Etienne Stalmans

Name of the Vulnerable Software and Affected Versions: Polycom HDX Series (affected versions not specified) Description: An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The `lan traceroute` command in the `devcmds` console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters through the traceroute interface, an attacker can achieve remote code execution under the context of the root user. This flaw affects systems where Telnet access is enabled and either unauthenticated access is allowed or credentials are known. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Squashfs-Tools version 4.5 **Description** The issue is related to the `squashfs opendir` function in the `unsquash-1.c` component of Squashfs-Tools. This function stores the filename in the directory entry, which is then used by `unsquashfs` to create the new file during the unsquash process. However, the filename is not validated for traversal outside of the destination directory, allowing writing to locations outside of the destination. This can be exploited by a remote attacker to compromise data integrity and cause a denial of service. **Recommendations** For Squashfs-Tools version 4.5, as a temporary workaround, consider disabling the `squashfs opendir` function until a patch is available. Restrict access to the `unsquashfs` component to minimize the risk of exploitation. Avoid using the `unsquashfs` command with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Docker versions prior to 18.09.4 **Description** The issue is related to insufficient argument validation in the `docker build` command, allowing an attacker to potentially gain unauthorized access to information, cause a denial of service, or impact the availability of information. Specifically, the problem lies in how `docker build` processes remote git URLs, leading to command injection into the underlying `git clone` command. This can result in code execution in the context of the user executing the `docker build` command, as git ref can be misinterpreted as a flag. **Recommendations** For Docker versions prior to 18.09.4, update to version 18.09.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `docker build` command with remote git URLs to minimize the risk of exploitation. Avoid using potentially malicious git URLs in the `docker build` command until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Microsoft Word versions (affected versions not specified) Office 365 ProPlus versions (affected versions not specified) Microsoft Office versions (affected versions not specified) Description: An information disclosure issue exists due to improper use of Microsoft Word macro buttons. This could allow a remote attacker to read arbitrary files by crafting a special document file and convincing the user to open it. The attacker must know the location of the file they wish to access. Recommendations: For Microsoft Word, consider disabling the use of macro buttons until a fix is available. For Office 365 ProPlus, restrict access to sensitive files that could be accessed through this vulnerability. For Microsoft Office, avoid opening specially crafted document files from untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Ruby versions prior to 2.4.3 Description: The issue is related to command injection in Net::FTP. The `get`, `getbinaryfile`, `gettextfile`, `put`, `putbinaryfile`, and `puttextfile` methods use `Kernel#open` to open a local file. If the `localfile` argument starts with the "|" pipe character, the command following the pipe character is executed. This could allow malicious FTP servers to cause arbitrary command execution by manipulating the `localfile` argument, which defaults to `File.basename(remotefile)`. The vulnerability is due to an input filtering error. Recommendations: For Ruby versions prior to 2.4.3, update to version 2.4.3 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the `localfile` argument with the "|" pipe character in the affected Net::FTP methods until a patch is applied. Restrict access to the `Net::FTP` class to minimize the risk of exploitation. Avoid using the `localfile` argument in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Git versions prior to 2.13.7 Git versions 2.14.x prior to 2.14.4 Git versions 2.15.x prior to 2.15.2 Git versions 2.16.x prior to 2.16.4 Git versions 2.17.x prior to 2.17.1 **Description** The issue is related to errors in processing specially formed submodule names in the .gitmodules file. This can allow a remote attacker to execute arbitrary code. The vulnerability can be exploited when a malicious project with a crafted .gitmodules file is cloned using "git clone --recurse-submodules", leading to directory traversal and the execution of post-checkout hooks from a submodule. **Recommendations** For Git versions prior to 2.13.7, update to version 2.13.7 or later. For Git versions 2.14.x prior to 2.14.4, update to version 2.14.4 or later. For Git versions 2.15.x prior to 2.15.2, update to version 2.15.2 or later. For Git versions 2.16.x prior to 2.16.4, update to version 2.16.4 or later. For Git versions 2.17.x prior to 2.17.1, update to version 2.17.1 or later. As a temporary workaround, consider avoiding the use of "git clone --recurse-submodules" until a patch is applied.