSS renders is only limited to the user who submits the XSS. Ultimately, this attack is limited to the user attacking themselves. There is no anonymous chat submission unless the user does not take the minimum steps required to protect their instance.

description

用户可以发送包含XSS机会的聊天,该机会将在发送聊天时运行,并在随后的页面加载中运行。考虑到用户发送聊天的最低要求是通过管理员访问工作空间,风险很低。此外,XSS呈现的位置仅限于提交XSS的用户。最终,这种攻击仅限于用户攻击自己。除非用户没有采取保护其实例所需的最低步骤,否则不会提交匿名聊天。

cvss epss percentile
8.1 HIGH None None

references

CVE-2024-0436

description

Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing attack given the linear nature of the !== used for comparison. The risk is minified by the additional overhead of the request, which varies in a non-constant nature making the attack less reliable to execute

description

从理论上讲,考虑到“!==”的线性性质,攻击者有可能在单用户密码保护模式下通过定时攻击强行破解实例的密码用于比较。请求的额外开销以非恒定的性质变化,使攻击执行起来不太可靠,从而降低了风险

cvss epss percentile
7.1 HIGH 0.04% 6.87%

references

CVE-2024-0439

description

As a manager, you should not be able to modify a series of settings. In the UI this is indeed hidden as a convenience for the role since most managers would not be savvy enough to modify these settings. They can use their token to still modify those settings though through a standard HTTP request While this is not a critical vulnerability, it does indeed need to be patched to enforce the expected permission level.

description

作为管理者,您不应该能够修改一系列设置。在用户界面中,这确实是为了方便角色而隐藏的,因为大多数经理都不够精明,无法修改这些设置。尽管通过标准HTTP请求,他们仍然可以使用令牌修改这些设置。虽然这不是一个关键漏洞,但确实需要对其进行修补,以强制执行预期的权限级别。

cvss epss percentile
7.1 HIGH 0.04% 6.87%

references

CVE-2024-0440

description

Attacker, with permission to submit a link or submits a link via POST to be collected that is using the file:// protocol can then introspect host files and other relatively stored files.

description

攻击者有权提交链接或通过POST提交使用file://协议收集的链接,然后可以内省主机文件和其他相对存储的文件。

cvss epss percentile
None 0.04% 6.87%

CVE-2024-0455

description

The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance which is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it. The user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper iptable or firewall rule is not configured for their setup.

description

AnythingLLM的web scraper的包含意味着任何具有适当授权级别的用户(管理员、管理员以及单个用户)都可以将URL“”http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance“”是一个特殊的IP和URL,只有当请求来自EC2实例时才能解析。这将允许用户查看其特定实例的连接/机密凭据,并能够对其进行管理,而不管是谁部署的。用户必须预先了解目标实例部署在其上的托管基础设施,但如果在EC2上,并且没有为其设置配置适当的“iptable”或防火墙规则,则如果发送,则会解决问题。

cvss epss percentile
9.9 CRITICAL 0.04% 6.87%

references

CVE-2024-0798

description

A user with a default role given to them by the admin can sent DELETE HTTP requests to remove-folder and remove-document to delete folders and source files from the instance even when their role should explicitly not allow this action on the system.

description

具有管理员赋予的“默认”角色的用户可以向“删除文件夹”和“删除文档”发送“删除”HTTP请求,以从实例中删除文件夹和源文件,即使他们的角色明确不允许在系统上执行此操作。

cvss epss percentile
None 0.04% 6.87%

CVE-2024-1875

description

A vulnerability was found in SourceCodester Complaint Management System 1.0 and classified as critical. This issue affects some unknown processing of the file users/register-complaint.php of the component Lodge Complaint Section. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254723.

description

在SourceCodester投诉管理系统1.0中发现一个漏洞,并将其归类为严重漏洞。此问题影响了对组件Lodge complaint Section的users/register-comment.php文件的一些未知处理。这种操作会导致不受限制的上传。攻击可以远程启动。该漏洞已向公众公开,并可能被利用。此漏洞的关联标识符为VDB-254723。

cvss epss percentile
6.3 MEDIUM 0.04% 12.26%

references

CVE-2024-27350

description

Amazon Fire OS 7 before 7.6.6.9 and 8 before 8.1.0.3 allows Fire TV applications to establish local ADB (Android Debug Bridge) connections. NOTE: some third parties dispute whether this has security relevance, because an ADB connection is only possible after the (non-default) ADB Debugging option is enabled, and after the initiator of that specific connection attempt has been approved via a full-screen prompt.

description

亚马逊Fire操作系统7.6.6.9之前的7和8.1.0.3之前的8允许Fire TV应用程序建立本地ADB(Android调试桥)连接。注:一些第三方对这是否具有安全相关性表示质疑,因为只有在启用(非默认)ADB调试选项后,以及在通过全屏提示批准特定连接尝试的发起人后,才能进行ADB连接。

cvss epss percentile
None 0.04% 12.26%

references

CVE-2024-27359

description

Certain WithSecure products allow a Denial of Service because the engine scanner can go into an infinite loop when processing an archive file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, WithSecure Linux Security 64 12.0, WithSecure Linux Protection 12.0, and WithSecure Atlant 1.0.35-1.

description

某些WithSecure产品允许拒绝服务,因为引擎扫描程序在处理存档文件时可能会进入无限循环。这会影响WithSecure Client Security 15、WithSecure Server Security 15、WithSecure Email and Server Security 15,WithSecure Elements Endpoint Protection 17及更高版本,WithSecure Client Protection for Mac 15,WithSecurity Elements Endpoints Protection for Mac 17及更新版本,WithSecurity Linux Security 64 12.0、WithSecure Linux Protection 12.0和WithSecure Atlant 1.0.35-1。

cvss epss percentile
None 0.04% 6.87%

references

Modified_entries

CVE-2024-25189

description

libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.

description

libjwt 1.15.3使用strcmp(不是恒定时间)来验证身份验证,这使得通过定时侧通道绕过身份验证变得更容易。

cvss epss percentile
None 0.11% 41.88%

references