ISHACK AI BOT

Microsoft Edge Chromium: CVE-2024-9603 Type Confusion in V8 Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/08/2024 Created 10/12/2024 Added 10/11/2024 Modified 01/28/2025 Description Type Confusion in V8 in Google Chrome prior to 129.0.6668.100 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2024-9603 CVE - 2024-9603 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-9603

Rocky Linux: CVE-2024-43484: .NET-8.0 (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 10/08/2024 Created 11/05/2024 Added 11/04/2024 Modified 01/28/2025 Description .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability Solution(s) rocky-upgrade-aspnetcore-runtime-6.0 rocky-upgrade-aspnetcore-runtime-8.0 rocky-upgrade-aspnetcore-runtime-dbg-8.0 rocky-upgrade-aspnetcore-targeting-pack-6.0 rocky-upgrade-aspnetcore-targeting-pack-8.0 rocky-upgrade-dotnet rocky-upgrade-dotnet-apphost-pack-6.0 rocky-upgrade-dotnet-apphost-pack-6.0-debuginfo rocky-upgrade-dotnet-apphost-pack-8.0 rocky-upgrade-dotnet-apphost-pack-8.0-debuginfo rocky-upgrade-dotnet-host rocky-upgrade-dotnet-host-debuginfo rocky-upgrade-dotnet-hostfxr-6.0 rocky-upgrade-dotnet-hostfxr-6.0-debuginfo rocky-upgrade-dotnet-hostfxr-8.0 rocky-upgrade-dotnet-hostfxr-8.0-debuginfo rocky-upgrade-dotnet-runtime-6.0 rocky-upgrade-dotnet-runtime-6.0-debuginfo rocky-upgrade-dotnet-runtime-8.0 rocky-upgrade-dotnet-runtime-8.0-debuginfo rocky-upgrade-dotnet-runtime-dbg-8.0 rocky-upgrade-dotnet-sdk-6.0 rocky-upgrade-dotnet-sdk-6.0-debuginfo rocky-upgrade-dotnet-sdk-6.0-source-built-artifacts rocky-upgrade-dotnet-sdk-8.0 rocky-upgrade-dotnet-sdk-8.0-debuginfo rocky-upgrade-dotnet-sdk-8.0-source-built-artifacts rocky-upgrade-dotnet-sdk-dbg-8.0 rocky-upgrade-dotnet-targeting-pack-6.0 rocky-upgrade-dotnet-targeting-pack-8.0 rocky-upgrade-dotnet-templates-6.0 rocky-upgrade-dotnet-templates-8.0 rocky-upgrade-dotnet6.0-debuginfo rocky-upgrade-dotnet6.0-debugsource rocky-upgrade-dotnet8.0-debuginfo rocky-upgrade-dotnet8.0-debugsource rocky-upgrade-netstandard-targeting-pack-2.1 References https://attackerkb.com/topics/cve-2024-43484 CVE - 2024-43484 https://errata.rockylinux.org/RLSA-2024:7851 https://errata.rockylinux.org/RLSA-2024:7867 https://errata.rockylinux.org/RLSA-2024:7868 https://errata.rockylinux.org/RLSA-2024:7869

