Pavel Kohout

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions 16.0 through 16.13 PostgreSQL versions 17.0 through 17.9 PostgreSQL versions 18.0 through 18.3 **Description** SQL injection in logical replication occurs when using the 'ALTER SUBSCRIPTION ... REFRESH PUBLICATION' command. This allows a subscriber table creator to execute arbitrary SQL using the credentials of the subscription's publication side. The execution is triggered during the subsequent `REFRESH PUBLICATION` operation. **Recommendations** Update versions 16.x to 16.14 Update versions 17.x to 17.10 Update versions 18.x to 18.4

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions prior to 18.4 PostgreSQL versions prior to 17.10 PostgreSQL versions prior to 16.14 PostgreSQL versions prior to 15.18 PostgreSQL versions prior to 14.23 **Description** Integer wraparound in multiple server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This can lead to arbitrary code execution as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the input provider may cause a segmentation fault, which is an error occurring when a program attempts to access a memory location that it is not allowed to access. **Recommendations** Update to version 18.4 or later. Update to version 17.10 or later. Update to version 16.14 or later. Update to version 15.18 or later. Update to version 14.23 or later.

**Name of the Vulnerable Software and Affected Versions** wolfSSHd (affected versions not specified) **Description** A read out of bounds issue exists in wolfSSHd on Windows when handling a terminal resize request. An authenticated user can trigger this condition after establishing a connection, resulting in the leakage of adjacent stack memory to the pseudo-console output. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions OpenSSL FIPS Module version 3.6 Description Applications utilizing AES-CFB128 encryption or decryption on systems equipped with AVX-512 and VAES support may experience an out-of-bounds read of up to 15 bytes when handling partial cipher blocks. This can lead to a denial of service if the input buffer is at a memory page boundary and the subsequent page is unmapped. The issue occurs only when processing partial blocks and on x86-64 systems with AVX-512 and VAES instruction support. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions MariaDB Server versions prior to 11.4.10 MariaDB Server versions 11.5.0 through 11.8.5 MariaDB Server versions prior to 12.2.2 Description MariaDB Server is susceptible to a crash when using the caching sha2 password authentication plugin with certain user accounts. This occurs because the `sha256 crypt r` function utilizes `alloca`, and a large packet can trigger a server crash. Recommendations Update MariaDB Server to version 11.4.10 or later. Update MariaDB Server to version 11.8.6 or later. Update MariaDB Server to version 12.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions prior to 2.4.66 **Description** A NULL pointer dereference in the `mod dav lock` module may allow an attacker to crash the server by sending a malicious request. A NULL pointer dereference occurs when a program attempts to read or write to a memory address that is NULL, typically leading to an application crash. **Recommendations** Upgrade to version 2.4.66. Remove the `mod dav lock` module.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions prior to 2.4.67 **Description** A NULL pointer dereference in the mod authn socache module allows an unauthenticated remote user to crash a child process when a caching forward proxy configuration is used. A NULL pointer dereference occurs when a program attempts to read or write to a memory address that is NULL, typically leading to a program crash. **Recommendations** Upgrade to version 2.4.67.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.30 through 2.4.66 **Description** An issue exists in the `mod md` module where resource allocation occurs without limits or throttling when processing OCSP response data. OCSP (Online Certificate Status Protocol) is a protocol used to determine the current revocation status of a digital certificate. **Recommendations** Upgrade to version 2.4.67.

**Name of the Vulnerable Software and Affected Versions** OpenSIPS versions 3.1 through 3.6.3 **Description** The software contains a SQL injection issue within the `jwt db authorize()` function in the auth jwt module when a SQL database backend is used and db mode is enabled. The function incorporates a tag claim from a JWT directly into a SQL query without verifying the signature first. An attacker can craft a malicious JWT with a specially designed tag claim to manipulate the query and bypass authentication, potentially impersonating other users. **Recommendations** Update to version 3.6.4 or later.

**Name of the Vulnerable Software and Affected Versions** Espressif Internet of Things (IOT) Development Framework versions 5.1.6 through 5.5.2 **Description** The Espressif Internet of Things (IOT) Development Framework contains a flaw in the WPS (Wi-Fi Protected Setup) Enrollee implementation. Malformed EAP-WSC packets with truncated payloads can trigger an integer underflow during fragment length calculation. Specifically, when processing EAP-Expanded (WSC) messages, the code calculates `frag len` by subtracting header sizes from the total packet length. An attacker can send a packet where the EAP Length field only covers the header and flags, omitting the expected payload. This causes `frag len` to become negative, which is then implicitly cast to a size t value when passed to the `wpabuf put data()` function, resulting in a large unsigned value. **Recommendations** Update to version 5.5.3 or later. Update to version 5.4.4 or later. Update to version 5.3.5 or later. Update to version 5.2.7 or later. Update to version 5.1.7 or later.

**Name of the Vulnerable Software and Affected Versions** MuPDF versions 1.23.0 through 1.27.0 **Description** MuPDF versions 1.23.0 through 1.27.0 have a double-free issue in the `fz fill pixmap from display list()` function during display list rendering. This occurs when an exception happens, causing the function to incorrectly release a pixmap pointer in its error handling before re-throwing the exception. Subsequent cleanup by callers, including the barcode decoding path in `fz decode barcode from display list()`, also releases the same pixmap, leading to a double-free. This can corrupt the heap and cause the process to crash. The issue impacts applications using MuPDF barcode decoding and can be triggered by specially crafted input that causes a rendering error during barcode decoding. **Recommendations** Update MuPDF to a version later than 1.27.0.

**Name of the Vulnerable Software and Affected Versions** NATS-Server versions prior to 2.11.2 NATS-Server versions prior to 2.12.3 **Description** NATS-Server, a high-performance messaging system, has an issue in its WebSocket implementation. The server handles compressed messages via WebSocket negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation only bounded the size of a NATS message but did not independently bound the memory consumption during message construction. This allows an attacker to use a compression bomb, causing excessive memory consumption and potentially terminating the server process. The issue does not require valid NATS credentials to exploit, as compression negotiation occurs before authentication. **Recommendations** Update NATS-Server to version 2.11.2 or later. Update NATS-Server to version 2.12.3 or later.

**Name of the Vulnerable Software and Affected Versions** ESF-IDF versions 5.5.1 through 5.1.6 **Description** ESF-IDF, the Espressif Internet of Things (IOT) Development Framework, contains a flaw in the `avrc vendor msg()` function within the BlueDroid AVRCP stack. The function validates the allocated buffer size using `AVRC MIN CMD LEN` (20 bytes), but the fixed header data written before the vendor payload exceeds this value, totaling 29 bytes before `p msg->p vendor data` is copied. This discrepancy can lead to an out-of-bounds write when `vendor len` approaches the buffer limit, potentially causing memory corruption, crashes, or undefined behavior. The overflow may be larger when assertions are disabled. **Recommendations** Versions 5.1.6 and earlier: Update to a version later than 5.1.6. Versions 5.5.1, 5.4.3, 5.3.4, and 5.2.6: Update to a version later than 5.5.1, 5.4.3, 5.3.4, and 5.2.6 respectively. As a temporary workaround, consider disabling the AVRCP stack or restricting the use of the `avrc vendor msg()` function until a patch is available.