Sandipan Roy

**Nome do Software Vulnerável e Versões Afetadas** Linux kernel (versões afetadas não especificadas) **Descrição** Um problema existe nos subsistemas xfrm-ESP e RxRPC do kernel Linux envolvendo o processamento criptográfico in-place inseguro de fragmentos de buffer de socket compartilhados. Especificamente, quando o `MSG SPLICE PAGES` anexa páginas de um pipe diretamente a um `skb`, os caminhos de anexo de datagrama IPv4/IPv6 não definem a flag `SKBFL SHARED FRAG` ao realizar o splicing de páginas em `skbs` UDP. Isso faz com que pacotes ESP-in-UDP feitos de páginas de pipe compartilhadas sejam tratados como `skbs` não lineares não clonados comuns, levando a entrada ESP a usar um caminho rápido no-COW e descriptografar in-place sobre dados que não são de propriedade privada do `skb`. Esta operação fora dos limites permite que um invasor local de baixo privilégio corrompa o conteúdo do cache de página de arquivos legíveis, incluindo arquivos sensíveis do sistema, resultando potencialmente na escalação de privilégios para root. A variante xfrm-ESP requer a criação de um usuário não privilegiado ou namespace de rede, enquanto a variante RxRPC depende da disponibilidade do módulo `rxrpc` no sistema alvo. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha a correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** oFono (affected versions not specified) **Description** A flaw in the oFono interface for working with mobile connectivity is related to a buffer overflow in the `decode deliver()` function during SMS decoding. This issue can be exploited by a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The attack scenario is assumed to be accessible from a compromised modem, a malicious base station, or via SMS. A bound check for the `memcpy` length in `decode submit()` was forgotten in `decode deliver()`, leading to the stack overflow bug. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GnuTLS (affected versions not specified) **Description** A vulnerability was found related to the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange, which differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue is associated with information disclosure through inconsistency. Exploitation of the vulnerability may allow a remote attacker to access confidential data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 3Scale Admin Portal (affected versions not specified) **Description** A flaw was found in 3Scale Admin Portal. If a user logs out from the personal tokens page and then presses the back button in the browser, the tokens page is rendered from the browser cache, potentially allowing an attacker to disclose protected information. **Recommendations** As a temporary workaround, consider clearing the browser cache after logging out from the personal tokens page to minimize the risk of exploitation. Restrict access to the personal tokens page until a patch is available. Avoid using the back button in the browser after logging out from the personal tokens page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Hot Rod client versions (affected versions not specified) Netty versions (affected versions not specified) **Description** A security issue occurs as the Hot Rod client and Netty do not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack. This issue can allow a remote attacker to execute a man-in-the-middle attack. **Recommendations** For Hot Rod client, enable hostname validation when using TLS to prevent man-in-the-middle attacks. For Netty, users are advised to enable host name validation in their configurations by setting the protocol to "HTTPS" in the SSLParameters of the SSLEngine. A change in default behavior is expected in the `5.x` release branch with no backport planned.