Rocky Linux: CVE-2024-38229: .NET-8.0 (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/08/2024 Created 11/05/2024 Added 11/04/2024 Modified 01/28/2025 Description .NET and Visual Studio Remote Code Execution Vulnerability Solution(s) rocky-upgrade-aspnetcore-runtime-8.0 rocky-upgrade-aspnetcore-runtime-dbg-8.0 rocky-upgrade-aspnetcore-targeting-pack-8.0 rocky-upgrade-dotnet rocky-upgrade-dotnet-apphost-pack-8.0 rocky-upgrade-dotnet-apphost-pack-8.0-debuginfo rocky-upgrade-dotnet-host rocky-upgrade-dotnet-host-debuginfo rocky-upgrade-dotnet-hostfxr-8.0 rocky-upgrade-dotnet-hostfxr-8.0-debuginfo rocky-upgrade-dotnet-runtime-8.0 rocky-upgrade-dotnet-runtime-8.0-debuginfo rocky-upgrade-dotnet-runtime-dbg-8.0 rocky-upgrade-dotnet-sdk-8.0 rocky-upgrade-dotnet-sdk-8.0-debuginfo rocky-upgrade-dotnet-sdk-8.0-source-built-artifacts rocky-upgrade-dotnet-sdk-dbg-8.0 rocky-upgrade-dotnet-targeting-pack-8.0 rocky-upgrade-dotnet-templates-8.0 rocky-upgrade-dotnet8.0-debuginfo rocky-upgrade-dotnet8.0-debugsource rocky-upgrade-netstandard-targeting-pack-2.1 References https://attackerkb.com/topics/cve-2024-38229 CVE - 2024-38229 https://errata.rockylinux.org/RLSA-2024:7868 https://errata.rockylinux.org/RLSA-2024:7869

Microsoft Windows: CVE-2024-37983: Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability Severity 7 CVSS (AV:L/AC:L/Au:M/C:C/I:C/A:C) Published 10/08/2024 Created 10/09/2024 Added 10/08/2024 Modified 12/10/2024 Description Microsoft Windows: CVE-2024-37983: Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability Solution(s) microsoft-windows-windows_10-1507-kb5044286 microsoft-windows-windows_10-1607-kb5044293 microsoft-windows-windows_10-1809-kb5044277 microsoft-windows-windows_10-21h2-kb5044273 microsoft-windows-windows_10-22h2-kb5044273 microsoft-windows-windows_11-21h2-kb5044280 microsoft-windows-windows_11-22h2-kb5044285 microsoft-windows-windows_11-23h2-kb5044285 microsoft-windows-windows_11-24h2-kb5044284 microsoft-windows-windows_server_2012-kb5044342 microsoft-windows-windows_server_2012_r2-kb5044343 microsoft-windows-windows_server_2016-1607-kb5044293 microsoft-windows-windows_server_2019-1809-kb5044277 microsoft-windows-windows_server_2022-21h2-kb5044281 microsoft-windows-windows_server_2022-22h2-kb5044281 microsoft-windows-windows_server_2022-23h2-kb5044288 References https://attackerkb.com/topics/cve-2024-37983 CVE - 2024-37983 https://support.microsoft.com/help/5044273 https://support.microsoft.com/help/5044277 https://support.microsoft.com/help/5044280 https://support.microsoft.com/help/5044281 https://support.microsoft.com/help/5044284 https://support.microsoft.com/help/5044285 https://support.microsoft.com/help/5044286 https://support.microsoft.com/help/5044288 https://support.microsoft.com/help/5044293 https://support.microsoft.com/help/5044342 https://support.microsoft.com/help/5044343 View more

Microsoft Windows: CVE-2024-43615: Microsoft OpenSSH for Windows Remote Code Execution Vulnerability Severity 7 CVSS (AV:N/AC:H/Au:S/C:C/I:C/A:C) Published 10/08/2024 Created 10/09/2024 Added 10/08/2024 Modified 11/12/2024 Description Microsoft Windows: CVE-2024-43615: Microsoft OpenSSH for Windows Remote Code Execution Vulnerability Solution(s) microsoft-windows-windows_10-1809-kb5044277 microsoft-windows-windows_10-21h2-kb5044273 microsoft-windows-windows_10-22h2-kb5044273 microsoft-windows-windows_11-21h2-kb5044280 microsoft-windows-windows_11-22h2-kb5044285 microsoft-windows-windows_11-23h2-kb5044285 microsoft-windows-windows_11-24h2-kb5044284 microsoft-windows-windows_server_2019-1809-kb5044277 microsoft-windows-windows_server_2022-21h2-kb5044281 microsoft-windows-windows_server_2022-22h2-kb5044281 microsoft-windows-windows_server_2022-23h2-kb5044288 References https://attackerkb.com/topics/cve-2024-43615 CVE - 2024-43615 https://support.microsoft.com/help/5044273 https://support.microsoft.com/help/5044277 https://support.microsoft.com/help/5044280 https://support.microsoft.com/help/5044281 https://support.microsoft.com/help/5044284 https://support.microsoft.com/help/5044285 https://support.microsoft.com/help/5044288 View more

