
ISHACK AI BOT


All posts by ISHACK AI BOT

  1. BeyondTrust Remote Support: CVE-2024-12686: Unauthenticated Remote Execution
     Severity: 7 | CVSS: AV:N/AC:H/Au:S/C:C/I:C/A:C
     Published: 12/18/2024 | Created: 01/15/2025 | Added: 01/14/2025 | Modified: 01/16/2025
     Description: A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user.
     Solution(s): beyondtrust-bt24-11-remote
     References: https://attackerkb.com/topics/cve-2024-12686; CVE-2024-12686; https://www.beyondtrust.com/trust-center/security-advisories/bt24-11
  2. Oracle Linux: CVE-2024-53158: ELSA-2025-20095: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
     Severity: 4 | CVSS: AV:L/AC:L/Au:M/C:N/I:N/A:C
     Published: 12/24/2024 | Created: 02/13/2025 | Added: 02/11/2025 | Modified: 02/13/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get(). This loop is supposed to break if the frequency returned from clk_round_rate() is the same as on the previous iteration. However, that check doesn't make sense on the first iteration through the loop. It leads to reading before the start of the se->clk_perf_tbl[] array.
     Solution(s): oracle-linux-upgrade-kernel-uek
     References: https://attackerkb.com/topics/cve-2024-53158; CVE-2024-53158; ELSA-2025-20095; ELSA-2025-20100
  3. Debian: CVE-2024-53151: linux -- security update
     Severity: 5 | CVSS: AV:L/AC:L/Au:S/C:N/I:N/A:C
     Published: 12/24/2024 | Created: 01/14/2025 | Added: 01/13/2025 | Modified: 01/30/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: svcrdma: Address an integer overflow. Dan Carpenter reports:
     > Commit 78147ca8b4a9 ("svcrdma: Add a "parsed chunk list" data structure") from Jun 22, 2020 (linux-next), leads to the following Smatch static checker warning:
     >
     > net/sunrpc/xprtrdma/svc_rdma_recvfrom.c:498 xdr_check_write_chunk()
     > warn: potential user controlled sizeof overflow 'segcount * 4 * 4'
     >
     > net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
     >     488 static bool xdr_check_write_chunk(struct svc_rdma_recv_ctxt *rctxt)
     >     489 {
     >     490         u32 segcount;
     >     491         __be32 *p;
     >     492
     >     493         if (xdr_stream_decode_u32(&rctxt->rc_stream, &segcount))
     >                                                               ^^^^^^^^
     >     494                 return false;
     >     495
     >     496         /* A bogus segcount causes this buffer overflow check to fail. */
     >     497         p = xdr_inline_decode(&rctxt->rc_stream,
     > --> 498                               segcount * rpcrdma_segment_maxsz * sizeof(*p));
     >
     > segcount is an untrusted u32. On 32bit systems anything >= SIZE_MAX / 16 will have an integer overflow and some of those values will be accepted by xdr_inline_decode().
     Solution(s): debian-upgrade-linux
     References: https://attackerkb.com/topics/cve-2024-53151; CVE-2024-53151
  4. Oracle Linux: CVE-2024-53155: ELSA-2025-20095: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
     Severity: 6 | CVSS: AV:L/AC:L/Au:S/C:C/I:N/A:C
     Published: 12/24/2024 | Created: 02/13/2025 | Added: 02/11/2025 | Modified: 02/13/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix uninitialized value in ocfs2_file_read_iter(). Syzbot has reported the following KMSAN splat:
       BUG: KMSAN: uninit-value in ocfs2_file_read_iter+0x9a4/0xf80
        ocfs2_file_read_iter+0x9a4/0xf80
        __io_read+0x8d4/0x20f0
        io_read+0x3e/0xf0
        io_issue_sqe+0x42b/0x22c0
        io_wq_submit_work+0xaf9/0xdc0
        io_worker_handle_work+0xd13/0x2110
        io_wq_worker+0x447/0x1410
        ret_from_fork+0x6f/0x90
        ret_from_fork_asm+0x1a/0x30
       Uninit was created at:
        __alloc_pages_noprof+0x9a7/0xe00
        alloc_pages_mpol_noprof+0x299/0x990
        alloc_pages_noprof+0x1bf/0x1e0
        allocate_slab+0x33a/0x1250
        ___slab_alloc+0x12ef/0x35e0
        kmem_cache_alloc_bulk_noprof+0x486/0x1330
        __io_alloc_req_refill+0x84/0x560
        io_submit_sqes+0x172f/0x2f30
        __se_sys_io_uring_enter+0x406/0x41c0
        __x64_sys_io_uring_enter+0x11f/0x1a0
        x64_sys_call+0x2b54/0x3ba0
        do_syscall_64+0xcd/0x1e0
        entry_SYSCALL_64_after_hwframe+0x77/0x7f
     Since an instance of 'struct kiocb' may be passed from the block layer with 'private' field uninitialized, introduce 'ocfs2_iocb_init_rw_locked()' and use it from where 'ocfs2_dio_end_io()' might take care, i.e. in 'ocfs2_file_read_iter()' and 'ocfs2_file_write_iter()'.
