Reno Robert

**Name of the Vulnerable Software and Affected Versions** vRealize Operations versions (affected versions not specified) **Description** The issue is related to a broken access control vulnerability in the VMware vRealize Operations tool, which can lead to information disclosure. This vulnerability may allow a remote attacker to disclose protected information. The severity of this issue is considered moderate. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vRealize Operations (vROps) (affected versions not specified) **Description** The issue is related to improper privilege management in vRealize Operations, which can lead to a privilege escalation. This allows a remote attacker to potentially elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VMware ESXi (affected versions not specified) **Description** The issue is related to a memory corruption vulnerability in the way VMware ESXi handles a network socket. A malicious actor with local access to ESXi may exploit this issue to corrupt memory, leading to an escape of the ESXi sandbox. This could potentially allow an attacker to execute arbitrary code with elevated privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Parallels Access Agent version 6.5.4 (39316) **Description** This issue allows local attackers to escalate privileges on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this issue. The specific flaw exists within the Parallels service. By creating a symbolic link, an attacker can abuse the service to execute a file. An attacker can leverage this issue to escalate privileges and execute arbitrary code in the context of root. **Recommendations** For Parallels Access Agent version 6.5.4 (39316), consider disabling the Parallels service until a patch is available to prevent exploitation. Restrict access to the service to minimize the risk of privilege escalation. Avoid using the service to execute files from untrusted sources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Parallels Access Agent version 6.5.4 (39316) **Description** This issue allows local attackers to escalate privileges on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this issue. The specific flaw exists within the Parallels Service, which executes files from an unsecured location. An attacker can leverage this issue to escalate privileges and execute arbitrary code in the context of root. **Recommendations** For Parallels Access Agent version 6.5.4 (39316), consider restricting access to the Parallels Service to minimize the risk of exploitation until a patch is available. As a temporary workaround, disabling the execution of files from unsecured locations by the Parallels Service may help mitigate the risk. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** The issue results from the lack of proper locking when performing operations on an object within the DPT I2O Controller driver. This can be leveraged by an attacker, in conjunction with other vulnerabilities, to escalate privileges and execute arbitrary code in the context of the kernel. The vulnerability is related to the `virt to bus()` and `bus to virt()` functions of the dpt i2o driver in Linux operating systems. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeBSD (affected versions not specified) **Description** The issue is caused by an integer overflow in the `nmreq copyin()` function of the netmap component. This insufficient bounds checking could lead to kernel memory corruption. On systems configured to include netmap in their devfs ruleset, a privileged process running in a jail can affect the host environment. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeBSD (affected versions not specified) **Description** The issue is related to a time-of-check to time-of-use bug in the `nmreq copyin()` function of the netmap component in FreeBSD. This bug could lead to kernel memory corruption. On systems configured to include netmap in their devfs ruleset, a privileged process running in a jail can affect the host environment. The vulnerability may allow an attacker to execute arbitrary code in the context of the kernel. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MySQL Cluster versions 7.4.34 and prior MySQL Cluster versions 7.5.24 and prior MySQL Cluster versions 7.6.20 and prior MySQL Cluster versions 8.0.27 and prior **Description** The issue is related to insufficient input validation in the MySQL Cluster product, allowing a high-privileged attacker with access to the physical communication segment to compromise the MySQL Cluster. Successful attacks require human interaction from a person other than the attacker and can result in the takeover of the MySQL Cluster. **Recommendations** For versions 7.4.34 and prior, update to a version later than 7.4.34. For versions 7.5.24 and prior, update to a version later than 7.5.24. For versions 7.6.20 and prior, update to a version later than 7.6.20. For versions 8.0.27 and prior, update to a version later than 8.0.27.

**Name of the Vulnerable Software and Affected Versions** MySQL Cluster versions 7.4.34 and prior MySQL Cluster versions 7.5.24 and prior MySQL Cluster versions 7.6.20 and prior MySQL Cluster versions 8.0.27 and prior **Description** The issue allows a high-privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker and can result in the takeover of MySQL Cluster. **Recommendations** For versions 7.4.34 and prior, update to a version later than 7.4.34. For versions 7.5.24 and prior, update to a version later than 7.5.24. For versions 7.6.20 and prior, update to a version later than 7.6.20. For versions 8.0.27 and prior, update to a version later than 8.0.27.