Microsoft Windows: CVE-2024-43565: Windows Network Address Translation (NAT) Denial of Service Vulnerability Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 10/08/2024 Created 10/09/2024 Added 10/08/2024 Modified 11/12/2024 Description Microsoft Windows: CVE-2024-43565: Windows Network Address Translation (NAT) Denial of Service Vulnerability Solution(s) microsoft-windows-windows_10-1507-kb5044286 microsoft-windows-windows_10-1607-kb5044293 microsoft-windows-windows_10-1809-kb5044277 microsoft-windows-windows_10-21h2-kb5044273 microsoft-windows-windows_10-22h2-kb5044273 microsoft-windows-windows_11-21h2-kb5044280 microsoft-windows-windows_11-22h2-kb5044285 microsoft-windows-windows_11-23h2-kb5044285 microsoft-windows-windows_11-24h2-kb5044284 microsoft-windows-windows_server_2016-1607-kb5044293 microsoft-windows-windows_server_2019-1809-kb5044277 microsoft-windows-windows_server_2022-21h2-kb5044281 microsoft-windows-windows_server_2022-22h2-kb5044281 microsoft-windows-windows_server_2022-23h2-kb5044288 References https://attackerkb.com/topics/cve-2024-43565 CVE - 2024-43565 https://support.microsoft.com/help/5044273 https://support.microsoft.com/help/5044277 https://support.microsoft.com/help/5044280 https://support.microsoft.com/help/5044281 https://support.microsoft.com/help/5044284 https://support.microsoft.com/help/5044285 https://support.microsoft.com/help/5044286 https://support.microsoft.com/help/5044288 https://support.microsoft.com/help/5044293 View more

Debian: CVE-2024-43364: cacti -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/07/2024 Created 02/13/2025 Added 02/12/2025 Modified 02/12/2025 Description Cacti is an open source performance and fault management framework. The `title` parameter is not properly sanitized when saving external links in links.php . Morever, the said title parameter is stored in the database and reflected back to user in index.php, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `title` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) debian-upgrade-cacti References https://attackerkb.com/topics/cve-2024-43364 CVE - 2024-43364 DLA-4048-1 DSA-5862-1

Huawei EulerOS: CVE-2024-47814: vim security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/07/2024 Created 01/16/2025 Added 01/15/2025 Modified 01/15/2025 Description Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) huawei-euleros-2_0_sp9-upgrade-vim-common huawei-euleros-2_0_sp9-upgrade-vim-enhanced huawei-euleros-2_0_sp9-upgrade-vim-filesystem huawei-euleros-2_0_sp9-upgrade-vim-minimal References https://attackerkb.com/topics/cve-2024-47814 CVE - 2024-47814 EulerOS-SA-2025-1066

Alma Linux: CVE-2024-31227: Moderate: redis:7 security update (ALSA-2024-10869) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/07/2024 Created 12/11/2024 Added 12/10/2024 Modified 12/10/2024 Description Redis is an open source, in-memory database that persists on disk. An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7 prior to versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) alma-upgrade-redis alma-upgrade-redis-devel alma-upgrade-redis-doc References https://attackerkb.com/topics/cve-2024-31227 CVE - 2024-31227 https://errata.almalinux.org/9/ALSA-2024-10869.html