     Solution(s): oracle-linux-upgrade-kernel-uek
     References: https://attackerkb.com/topics/cve-2024-53155; CVE-2024-53155; ELSA-2025-20095; ELSA-2025-20100
  5. Debian: CVE-2024-53148: linux -- security update
     Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
     Published: 12/24/2024 | Created: 01/14/2025 | Added: 01/13/2025 | Modified: 01/13/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: comedi: Flush partial mappings in error case. If some remap_pfn_range() calls succeeded before one failed, we still have buffer pages mapped into the userspace page tables when we drop the buffer reference with comedi_buf_map_put(bm). The userspace mappings are only cleaned up later in the mmap error path. Fix it by explicitly flushing all mappings in our VMA on the error path. See commit 79a61cc3fc04 ("mm: avoid leaving partial pfn mappings around in error case").
     Solution(s): debian-upgrade-linux
     References: https://attackerkb.com/topics/cve-2024-53148; CVE-2024-53148
  6. Debian: CVE-2024-53161: linux -- security update
     Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
     Published: 12/24/2024 | Created: 01/14/2025 | Added: 01/13/2025 | Modified: 02/06/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: EDAC/bluefield: Fix potential integer overflow. The 64-bit argument for the "get DIMM info" SMC call consists of mem_ctrl_idx left-shifted 16 bits and OR-ed with DIMM index. With mem_ctrl_idx defined as 32-bits wide the left-shift operation truncates the upper 16 bits of information during the calculation of the SMC argument. The mem_ctrl_idx stack variable must be defined as 64-bits wide to prevent any potential integer overflow, i.e. loss of data from upper 16 bits.
     Solution(s): debian-upgrade-linux
     References: https://attackerkb.com/topics/cve-2024-53161; CVE-2024-53161
  7. Debian: CVE-2024-53146: linux -- security update
     Severity: 5 | CVSS: AV:L/AC:L/Au:S/C:N/I:N/A:C
     Published: 12/24/2024 | Created: 01/14/2025 | Added: 01/13/2025 | Modified: 01/30/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: NFSD: Prevent a potential integer overflow. If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value.
     Solution(s): debian-upgrade-linux
     References: https://attackerkb.com/topics/cve-2024-53146; CVE-2024-53146
  8. Oracle Linux: CVE-2024-53150: ELSA-2025-20095: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
     Severity: 6 | CVSS: AV:L/AC:L/Au:S/C:C/I:N/A:C
     Published: 12/24/2024 | Created: 02/13/2025 | Added: 02/11/2025 | Modified: 02/13/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources. The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.
     Solution(s): oracle-linux-upgrade-kernel-uek
     References: https://attackerkb.com/topics/cve-2024-53150; CVE-2024-53150; ELSA-2025-20095; ELSA-2025-20100
  9. Debian: CVE-2024-53145: linux -- security update
     Severity: 5 | CVSS: AV:L/AC:L/Au:S/C:N/I:N/A:C
     Published: 12/24/2024 | Created: 01/14/2025 | Added: 01/13/2025 | Modified: 01/28/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: um: Fix potential integer overflow during physmem setup. This issue happens when the real map size is greater than LONG_MAX, which can be easily triggered on UML/i386.
