Alan Coopersmith

**Name of the Vulnerable Software and Affected Versions** MongoDB Server versions prior to 8.2.3 MongoDB Server versions prior to 8.0.17 MongoDB Server versions prior to 7.0.28 MongoDB Server versions prior to 6.0.27 MongoDB Server versions prior to 5.0.32 MongoDB Server versions prior to 4.4.30 MongoDB Server versions 4.2.0 and earlier MongoDB Server versions 4.0.0 and earlier MongoDB Server versions 3.6.0 and earlier **Description** An issue exists in the handling of Zlib compressed protocol headers where mismatched length fields can allow an unauthenticated remote attacker to read uninitialized heap memory. This occurs because the server may return the size of the allocated memory buffer instead of the actual length of the decompressed data during the decompression logic that runs before authentication. This can lead to the exposure of sensitive information, such as passwords, API keys, session tokens, and other in-memory secrets. Approximately 87,000 MongoDB servers are estimated to be exposed to the internet and potentially vulnerable, with 42% of cloud environments containing at least one vulnerable instance. Real-world exploitation has been reported, including claims of a breach at Ubisoft affecting Rainbow Six Siege, where attackers allegedly used this flaw to leak memory and pivot into internal systems. **Recommendations** Upgrade to version 8.2.3 or newer. Upgrade to version 8.0.17 or newer. Upgrade to version 7.0.28 or newer. Upgrade to version 6.0.27 or newer. Upgrade to version 5.0.32 or newer. Upgrade to version 4.4.30 or newer. For versions 4.2, 4.0, and 3.6, upgrade to a supported version or isolate the instances via firewall. As a temporary mitigation, disable zlib compression by setting `net.compression.compressors` to `snappy,zstd` or `disabled` in the configuration, or use the `networkMessageCompressors` parameter. Restrict MongoDB server exposure through firewall rules, implementing private networking or VPC-only access to ensure databases are not publicly accessible.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions prior to 17.5, 16.9, 15.13, 14.18, and 13.21 **Description** The vulnerability is related to a buffer over-read in PostgreSQL's GB18030 encoding validation. This issue allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. The vulnerability affects the database server and also libpq. An attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service. **Recommendations** To resolve the issue, update to the latest patched version of PostgreSQL, which includes versions 17.5, 16.9, 15.13, 14.18, and 13.21. Specifically: - For versions prior to 17.5, update to version 17.5 or later. - For versions prior to 16.9, update to version 16.9 or later. - For versions prior to 15.13, update to version 15.13 or later. - For versions prior to 14.18, update to version 14.18 or later. - For versions prior to 13.21, update to version 13.21 or later.

Name of the Vulnerable Software and Affected Versions: GNOME GLib versions prior to 2.82.1 Description: The issue is related to an off-by-one error and resultant buffer overflow in the `gio/gsocks4aproxy.c` component of GNOME GLib. This occurs because `SOCKS4 CONN MSG LEN` is not sufficient for a trailing `0` character. The vulnerability is associated with uncontrolled copying of input data, which could allow a remote attacker to cause a denial of service. Despite being marked as critical, exploitation of this issue in real-world scenarios is considered highly unlikely. Recommendations: For GNOME GLib versions prior to 2.82.1, update to version 2.82.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable `gio/gsocks4aproxy.c` component until a patch is applied. Avoid using the `SOCKS4 CONN MSG LEN` variable in affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CPython (affected versions not specified) **Description** The issue is related to regular expressions used in tarfile.TarFile header parsing, which can cause excessive backtracking and are vulnerable to ReDoS via specifically-crafted tar archives. This can lead to a denial of service. The vulnerability is associated with incorrect syntax analysis of the file header. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intel Xeon processors (4th or 5th generation) **Description** The issue is related to hardware logic with insecure de-synchronization in Intel DSA and Intel IAA, which may allow an authorized user to potentially enable escalation of privilege or denial of service via local access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xorg-server (affected versions not specified) **Description** A heap-based buffer over-read issue was found in the X.org server's `ProcAppleDRICreatePixmap()` function. This occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, especially when triggered by a client with different endianness. An attacker could exploit this to cause the X server to read heap memory values and transmit them back to the client until encountering an unmapped page, resulting in a crash. Although the attacker cannot control the specific memory copied into the replies, small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. This could allow an attacker to access confidential data, compromise their integrity, and cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GNOME VTE versions prior to 0.76.3 **Description** The issue allows an attacker to cause a denial of service, specifically memory consumption, via a window resize escape sequence. This is related to a historical issue. **Recommendations** For versions prior to 0.76.3, update to version 0.76.3 or later to resolve the issue. As a temporary workaround, consider restricting the processing of window resize escape sequences until a patch is available.

**Name of the Vulnerable Software and Affected Versions** libxml2 versions 2.11.5 and earlier **Description** The issue is related to a use-after-free vulnerability in the `xmlUnlinkNode` function, located in `tree.c`, which can occur after a certain memory allocation fails. This could potentially allow a remote attacker to cause a denial of service. The vendor has stated that they do not consider this issue critical enough to warrant a fix because an attacker typically cannot control when memory allocations fail. **Recommendations** For libxml2 versions 2.11.5 and earlier, as a temporary workaround, consider disabling the `xmlUnlinkNode` function until a patch is available. Restrict access to the `tree.c` module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libX11 versions prior to 1.8.6 **Description** A security flaw was found in libX11 due to functions in src/InitExt.c not checking if the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to. This can lead to memory corruption, potentially causing the client to crash, if a malicious server or proxy-in-the-middle provides out-of-bounds values. The issue is related to buffer overflows in InitExt.c. **Recommendations** For libX11 versions prior to 1.8.6, update to version 1.8.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable `src/InitExt.c` functions until a patch is available. Avoid using the `Request`, `Event`, or `Error` IDs in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** libXpm (affected versions not specified) **Description** A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the `PATH` environment variable. This could potentially allow an attacker to execute arbitrary code with elevated privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcroco versions 0.6.13 and earlier **Description** The issue is related to the `cr parser parse any core` function in the `cr-parser.c` component of the libcroco library, which is used for working with cascading style sheets (css2). It is associated with uncontrolled recursion. Exploitation of this issue may allow a remote attacker to compromise data integrity and cause a denial of service. **Recommendations** For libcroco versions 0.6.13 and earlier, consider disabling the `cr parser parse any core` function as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xorg-x11-server versions prior to 1.19.5 **Description** The issue is related to an integer overflow in the `ProcDbeGetVisualInfo` function, which could allow a malicious X client to cause the X server to crash or possibly execute arbitrary code. **Recommendations** For versions prior to 1.19.5, update to version 1.19.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** libXfont versions prior to 1.4.9 libXfont versions 1.5.x prior to 1.5.1 **Description** The issue is related to the `bdfReadCharacters` function in `bitmap/bdfread.c`, which does not properly perform type conversion for metrics values. This allows remote authenticated users to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via a crafted BDF font file. **Recommendations** For libXfont versions prior to 1.4.9, update to version 1.4.9 or later. For libXfont versions 1.5.x prior to 1.5.1, update to version 1.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** libXfont versions 1.1 through 1.4.6 **Description** The issue is related to a stack-based buffer overflow in the `bdfReadCharacters` function, which can be triggered by a long string in a character name in a BDF font file. This can cause a denial of service (crash) or possibly allow remote attackers to execute arbitrary code. Multiple vulnerabilities in the libXfont package can lead to violations of confidentiality, integrity, and availability of protected information, and these vulnerabilities can be exploited remotely. **Recommendations** For libXfont versions 1.1 through 1.4.6, update to version 1.4.7 or later to resolve the issue.