Alma Linux: CVE-2024-31228: Important: redis:6 security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/07/2024 Created 12/11/2024 Added 12/10/2024 Modified 01/30/2025 Description Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) alma-upgrade-redis alma-upgrade-redis-devel alma-upgrade-redis-doc References https://attackerkb.com/topics/cve-2024-31228 CVE - 2024-31228 https://errata.almalinux.org/8/ALSA-2025-0595.html https://errata.almalinux.org/9/ALSA-2024-10869.html https://errata.almalinux.org/9/ALSA-2025-0693.html

Oracle Linux: CVE-2024-31228: ELSA-2024-10869:redis:7 security update (MODERATE) (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 10/07/2024 Created 12/10/2024 Added 12/07/2024 Modified 02/05/2025 Description Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. A flaw was found in Redis. This flaw allows authenticated users to trigger a denial of service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST`, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes. Solution(s) oracle-linux-upgrade-redis oracle-linux-upgrade-redis-devel oracle-linux-upgrade-redis-doc References https://attackerkb.com/topics/cve-2024-31228 CVE - 2024-31228 ELSA-2024-10869 ELSA-2025-0595 ELSA-2025-0693

Red Hat: CVE-2024-31449: redis: Lua library commands may lead to stack overflow and RCE in Redis (Multiple Advisories) Severity 6 CVSS (AV:L/AC:H/Au:S/C:C/I:C/A:C) Published 10/07/2024 Created 01/24/2025 Added 01/23/2025 Modified 02/10/2025 Description Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) redhat-upgrade-redis redhat-upgrade-redis-debuginfo redhat-upgrade-redis-debugsource redhat-upgrade-redis-devel redhat-upgrade-redis-doc References CVE-2024-31449 RHSA-2024:10869 RHSA-2025:0595 RHSA-2025:0693

Red Hat: CVE-2024-31228: redis: Denial-of-service due to unbounded pattern matching in Redis (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 10/07/2024 Created 01/24/2025 Added 01/23/2025 Modified 02/10/2025 Description Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) redhat-upgrade-redis redhat-upgrade-redis-debuginfo redhat-upgrade-redis-debugsource redhat-upgrade-redis-devel redhat-upgrade-redis-doc References CVE-2024-31228 RHSA-2024:10869 RHSA-2025:0595 RHSA-2025:0693

Debian: CVE-2024-31228: redis -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/07/2024 Created 12/03/2024 Added 12/02/2024 Modified 12/02/2024 Description Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) debian-upgrade-redis References https://attackerkb.com/topics/cve-2024-31228 CVE - 2024-31228 DLA-3973-1

Alma Linux: CVE-2024-31449: Important: redis:6 security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/07/2024 Created 12/11/2024 Added 12/10/2024 Modified 01/30/2025 Description Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) alma-upgrade-redis alma-upgrade-redis-devel alma-upgrade-redis-doc References https://attackerkb.com/topics/cve-2024-31449 CVE - 2024-31449 https://errata.almalinux.org/8/ALSA-2025-0595.html https://errata.almalinux.org/9/ALSA-2024-10869.html https://errata.almalinux.org/9/ALSA-2025-0693.html

Debian: CVE-2024-43363: cacti -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/07/2024 Created 02/13/2025 Added 02/12/2025 Modified 02/12/2025 Description Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) debian-upgrade-cacti References https://attackerkb.com/topics/cve-2024-43363 CVE - 2024-43363 DLA-4048-1 DSA-5862-1

Debian: CVE-2024-31227: redis -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/07/2024 Created 01/14/2025 Added 01/13/2025 Modified 01/13/2025 Description Redis is an open source, in-memory database that persists on disk. An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7 prior to versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) debian-upgrade-redis References https://attackerkb.com/topics/cve-2024-31227 CVE - 2024-31227

Debian: CVE-2024-31449: redis -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/07/2024 Created 01/14/2025 Added 01/13/2025 Modified 01/13/2025 Description Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) debian-upgrade-redis References https://attackerkb.com/topics/cve-2024-31449 CVE - 2024-31449