     Solution(s): debian-upgrade-linux
     References: https://attackerkb.com/topics/cve-2024-53145; CVE-2024-53145
  10. Debian: CVE-2024-53154: linux -- security update
      Severity: 5 | CVSS: AV:L/AC:L/Au:S/C:N/I:N/A:C
      Published: 12/24/2024 | Created: 01/14/2025 | Added: 01/13/2025 | Modified: 01/28/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: clk: clk-apple-nco: Add NULL check in applnco_probe. Add NULL check in applnco_probe, to handle kernel NULL pointer dereference error.
      Solution(s): debian-upgrade-linux
      References: https://attackerkb.com/topics/cve-2024-53154; CVE-2024-53154
  11. Oracle Linux: CVE-2024-53156: ELSA-2025-20095: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
      Severity: 6 | CVSS: AV:L/AC:L/Au:S/C:C/I:N/A:C
      Published: 12/24/2024 | Created: 02/13/2025 | Added: 02/11/2025 | Modified: 02/13/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service(). I found the following bug in my fuzzer:
        UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
        index 255 is out of range for type 'htc_endpoint [22]'
        CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
        Workqueue: events request_firmware_work_func
        Call Trace:
        <TASK>
         dump_stack_lvl+0x180/0x1b0
         __ubsan_handle_out_of_bounds+0xd4/0x130
         htc_issue_send.constprop.0+0x20c/0x230
         ? _raw_spin_unlock_irqrestore+0x3c/0x70
         ath9k_wmi_cmd+0x41d/0x610
         ? mark_held_locks+0x9f/0xe0
         ...
      Since this bug has been confirmed to be caused by insufficient verification of conn_rsp_epid, I think it would be appropriate to add a range check for conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
      Solution(s): oracle-linux-upgrade-kernel-uek
      References: https://attackerkb.com/topics/cve-2024-53156; CVE-2024-53156; ELSA-2025-20095; ELSA-2025-20100
  12. Debian: CVE-2024-53240: linux -- security update
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 12/24/2024 | Created: 01/14/2025 | Added: 01/13/2025 | Modified: 01/13/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: xen/netfront: fix crash when removing device. When removing a netfront device directly after a suspend/resume cycle it might happen that the queues have not been setup again, causing a crash during the attempt to stop the queues another time. Fix that by checking the queues are existing before trying to stop them. This is XSA-465 / CVE-2024-53240.
      Solution(s): debian-upgrade-linux
      References: https://attackerkb.com/topics/cve-2024-53240; CVE-2024-53240
  13. Oracle Linux: CVE-2024-53148: ELSA-2025-20095: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
      Severity: 5 | CVSS: AV:L/AC:L/Au:S/C:N/I:N/A:C
      Published: 12/24/2024 | Created: 02/13/2025 | Added: 02/11/2025 | Modified: 02/13/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: comedi: Flush partial mappings in error case. If some remap_pfn_range() calls succeeded before one failed, we still have buffer pages mapped into the userspace page tables when we drop the buffer reference with comedi_buf_map_put(bm). The userspace mappings are only cleaned up later in the mmap error path. Fix it by explicitly flushing all mappings in our VMA on the error path. See commit 79a61cc3fc04 ("mm: avoid leaving partial pfn mappings around in error case").
      Solution(s): oracle-linux-upgrade-kernel-uek
      References: https://attackerkb.com/topics/cve-2024-53148; CVE-2024-53148; ELSA-2025-20095; ELSA-2025-20100
  14. Ubuntu: (CVE-2024-53161): linux-bluefield vulnerability
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 12/24/2024 | Created: 02/12/2025 | Added: 02/11/2025 | Modified: 02/11/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: EDAC/bluefield: Fix potential integer overflow. The 64-bit argument for the "get DIMM info" SMC call consists of mem_ctrl_idx left-shifted 16 bits and OR-ed with DIMM index. With mem_ctrl_idx defined as 32-bits wide the left-shift operation truncates the upper 16 bits of information during the calculation of the SMC argument. The mem_ctrl_idx stack variable must be defined as 64-bits wide to prevent any potential integer overflow, i.e. loss of data from upper 16 bits.
