Cedric Buissart

**Name of the Vulnerable Software and Affected Versions** JSS (affected versions not specified) **Description** A flaw was found in JSS, where it did not properly free up all memory. Over time, the wasted memory builds up in the server memory, saturating the server’s RAM. This flaw allows an attacker to force the invocation of an out-of-memory process, causing a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ghostscript (affected versions not specified) **Description** A trivial sandbox escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. The vulnerability can be exploited by injecting a specially crafted pipe command, allowing a remote attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SSSD (affected versions not specified) **Description** The issue is related to the sssctl command in the SSSD service, which lacks input sanitization measures. This allows a remote attacker to exploit the vulnerability, potentially gaining access to confidential data, disrupting data integrity, and causing a denial of service. The flaw is specifically found in the logs-fetch and cache-expire subcommands, which are vulnerable to shell command injection. This could trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this issue is to confidentiality, integrity, as well as system availability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat Satellite tfm-rubygem-foreman ansible versions prior to 4.0.3.4 **Description** A flaw in Red Hat Satellite's Job Invocation allows a malicious user to scan through the invocation, potentially searching for passwords and other sensitive data due to improper restriction of the "User Input" entry. **Recommendations** For tfm-rubygem-foreman ansible versions prior to 4.0.3.4, update to version 4.0.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the Job Invocation feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** dmg2img versions through 20170502 **Description** A flaw was found in dmg2img where it did not validate the size of the read buffer during memcpy() inside the main() function. This possibly leads to memory layout information leaking in the data, which might be used in a chain of vulnerability to reach code execution. The exploitation of this flaw could allow a remote attacker to access confidential data and cause a denial of service. **Recommendations** For versions through 20170502, as a temporary workaround, consider restricting the use of the main() function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dmg2img versions through 20170502 **Description** A flaw was found in the `fill mishblk()` function, which does not check the length of the read buffer and copies 0xCC bytes from it. The length of the buffer is controlled by an attacker, allowing for a potential memory layout information leak by providing a length smaller than 0xCC, causing `memcpy` to reach out of the malloc'ed bound. This could be used in a chain of vulnerabilities to reach code execution. The exploitation of this flaw may allow a remote attacker to access confidential data and cause a denial of service. **Recommendations** For versions through 20170502, consider disabling the `fill mishblk()` function until a patch is available to prevent potential memory layout information leaks and code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 389-ds-base versions prior to 0.56.7 **Description** A flaw was found in slapi-nis that could allow an unauthenticated attacker to crash the 389-ds-base directory server due to a NULL pointer dereference during the parsing of the Binding DN. The highest threat from this issue is to system availability. This could be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 0.56.7, update to version 0.56.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the slapi-nis component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Nettle versions prior to 3.7.2 **Description** A flaw was found in the Nettle signature verification functions, including GOST DSA, EDDSA, and ECDSA, where the Elliptic Curve Cryptography point multiply function is called with out-of-range scalers, possibly resulting in incorrect results. This allows an attacker to force an invalid signature, causing an assertion failure or possible validation issues. The highest threat to this vulnerability is to confidentiality, integrity, and system availability. An attacker may exploit this vulnerability by inputting an invalid signature, potentially allowing them to execute arbitrary code. **Recommendations** For versions prior to 3.7.2, update to version 3.7.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable signature verification functions until a patch is available. Avoid using the `GOST DSA`, `EDDSA`, and `ECDSA` functions in sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** 389-ds-base (affected versions not specified) **Description** The issue allows an unauthenticated attacker to check the existence of an entry in the LDAP database by exploiting the different replies from 389-ds-base when binding against a DN during authentication. This can lead to the disclosure of information and potentially allow a remote attacker to access confidential data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0 **Description** A flaw was found in the "Leaf and Chain" OCSP policy implementation where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle. **Recommendations** For JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, consider disabling the "Leaf and Chain" OCSP policy until a patch is available to prevent implicit trust of the root certificate. Restrict access to applications using this policy to minimize the risk of exploitation. Avoid using the affected CryptoManager versions in sensitive environments until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ghostscript versions 9.x before 9.50 **Description** A flaw in the .setuserparams2 procedure of Ghostscript allows scripts to bypass `-dSAFER` restrictions by not properly securing its privileged calls. This enables a specially crafted PostScript file to disable security protection, access the file system, or execute arbitrary commands. The issue is related to the incorrect use of privileged APIs, which can be exploited by a remote attacker to execute arbitrary commands or access the file system, bypassing the restrictions imposed by `-dSAFER`. **Recommendations** For Ghostscript versions 9.x before 9.50, update to version 9.50 or later to resolve the issue. As a temporary workaround, consider disabling the use of the `.setuserparams2` procedure until a patch is available. Restrict access to sensitive files and directories to minimize the risk of exploitation. Avoid using specially crafted PostScript files that could exploit this issue until the software is updated.