Oracle Linux: CVE-2024-31449: ELSA-2024-10869:redis:7 security update (MODERATE) (Multiple Advisories) Severity 6 CVSS (AV:L/AC:H/Au:S/C:C/I:C/A:C) Published 10/07/2024 Created 12/10/2024 Added 12/07/2024 Modified 02/05/2025 Description Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. A flaw was found in Redis. This flaw allows an authenticated user to use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. Solution(s) oracle-linux-upgrade-redis oracle-linux-upgrade-redis-devel oracle-linux-upgrade-redis-doc References https://attackerkb.com/topics/cve-2024-31449 CVE - 2024-31449 ELSA-2024-10869 ELSA-2025-0595 ELSA-2025-0693

Huawei EulerOS: CVE-2024-47814: vim security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/07/2024 Created 01/15/2025 Added 01/14/2025 Modified 01/14/2025 Description Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) huawei-euleros-2_0_sp10-upgrade-vim-common huawei-euleros-2_0_sp10-upgrade-vim-enhanced huawei-euleros-2_0_sp10-upgrade-vim-filesystem huawei-euleros-2_0_sp10-upgrade-vim-minimal References https://attackerkb.com/topics/cve-2024-47814 CVE - 2024-47814 EulerOS-SA-2025-1033

FreeBSD: VID-79B1F4EE-860A-11EF-B2DC-CBCCBF25B7EA: gitea -- token missing access control for packages Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/06/2024 Created 10/12/2024 Added 10/11/2024 Modified 10/11/2024 Description Problem Description: Fix bug when a token is given public only Solution(s) freebsd-upgrade-package-gitea

FreeBSD: VID-FE7031D3-3000-4B43-9FA6-52C2B624B8F9: zeek -- potential DoS vulnerability Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/05/2024 Created 10/08/2024 Added 10/06/2024 Modified 10/06/2024 Description Tim Wojtulewicz of Corelight reports: Adding to the POP3 hardening in 7.0.2, the parser now simply discards too many pending commands, rather than any attempting to process them. Further, invalid server responses do not result in command completion anymore. Processing out-of-order commands or finishing commands based on invalid server responses could result in inconsistent analyzer state, potentially triggering null pointer references for crafted traffic. Solution(s) freebsd-upgrade-package-zeek

Amazon Linux AMI 2: CVE-2024-47850: Security patch for cups-filters (ALAS-2024-2656) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/04/2024 Created 11/05/2024 Added 11/04/2024 Modified 11/04/2024 Description CUPS cups-browsed before 2.5b1 will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added, a different vulnerability than CVE-2024-47176. (The request is meant to probe the new printer but can be used to create DDoS amplification attacks.) Solution(s) amazon-linux-ami-2-upgrade-cups-filters amazon-linux-ami-2-upgrade-cups-filters-debuginfo amazon-linux-ami-2-upgrade-cups-filters-devel amazon-linux-ami-2-upgrade-cups-filters-libs References https://attackerkb.com/topics/cve-2024-47850 AL2/ALAS-2024-2656 CVE - 2024-47850

Microsoft Edge Chromium: CVE-2024-7025 Integer overflow in Layout Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/04/2024 Created 10/05/2024 Added 10/04/2024 Modified 01/28/2025 Description Integer overflow in Layout in Google Chrome prior to 129.0.6668.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2024-7025 CVE - 2024-7025 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-7025

Jenkins Advisory 2024-11-27: CVE-2024-47855: Denial of service vulnerability in bundled json-lib Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/04/2024 Created 11/29/2024 Added 11/28/2024 Modified 11/28/2024 Description util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string. Solution(s) jenkins-lts-upgrade-2_479_2 jenkins-upgrade-2_487 References https://attackerkb.com/topics/cve-2024-47855 CVE - 2024-47855 https://jenkins.io/security/advisory/2024-11-27/