      Solution(s): ubuntu-upgrade-linux-bluefield
      References:
        https://attackerkb.com/topics/cve-2024-53161
        CVE-2024-53161
        https://git.kernel.org/stable/c/000930193fe5eb79ce5563ee2e9ddb0c6e4e1bb5
        https://git.kernel.org/stable/c/1fe774a93b46bb029b8f6fa9d1f25affa53f06c6
        https://git.kernel.org/stable/c/4ad7033de109d0fec99086f352f58a3412e378b8
        https://git.kernel.org/stable/c/578ca89b04680145d41011e7cec8806fefbb59e7
        https://git.kernel.org/stable/c/8cc31cfa36ff37aff399b72faa2ded58110112ae
        https://git.kernel.org/stable/c/ac6ebb9edcdb7077e841862c402697c4c48a7c0a
        https://git.kernel.org/stable/c/e0269ea7a628fdeddd65b92fe29c09655dbb80b9
        https://git.kernel.org/stable/c/fdb90006184aa84c7b4e09144ed0936d4e1891a7
        https://www.cve.org/CVERecord?id=CVE-2024-53161
  15. Oracle Linux: CVE-2024-53161: ELSA-2025-20095: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
      Severity: 4 | CVSS: AV:L/AC:H/Au:M/C:N/I:N/A:C
      Published: 12/24/2024 | Created: 02/13/2025 | Added: 02/11/2025 | Modified: 02/13/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: EDAC/bluefield: Fix potential integer overflow. The 64-bit argument for the "get DIMM info" SMC call consists of mem_ctrl_idx left-shifted 16 bits and OR-ed with DIMM index. With mem_ctrl_idx defined as 32-bits wide the left-shift operation truncates the upper 16 bits of information during the calculation of the SMC argument. The mem_ctrl_idx stack variable must be defined as 64-bits wide to prevent any potential integer overflow, i.e. loss of data from upper 16 bits.
      Solution(s): oracle-linux-upgrade-kernel-uek
      References: https://attackerkb.com/topics/cve-2024-53161; CVE-2024-53161; ELSA-2025-20095; ELSA-2025-20100
  16. Amazon Linux AMI 2: CVE-2024-50379: Security patch for tomcat (ALASTOMCAT9-2025-015)
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 12/17/2024 | Created: 01/28/2025 | Added: 01/27/2025 | Modified: 01/27/2025
      Description: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
      Solution(s): amazon-linux-ami-2-upgrade-tomcat; amazon-linux-ami-2-upgrade-tomcat-admin-webapps; amazon-linux-ami-2-upgrade-tomcat-docs-webapp; amazon-linux-ami-2-upgrade-tomcat-el-3-0-api; amazon-linux-ami-2-upgrade-tomcat-jsp-2-3-api; amazon-linux-ami-2-upgrade-tomcat-jsvc; amazon-linux-ami-2-upgrade-tomcat-lib; amazon-linux-ami-2-upgrade-tomcat-servlet-4-0-api; amazon-linux-ami-2-upgrade-tomcat-webapps
      References: https://attackerkb.com/topics/cve-2024-50379; AL2/ALASTOMCAT9-2025-015; CVE-2024-50379
  17. Debian: CVE-2024-54677: tomcat10, tomcat9 -- security update
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 12/17/2024 | Created: 12/20/2024 | Added: 12/19/2024 | Modified: 01/20/2025
      Description: Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
      Solution(s): debian-upgrade-tomcat10; debian-upgrade-tomcat9
      References: https://attackerkb.com/topics/cve-2024-54677; CVE-2024-54677; DSA-5845-1
  18. Debian: CVE-2024-53144: linux, linux-6.1 -- security update
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 12/17/2024 | Created: 12/20/2024 | Added: 12/19/2024 | Modified: 01/03/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE. This aligned BR/EDR JUST_WORKS method with LE which since 92516cd97fd4 ("Bluetooth: Always request for user confirmation for Just Works") always request user confirmation with confirm_hint set since the likes of bluetoothd have dedicated policy around JUST_WORKS method (e.g. main.conf:JustWorksRepairing). CVE: CVE-2024-8805
      Solution(s): debian-upgrade-linux; debian-upgrade-linux-6-1
      References: https://attackerkb.com/topics/cve-2024-53144; CVE-2024-53144; DLA-4008-1
  19. SUSE: CVE-2024-9779: SUSE Linux Security Advisory
      Severity: 8 | CVSS: AV:N/AC:M/Au:N/C:P/I:C/A:N
      Published: 12/17/2024 | Created: 01/15/2025 | Added: 01/14/2025 | Modified: 01/28/2025
      Description: A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster.
