redox-os v0.1.0 was discovered to contain a use-after-free bug via the gethostbyaddr() function at /src/header/netdb/mod.rs.
Category Archives: Advisories
USN-6054-1: Django vulnerability
Moataz Al-Sharida and nawaik discovered that Django incorrectly handled uploading multiple files using one form field. A remote attacker could possibly use this issue to bypass certain validations.
CVE-2022-30995
Sensitive information disclosure due to improper authentication. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.
CVE-2022-3405
Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.
Oracle WebLogic Server Vulnerability (CVE-2023-21839) added to CISA Known Exploited Vulnerabilities (KEV) Catalog
What is Oracle WebLogic?
Oracle WebLogic is an enterprise application server developed by Oracle. According to 6sense.com, the application server is used by thousands of companies, including AT&T, NTT Data and Verizon.
What is the attack?
The attack targets vulnerable Oracle WebLogic Server installations, specifically the component shipped in Oracle Fusion Middleware. The vulnerability is tracked as CVE-2023-21839 and allows unauthorized access to vulnerable servers via the T3 and IIOP protocols (Oracle proprietary protocol). The affected versions are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. The vulnerability has a CVSS base score of 7.5, and attack complexity is rated "low" in the vendor advisory.
Why is this significant?
On May 1st, 2023, CISA (Cybersecurity & Infrastructure Security Agency) added the Oracle WebLogic Server vulnerability (CVE-2023-21839) to its Known Exploited Vulnerabilities Catalog. Successful exploitation of the vulnerability allows an unauthenticated attacker to compromise a vulnerable Oracle WebLogic Server.
What is the vendor solution?
Oracle released a critical patch last January.
What is the FortiGuard Coverage?
FortiGuard Labs is currently investigating coverage for CVE-2023-21839.
SEC Consult SA-20230502-0 :: Bypassing cluster isolation through insecure defaults and shared storage in Databricks Platform
Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 02
SEC Consult Vulnerability Lab Security Advisory < 20230502-0 >
=======================================================================
title: Bypassing cluster isolation through insecure defaults and shared storage
product: Databricks Platform
vulnerable version: PaaS version as of 2023-01-26
fixed version: Current PaaS version
CVE number: –
impact: critical…
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
tinyproxy-1.8.4-2.el7
FEDORA-EPEL-2023-c1088e0644
Packages in this update:
tinyproxy-1.8.4-2.el7
Update description:
This updates tinyproxy to version 1.8.4, which, as released by upstream, fixes CVE-2012-3505. It also includes a backport from a newer upstream release to fix CVE-2017-11747.