**Name of the Vulnerable Software and Affected Versions** OpenSC (affected versions not specified) **Description** A security flaw in OpenSC causes a buffer overrun vulnerability in `pkcs15` `cardos have verifyrc package`. An attacker can supply a smart card package with malformed ASN1 context. The `cardos have verifyrc package` function scans the ASN1 buffer for 2 tags, where the remaining length is wrongly calculated due to a moved starting pointer. This leads to a possible heap-based buffer out of bounds read. In cases where ASAN is enabled while compiling, this causes a crash. Further information leak or more damage is possible. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** quarkus-core (affected versions not specified) **Description** A vulnerability was found in the implementation of the TLS protocol in the Quarkus Java framework. This issue is related to the insufficient reliability of encryption when using the quarkus.http.ssl.protocols configuration. The vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, allowing a client to force the selection of a weaker supported TLS protocol. This could potentially allow a remote attacker to gain unauthorized access to protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenLDAP (affected versions not specified) **Description** The issue is related to a null pointer dereference in the `ber memalloc x()` function. This can be exploited by a remote attacker to cause a denial of service. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. The technical details about exploitation include a null pointer dereference in the `ber memalloc x()` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ofono (affected versions not specified) **Description** A flaw was found in ofono, an Open Source Telephony on Linux, where a stack overflow bug is triggered within the `decode status report()` function during SMS decoding. The attack scenario is assumed to be accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for the `memcpy` length in `decode submit()`, but it was forgotten in `decode status report()`. This vulnerability may allow a remote attacker to access confidential data, disrupt its integrity, and cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ofono (affected versions not specified) **Description** A flaw was found in ofono, an Open Source Telephony on Linux, where a stack overflow bug is triggered within the `decode deliver report()` function during SMS decoding. This issue is related to the parsing of SMS PDUs and can be exploited remotely without requiring authentication. The attack scenario is assumed to be accessible from a compromised modem, a malicious base station, or via SMS. A bound check for the `memcpy` length was forgotten in `decode deliver report()`, unlike in `decode submit()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** oFono (affected versions not specified) **Description** A flaw in oFono, an Open Source Telephony on Linux, is related to a stack overflow bug triggered within the `decode submit report()` function during SMS decoding in PDU format. This issue may allow a remote attacker to execute arbitrary code. The attack scenario is assumed to be accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for the `memcpy` length in `decode submit()`, but it was forgotten in `decode submit report()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ofono (affected versions not specified) **Description** A flaw was found in ofono, an Open Source Telephony on Linux, where a stack overflow bug is triggered within the `sms decode address field()` function during the SMS PDU decoding. This issue can be exploited remotely, potentially allowing an attacker to execute arbitrary code. The attack scenario is assumed to be accessible from a compromised modem, a malicious base station, or just SMS. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libtiff (affected versions not specified) **Description** A security flaw in the libtiff library causes a heap buffer overflow in the `extractContigSamples32bits()` function, located in tiffcrop.c. This issue can be exploited by an attacker using specially crafted data, potentially leading to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Undertow (affected versions not specified) **Description** The undertow client does not check the server identity presented by the server certificate in https connections, which is a compulsory step that should be performed by default in https and http/2. This issue affects the TLS client protocol. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Quarkus (affected versions not specified) **Description** The issue is related to the Quarkus Form Authentication session cookie Path attribute being set to `/`, which may lead to a cross-site attack and potentially result in Information Disclosure. This can be prevented by using the Quarkus CSRF Prevention feature. The vulnerability is also associated with a lack of protection for the web page structure, which could allow a remote attacker to conduct a cross-site scripting (XSS) attack. **Recommendations** As a temporary workaround, consider using the Quarkus CSRF Prevention feature to prevent cross-site attacks. Restrict access to the Quarkus Form Authentication session cookie to minimize the risk of exploitation. Avoid setting the Path attribute of the Quarkus Form Authentication session cookie to `/` until a more secure configuration is implemented.

**Nome do software vulnerável e versões afetadas** codeplex-codehaus (versões afetadas não especificadas) Bamboo Data Center e Server, versões 9.2.1 a 9.2.7 **Descrição** Foi encontrada uma falha no codeplex-codehaus, permitindo que um ataque de traversal de diretório acesse arquivos e diretórios armazenados fora da pasta pretendida. Ao manipular arquivos com sequências `../` e suas variações ou ao usar caminhos absolutos de arquivos, pode ser possível acessar arquivos e diretórios arbitrários armazenados no sistema de arquivos, incluindo código-fonte de aplicativos, configuração e outros arquivos críticos do sistema. **Recomendações** Para as versões 9.2.1 a 9.2.7 do Bamboo Data Center e Server, atualize para uma versão igual ou superior à 9.2.8. Como solução alternativa temporária, considere restringir o acesso a arquivos e diretórios confidenciais para minimizar o risco de exploração. Evite usar caminhos absolutos de arquivos nos pontos de extremidade da API afetados até que o problema seja resolvido. Restrinja o acesso ao módulo vulnerável para minimizar o risco de exploração.

**Nome do software vulnerável e versões afetadas** nss (versões afetadas não especificadas) **Descrição** Uma falha de segurança no nss pode causar a falha da autenticação do cliente quando não há certificado de usuário no banco de dados, podendo levar a uma falha de segmentação ou à queda do sistema. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Undertow (versões afetadas não especificadas) **Descrição** Foi identificada uma falha no Undertow que permite um ataque de negação de serviço, uma vez que o servidor Undertow aguarda indefinidamente o LAST CHUNK para invocações EJB. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Undertow (versões afetadas não especificadas) **Descrição** Foi identificada uma falha no Undertow relacionada ao gerenciamento do controle de fluxo pelo navegador via HTTP/2, o que pode causar sobrecarga ou uma negação de serviço no servidor. Esse problema se deve a uma correção incompleta de uma falha de segurança anterior. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Undertow (versões afetadas não especificadas) JBoss EAP 7 **Descrição** Foi encontrada uma falha no Undertow, na qual, para uma resposta AJP 400, o JBoss EAP 7 envia indevidamente dois pacotes de resposta com o sinalizador de reutilização definido, mesmo que a conexão esteja fechada. Isso leva a uma falha quando a conexão é reutilizada após uma resposta 400 por CPING, pois ele lê o segundo pacote de resposta SEND HEADERS em vez de um CPONG. **Recomendações** Para o JBoss EAP 7, considere desativar a reutilização de conexões após uma resposta AJP 400 como uma solução temporária até que um patch esteja disponível. Restrinja o acesso ao protocolo AJP para minimizar o risco de exploração. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.