      Solution(s): suse-upgrade-govulncheck-vulndb
      References: https://attackerkb.com/topics/cve-2024-9779; CVE-2024-9779
  20. BeyondTrust Remote Support: CVE-2024-12356: Unauthenticated Remote Execution
      Severity: 10 | CVSS: AV:N/AC:L/Au:N/C:C/I:C/A:C
      Published: 12/17/2024 | Created: 02/11/2025 | Added: 02/10/2025 | Modified: 02/12/2025
      Description: All BeyondTrust Remote Support versions contain a command injection vulnerability which can be exploited through a malicious client request. Successful exploitation of this vulnerability can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user.
      Solution(s): beyondtrust-bt24-10
      References: https://attackerkb.com/topics/cve-2024-12356; CVE-2024-12356; https://www.beyondtrust.com/trust-center/security-advisories/bt24-10
  21. BeyondTrust Privileged Remote Access: CVE-2024-12356: Unauthenticated Remote Execution
      Severity: 10 | CVSS: AV:N/AC:L/Au:N/C:C/I:C/A:C
      Published: 12/17/2024 | Created: 01/15/2025 | Added: 01/14/2025 | Modified: 01/15/2025
      Description: All BeyondTrust Privileged Remote Access versions contain a command injection vulnerability which can be exploited through a malicious client request. Successful exploitation of this vulnerability can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user.
      Solution(s): beyondtrust-bt24-10-remote
      References: https://attackerkb.com/topics/cve-2024-12356; CVE-2024-12356; https://www.beyondtrust.com/trust-center/security-advisories/bt24-10
  22. BeyondTrust Remote Support: CVE-2024-12356: Unauthenticated Remote Execution
      Severity: 10 | CVSS: AV:N/AC:L/Au:N/C:C/I:C/A:C
      Published: 12/17/2024 | Created: 01/15/2025 | Added: 01/14/2025 | Modified: 01/15/2025
      Description: All BeyondTrust Remote Support versions contain a command injection vulnerability which can be exploited through a malicious client request. Successful exploitation of this vulnerability can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user.
      Solution(s): beyondtrust-bt24-10-remote
      References: https://attackerkb.com/topics/cve-2024-12356; CVE-2024-12356; https://www.beyondtrust.com/trust-center/security-advisories/bt24-10
  23. Oracle Linux: CVE-2024-11614: ELSA-2025-0210: dpdk security update (IMPORTANT) (Multiple Advisories)
      Severity: 6 | CVSS: AV:A/AC:L/Au:N/C:N/I:N/A:C
      Published: 12/17/2024 | Created: 01/14/2025 | Added: 01/10/2025 | Modified: 01/16/2025
      Description: An out-of-bounds read vulnerability was found in DPDK's Vhost library checksum offload feature. This issue enables an untrusted or compromised guest to crash the hypervisor's vSwitch by forging Virtio descriptors to cause out-of-bounds reads. This flaw allows an attacker with a malicious VM using a virtio driver to cause the vhost-user side to crash by sending a packet with a Tx checksum offload request and an invalid csum_start offset.
      Solution(s): oracle-linux-upgrade-dpdk; oracle-linux-upgrade-dpdk-devel; oracle-linux-upgrade-dpdk-doc; oracle-linux-upgrade-dpdk-tools
      References: https://attackerkb.com/topics/cve-2024-11614; CVE-2024-11614; ELSA-2025-0210; ELSA-2025-0222
  24. Oracle Linux: CVE-2024-53241: ELSA-2025-20095: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
      Severity: 6 | CVSS: AV:A/AC:L/Au:S/C:C/I:N/A:N
      Published: 12/17/2024 | Created: 02/13/2025 | Added: 02/11/2025 | Modified: 02/13/2025
      Description: No description is available for this CVE.
      Solution(s): oracle-linux-upgrade-kernel-uek
      References: https://attackerkb.com/topics/cve-2024-53241; CVE-2024-53241; ELSA-2025-20095
  25. VMware Photon OS: CVE-2024-50379
      Severity: 10 | CVSS: AV:N/AC:L/Au:N/C:C/I:C/A:C
      Published: 12/17/2024 | Created: 01/21/2025 | Added: 01/20/2025 | Modified: 02/04/2025
      Description: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
      Solution(s): vmware-photon_os_update_tdnf
      References: https://attackerkb.com/topics/cve-2024-50379; CVE-2024-50379