Antonio Morales

Name of the Vulnerable Software and Affected Versions versions not specified Description Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint. The vulnerability exists due to a flaw in how order clauses are constructed, potentially allowing an attacker to inject malicious SQL code. The affected API endpoint is '/articles'. The vulnerability could allow an attacker to manipulate database queries through the `order` parameter. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Poppler versions prior to 25.10.0 **Description** Poppler is a library used for rendering PDF files and modifying their structure. A use-after-free (write) issue exists due to the use of raw pointers to elements within a `std::vector` in the `StructTreeRoot` class. This can result in dangling pointers when the vector is resized. The vulnerability originates from how `refToParentMap` stores references to `std::vector` elements using raw pointers, which become invalid upon vector resizing. A `std::vector` reallocates memory and moves elements when it reaches capacity, invalidating any previously stored raw pointers to those elements. **Recommendations** Update to Poppler version 25.10.0 or later.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the `extract cc from data` function within `qtdemux.c`. In the `FOURCC c708` case, the subtraction `atom length - 8` may result in an underflow if `atom length` is less than 8. When that subtraction underflows, `*cclen` ends up being a large number, and then `cclen` is passed to `g memdup2`, leading to an out-of-bounds (OOB) read. This issue may allow a remote attacker to access confidential information. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider restricting access to the `qtdemux.c` component until a patch is available. Avoid using the `extract cc from data` function in sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** The issue is related to an out-of-bounds read in the `gst wavparse cue chunk` function within `gstwavparse.c`. This occurs due to a discrepancy between the size of the data buffer and the size value provided to the function, causing a comparison to fail and allowing access beyond the bounds of the data buffer. The root cause is a miscalculation when clipping the chunk size based on upstream data size. This can lead to a crash or the leak of sensitive data. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider restricting access to the `gst wavparse cue chunk` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** The issue is related to an out-of-bounds (OOB) read in the `qtdemux parse svq3 stsd data` function within `qtdemux.c`. Specifically, in the `FOURCC SMI ` case, `seqh size` is read from the input file without proper validation. If `seqh size` is greater than the remaining size of the data buffer, it can lead to an OOB-read in the following call to `gst buffer fill`, which internally uses `memcpy`. This can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. **Recommendations** For GStreamer versions prior to 1.24.10, update to version 1.24.10 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `qtdemux parse svq3 stsd data` function until a patch is available. Avoid using the `seqh size` variable in the affected `qtdemux.c` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** A null pointer dereference vulnerability has been discovered in the `gst matroska demux parse blockgroup or simpleblock` function within `matroska-demux.c`. This function does not properly check the validity of the `*sub` pointer of `GstBuffer` before performing dereferences, which may result in null pointer dereferences. The vulnerability can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider disabling the `gst matroska demux parse blockgroup or simpleblock` function until a patch is available. Restrict access to the `matroska-demux.c` module to minimize the risk of exploitation. Avoid using the `GstBuffer` `*sub` pointer in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** The issue is related to an integer underflow in the `qtdemux parse trak` function within `qtdemux.c`. This underflow can occur during the strf parsing case when the subtraction size -= 40 results in a negative value if it is less than 40. As a consequence, the subsequent call to `gst buffer fill` invokes `memcpy` with a large copy size, leading to an out-of-bounds (OOB) read. This can potentially allow a remote attacker to execute arbitrary code. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `qtdemux parse trak` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** The issue is related to a null pointer dereference vulnerability in the `gst matroska demux add wvpk header` function. This vulnerability can be exploited by a remote attacker to cause a denial of service. The function does not properly check the validity of the `stream->codec priv` pointer, which can lead to a crash of the application if `stream->codec priv` is NULL. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 or later to resolve the issue. As a temporary workaround, consider disabling the `gst matroska demux add wvpk header` function until a patch is available. Restrict access to the `matroska-demux` component to minimize the risk of exploitation. Avoid using the `stream->codec priv` pointer in the affected code until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** The issue is related to an integer underflow in the `qtdemux parse theora extension` function within `qtdemux.c`. This underflow causes the `size` variable to hold a large unintended value when cast to an unsigned integer. The vulnerability leads to a situation where only 0x89 bytes are allocated, despite the large input size, resulting in the data from the input file overwriting the content of the `GstMapInfo` info structure. This can cause a function pointer hijack, allowing an attacker to alter the execution flow of the program and potentially leading to arbitrary code execution. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider restricting the use of the `qtdemux parse theora extension` function until a patch is available. Avoid using the `gst buffer new and alloc` function with large input sizes until the issue is resolved. Restrict access to the `gst memory unmap` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** The issue is related to an integer overflow in the memory reallocation process. The program attempts to reallocate memory to accommodate a certain number of elements, but if the value read from the input file is large enough, it can lead to an integer overflow during the addition. As a consequence, the memory allocation might be significantly smaller than intended, potentially causing an out-of-bounds write when the program iterates through the elements and attempts to write to the allocated memory. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider restricting the input file size to prevent large values from being read and causing the integer overflow. Additionally, restrict access to the `stream->samples` memory area to minimize the risk of exploitation until the update is applied.