Manizada

**Name of the Vulnerable Software and Affected Versions** CoreDNS versions prior to 1.14.3 **Description** The DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by an unauthenticated remote attacker. This occurs when a client opens numerous QUIC streams and sends only one byte per stream. Even when the worker pool is full, the server continues to spawn a goroutine for every accepted stream to wait for a worker token. Furthermore, active workers can block indefinitely in the `io.ReadFull()` function because there is no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte while the system waits for the second byte of the DoQ length prefix. This sequence leads to memory exhaustion and an OOM-kill (Out-Of-Memory kill), resulting in a denial of service. **Recommendations** Update to version 1.14.3.

**Name of the Vulnerable Software and Affected Versions** CoreDNS (affected versions not specified) **Description** The transfer plugin in CoreDNS contains an issue where the wrong Access Control List (ACL) stanza may be selected when both a parent zone and a more-specific subzone are configured. Although intended to follow a longest zone match logic, the `longestMatch()` function in `plugin/transfer/transfer.go` utilizes lexicographic string comparison to determine the winning rule. Consequently, a permissive parent-zone transfer rule can override a restrictive subzone rule if the parent zone's name is lexicographically greater than the subzone's name. This allows unauthorized clients to perform AXFR (Full Zone Transfer) or IXFR (Incremental Zone Transfer) for the subzone and retrieve its zone contents. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CoreDNS (affected versions not specified) **Description** A TSIG authentication bypass exists in CoreDNS affecting modern transports. TSIG (Transaction Signature) is a mechanism used to authenticate DNS messages. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions OpenPrinting CUPS versions 2.4.16 and prior Description OpenPrinting CUPS is a printing system for Linux and Unix-like operating systems. A local unprivileged user can manipulate `cupsd` into authenticating to an attacker-controlled localhost IPP service using a reusable Authorization: Local token. This token allows the attacker to make /admin/ requests on localhost and combine CUPS-Create-Local-Printer with printer-is-shared=true to create a file:///... queue, bypassing FileDevice policy restrictions. Printing to this queue can lead to arbitrary root file overwrites, potentially enabling root command execution through techniques like dropping a sudoers fragment. Recommendations Versions prior to 2.4.16 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenPrinting CUPS versions 2.4.16 and earlier **Description** The RSS notifier allows path traversal in the 'notify-recipient-uri' parameter (for example, 'rss:///../job.cache'). This enables a remote IPP client to write RSS XML bytes outside the CacheDir/rss directory to any location that is lp-writable. Since CacheDir is typically group-writable by default, the notifier can replace root-managed state files using a temporary file and the `rename()` function. This can lead to the corruption of the job cache, causing the scheduler to fail and previously queued jobs to disappear after a restart of cupsd. **Recommendations** Update the rootio-cups package to a fixed version.

Name of the Vulnerable Software and Affected Versions CUPS versions 2.4.16 and prior Description A flaw exists in the CUPS printing system's `cupsd` daemon due to insufficient input validation when processing the `textWithoutLanguage` parameter. Successful exploitation allows a remote attacker to execute arbitrary code by sending a specially crafted PostScript file to a shared print queue via a Print-Job request. The server accepts a `page-border` value, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD text as a trusted scheduler control record. A subsequent raw print job can then cause the server to execute an attacker-chosen binary as `lp`. Recommendations Update to a version later than 2.4.16.

**Name of the Vulnerable Software and Affected Versions** Moby/Docker Engine versions prior to 29.3.1 **Description** A security flaw in the Moby/Docker Engine allows attackers with local access to the Docker API or container to bypass authorization plugins (AuthZ). By using specially crafted, oversized HTTP request bodies, an attacker can cause the Docker daemon to forward requests to an authorization plugin without the body. This enables the evasion of access control decisions that rely on request body inspection, potentially allowing unauthorized daemon and container operations. This can lead to the creation of privileged containers with full host filesystem access, resulting in container escape, privilege escalation to the host, and complete host compromise. **Recommendations** Upgrade Moby/Docker Engine to version 29.3.1 or later. Restrict Docker API access using TLS, firewall rules, and socket permissions to limit access to trusted users and networks. Avoid using AuthZ plugins that rely on request body inspection for security decisions as a temporary workaround. Review and harden AuthZ plugin configurations and validate request handling. Monitor Docker daemon and API logs for anomalous or crafted requests. Run Docker in rootless mode to mitigate risks. Remove or restrict untrusted authorization plugins.

**Name of the Vulnerable Software and Affected Versions** Traefik versions prior to 3.6.8 **Description** Traefik, an HTTP reverse proxy and load balancer, contains a flaw in how it manages STARTTLS requests. An unauthenticated client can bypass the `respondingTimeouts.readTimeout` setting by sending an 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling the connection. This causes connections to remain open indefinitely, leading to a denial of service. The issue occurs during protocol detection before routing, and is reachable on an entrypoint even without any Postgres/TCP routers configured. An attacker can send the Postgres SSLRequest, receive a response from Traefik, and then stop sending further bytes, keeping the connection open past the configured read timeout. This consumes file descriptors and goroutines, potentially exhausting system resources and causing the proxy to become unavailable. **Recommendations** Upgrade to Traefik version 3.6.8 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** systemd (affected versions not specified) **Description** The systemd-machined service has an issue with access control due to inadequate validation of the `class` parameter within the RegisterMachine D-Bus method. A local user with limited privileges can exploit this by registering a machine with a specific `class` value. This action can create a machine object controlled by the attacker, enabling them to execute methods on a privileged object. Successful exploitation allows the attacker to run arbitrary commands with root privileges on the host system. The D-Bus method involved is `RegisterMachine`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Caddy versions prior to 2.11.1 **Description** Caddy’s HTTP `host` request matcher is documented as case-insensitive, but becomes case-sensitive when configured with a large host list (more than 100 entries) due to an optimized matching path. An attacker can bypass host-based routing and any access controls associated with that route by altering the casing of the `Host` header. This is a route/auth bypass in Caddy’s request-matching layer. Internet-exposed Caddy deployments relying on `host` matchers with large host lists to protect routes can be bypassed by changing the case of the `Host` header, potentially allowing unauthorized access to sensitive endpoints. The affected component is the `MatchHost` matcher, specifically the `MatchHost.MatchWithError` function. The vulnerability occurs because the matcher uses a case-sensitive string comparison when the host list exceeds 100 entries. The `Host` header is a standard HTTP request header used to identify the requested resource. **Recommendations** Update to Caddy version 2.11.1 or later.

**Name of the Vulnerable Software and Affected Versions** Caddy versions prior to 2.11.1 **Description** Caddy’s HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. This can allow an attacker to bypass path-based routing and any access controls attached to that route by changing the casing of the request path. The issue occurs because `r.URL.EscapedPath()` is not lowercased, leading to case differences in the request path causing the escaped-space match to fail even though `MatchPath` is meant to be case-insensitive. An attacker can bypass route restrictions by changing the casing of the request path. **Recommendations** Update to Caddy version 2.11.1 or later.