**Name of the Vulnerable Software and Affected Versions** Ghostscript versions prior to 9.50 **Description** The issue is related to the .buildfont1 procedure in Ghostscript, which did not properly secure its privileged calls, allowing scripts to bypass `-dSAFER` restrictions. An attacker could exploit this flaw by creating a specially crafted PostScript file to escalate privileges and access files outside of restricted areas. This could potentially be used to execute arbitrary code in the system. **Recommendations** For Ghostscript versions prior to 9.50, update to version 9.50 or later to resolve the issue. As a temporary workaround, consider restricting access to the .buildfont1 procedure until a patch is available. Avoid processing specially crafted PostScript files that could exploit this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 389-ds-base versions 1.4.0.x before 1.4.0.17 Red Hat Enterprise Linux 7.5 **Description** The issue is related to excessive CPU consumption, which can lead to a denial of service. An attacker can provoke this condition, causing the system to become unresponsive. The problem is associated with an incorrectly applied fix in Red Hat Enterprise Linux 7.5. **Recommendations** For 389-ds-base versions 1.4.0.x before 1.4.0.17, update to version 1.4.0.17 or later to resolve the issue. For Red Hat Enterprise Linux 7.5, apply the correct fix for the excessive CPU consumption issue to prevent denial of service attacks.

**Name of the Vulnerable Software and Affected Versions** Ghostscript versions prior to 9.27 **Description** The issue is related to insecure privilege management in the DefineResource method of the Ghostscript file conversion program. Exploitation of this issue could allow a remote attacker to elevate their privileges. A specially crafted PostScript file could exploit this flaw to access the file system outside of the constraints imposed by -dSAFER. **Recommendations** For Ghostscript versions prior to 9.27, update to version 9.27 or later to resolve the issue. As a temporary workaround, consider restricting access to the DefineResource method until a patch is available. Avoid using the forceput operator in the DefineResource method until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ghostscript versions prior to 9.27 **Description** The issue is related to the superexec operator being available in the internal dictionary in Ghostscript, which could allow a specially crafted PostScript file to access the file system outside of the constraints imposed by -dSAFER. This flaw is associated with insecure privilege management, potentially enabling a remote attacker to elevate their privileges. **Recommendations** For Ghostscript versions prior to 9.27, update to version 9.27 or later to resolve the issue. As a temporary workaround, consider restricting access to the superexec operator in the internal dictionary until a patch is available.

**Name of the Vulnerable Software and Affected Versions** 389-ds-base (affected versions not specified) **Description** A double-free issue was found in the way 389-ds-base handles virtual attributes context in persistent searches. This could allow an attacker to send a series of search requests, forcing the server to behave unexpectedly and crash. The vulnerability is related to the use of memory after it has been freed when handling private pblock and duplicated pblock with the same pb vattr context pointer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ghostscript versions prior to 9.27 **Description** The issue is related to the incorrect usage of privileged APIs in the Ghostscript PostScript file conversion program. Exploitation of this issue may allow a remote attacker to access the file system, bypassing the restrictions imposed by -dSAFER, using a specially crafted PostScript file. **Recommendations** For Ghostscript versions prior to 9.27, update to version 9.27 or later to resolve the issue. As a temporary workaround, consider restricting access to privileged operators to minimize the risk of exploitation. Avoid using specially crafted PostScript files that could exploit this flaw until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Artifex Ghostscript versions prior to 9.26 **Description** A carefully crafted PDF file can cause an extremely long running computation when parsing the file, indicating a potential issue with the parsing mechanism. **Recommendations** For versions prior to 9.26, update to version 9.26 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** cobbler versions 2.6.x **Description** A flaw was discovered in cobbler where its CobblerXMLRPCInterface class exposes all functions over XMLRPC, allowing a remote, unauthenticated attacker to gain high privileges within cobbler and upload files to arbitrary locations in the context of the daemon. **Recommendations** For cobbler versions 2.6.x, consider restricting access to the CobblerXMLRPCInterface class until a patch is available. As a temporary workaround, limit the exposure of XMLRPC functions to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** perl-archive-zip (affected versions not specified) **Description** The issue is related to a directory traversal in Archive::Zip, where the Archive::Zip module does not properly sanitize paths while extracting zip files. This could allow an attacker to write or overwrite arbitrary files in the context of the perl interpreter by providing a specially crafted archive for processing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.