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** The issue is related to a null pointer dereference vulnerability in the `gst jpeg dec negotiate` function. This vulnerability can be exploited by a remote attacker to cause a Denial of Service (DoS) by triggering a segmentation fault. The vulnerability occurs because the `gst jpeg dec negotiate` function does not check for a NULL return value from `gst video decoder set output state`, leading to null pointer dereferences. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 or later to resolve the issue. As a temporary workaround, consider disabling the `gst jpeg dec negotiate` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** A null pointer dereference has been discovered in the `id3v2 read synch uint` function, located in id3v2.c. If `id3v2 read synch uint` is called with a null `work->hdr.frame data`, the pointer `guint8 *data` is accessed without validation, resulting in a null pointer dereference. This issue can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider disabling the `id3v2 read synch uint` function until a patch is available. Restrict access to the `id3v2.c` module to minimize the risk of exploitation. Avoid using the `work->hdr.frame data` parameter in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** A null pointer dereference issue has been identified in the `parse lrc` function within `gstsubparse.c`. This function calls `strchr()` to find the character `']'` in the string line. If the string line does not contain the character `']'`, `strchr()` returns `NULL`, and a subsequent call to `g strdup(start + 1)` leads to a null pointer dereference. This issue can be exploited to cause a denial of service. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider disabling the `parse lrc` function until a patch is available. Restrict access to the vulnerable `gstsubparse.c` module to minimize the risk of exploitation. Avoid using the `parse lrc` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** The issue is related to a use-after-free vulnerability in the GStreamer multimedia framework. This vulnerability is associated with the processing of CodecPrivate elements in Matroska streams. Specifically, in the GST MATROSKA ID CODECPRIVATE case within the `gst matroska demux parse stream` function, a data chunk is allocated using `gst ebml read binary`. Later, the allocated memory is freed in the `gst matroska track free` function through the call to `g free` (`track->codec priv`). However, the freed memory is accessed in the `caps serialize` function through `gst value serialize buffer`, resulting in a use-after-free read vulnerability. This occurs because the function attempts to process memory that has already been freed. **Recommendations** For GStreamer versions prior to 1.24.10, update to version 1.24.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the `gst matroska demux parse stream` function and the `gst value serialize buffer` function until a patch is available. Avoid using the `gst ebml read binary` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** A vulnerability has been identified in the `gst wavparse smpl chunk` function within `gstwavparse.c`. This function attempts to read 4 bytes from the data + 12 offset without checking if the size of the data buffer is sufficient. If the buffer is too small, the function reads beyond its bounds, resulting in an out-of-bounds read. This issue may allow a remote attacker to cause a denial of service. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider restricting the use of the `gst wavparse smpl chunk` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** The issue is related to an out-of-bounds read vulnerability in the `parse ds64` function within `gstwavparse.c`. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. The `parse ds64` function does not check that the buffer `buf` contains sufficient data before attempting to read from it, doing multiple `GST READ UINT32 LE` operations without performing boundary checks. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider restricting access to the `parse ds64` function within `gstwavparse.c` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** The issue is related to a function `gst wavparse adtl chunk` in the GStreamer multimedia framework, which is associated with an out-of-bounds read in memory. This can be exploited by a remote attacker to cause a denial of service. The vulnerability arises due to insufficient validation of the size parameter, potentially leading to reading up to 4 GB of process memory or causing a segmentation fault when accessing invalid memory. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider restricting access to the `gst wavparse adtl chunk` function within `gstwavparse.c` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** The issue is related to an out-of-bounds (OOB) read vulnerability in the `gst avi subtitle parse gab2 chunk` function within `gstavisubtitle.c`. This function reads the `name length` value directly from the input file without proper checking, leading to an integer overflow when `name length` is greater than 0xFFFFFFFF - 17. As a result, the function attempts to access memory beyond the buffer, causing an OOB-read. This could allow a remote attacker to cause a denial of service. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider restricting the use of the `gst avi subtitle parse gab2 chunk` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** A null pointer dereference vulnerability has been identified in the `gst gdk pixbuf dec flush` function within `gstgdkpixbufdec.c`. This function invokes `memcpy`, using `out pix` as the destination address. `out pix` is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can point to a NULL frame, causing the subsequent call to `memcpy` to attempt writing to the null address (0x00), leading to a null pointer dereference. This can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). **Recommendations** Update to version 1.24.10 to fix the vulnerability. As a temporary workaround, consider disabling the `gst gdk pixbuf dec flush` function until a patch is available. Restrict access to the `gstgdkpixbufdec.c` module to minimize the risk of exploitation. Avoid using the `out pix` variable in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.24.10 **Description** A stack-buffer overflow has been detected in the `gst opus dec parse header` function within `gstopusdec.c`. The `pos` array is a stack-allocated buffer of size 64. If `n channels` exceeds 64, the for loop will write beyond the boundaries of the `pos` array. The value written will always be `GST AUDIO CHANNEL POSITION NONE`. This bug allows overwriting the EIP address allocated in the stack. **Recommendations** For versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider restricting the value of `n channels` to 64 or less to prevent the stack-buffer overflow until a patch is available. Restrict access to the `gst opus dec parse header` function to minimize the risk of exploitation.