**Name of the Vulnerable Software and Affected Versions** OpenBSD Kernel (affected versions not specified) **Description** This issue allows local attackers to disclose sensitive information on affected installations of OpenBSD Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this issue. The specific flaw exists within the implementation of multicast routing, resulting from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other issues to escalate privileges and execute arbitrary code in the context of the kernel. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OpenBSD Kernel (affected versions not specified) **Description** This issue allows local attackers to disclose sensitive information on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target system. The flaw exists within the implementation of multicast routing, resulting from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other issues to escalate privileges and execute arbitrary code in the context of the kernel. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** System.DirectoryServices.Protocols version 5.0.0 **Description** A information disclosure issue exists where System.DirectoryServices.Protocols.LdapConnection may send credentials in plain text on Linux. This could allow a remote attacker to disclose protected information. **Recommendations** For System.DirectoryServices.Protocols version 5.0.0, update to version 5.0.1 to resolve the issue. As a temporary workaround, consider restricting the use of `System.DirectoryServices.Protocols` on Linux systems until the update is applied. Avoid using the `LdapConnection` class in sensitive applications until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Parallels Desktop version 16.1.3-49160 Description: This issue allows local attackers to escalate privileges on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this issue. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of user-supplied data, which can result in an uncontrolled memory allocation. An attacker can leverage this issue to escalate privileges and execute arbitrary code in the context of the hypervisor. Recommendations: For Parallels Desktop version 16.1.3-49160, consider disabling the Toolgate component until a patch is available. Restrict access to the Toolgate component to minimize the risk of exploitation. Avoid using user-supplied data in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Parallels Desktop version 16.1.3-49160 Description: This issue allows local attackers to escalate privileges on affected installations. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this issue. The specific flaw exists within the Toolgate component, resulting from the lack of proper validation of user-supplied data, which can lead to an uncontrolled memory allocation. An attacker can leverage this issue to escalate privileges and execute arbitrary code in the context of the hypervisor. Recommendations: For Parallels Desktop version 16.1.3-49160, consider disabling the Toolgate component as a temporary workaround until a patch is available. Restrict access to the Toolgate component to minimize the risk of exploitation. Avoid using user-supplied data in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Parallels Desktop version 16.1.3-49160 Description: This issue allows local attackers to escalate privileges on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this issue. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of user-supplied data, which can result in an uncontrolled memory allocation. An attacker can leverage this issue to escalate privileges and execute arbitrary code in the context of the hypervisor. Recommendations: For Parallels Desktop version 16.1.3-49160, as a temporary workaround, consider disabling the Toolgate component until a patch is available. Restrict access to the Toolgate component to minimize the risk of exploitation. Avoid using user-supplied data in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MySQL Cluster versions 7.4.34 and prior MySQL Cluster versions 7.5.24 and prior MySQL Cluster versions 7.6.20 and prior MySQL Cluster versions 8.0.27 and prior **Description** The issue allows a high-privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service of MySQL Cluster. The vulnerability is related to a buffer read beyond the boundary in memory. **Recommendations** For versions 7.4.34 and prior, update to a version later than 7.4.34 to resolve the issue. For versions 7.5.24 and prior, update to a version later than 7.5.24 to resolve the issue. For versions 7.6.20 and prior, update to a version later than 7.6.20 to resolve the issue. For versions 8.0.27 and prior, update to a version later than 8.0.27 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MySQL Cluster versions 7.4.34 and prior MySQL Cluster versions 7.5.24 and prior MySQL Cluster versions 7.6.20 and prior MySQL Cluster versions 8.0.27 and prior **Description** The issue is related to an out-of-bounds read in the memory of the MySQL Cluster system, which can allow a remote attacker to disclose protected information and cause a partial denial of service. The exploitation of this issue requires high privileges and access to the physical communication segment attached to the hardware where the MySQL Cluster executes. It also requires human interaction from a person other than the attacker. Successful attacks can result in unauthorized read access to a subset of MySQL Cluster accessible data and the ability to cause a partial denial of service of MySQL Cluster. **Recommendations** For MySQL Cluster versions 7.4.34 and prior, update to a version later than 7.4.34 to resolve the issue. For MySQL Cluster versions 7.5.24 and prior, update to a version later than 7.5.24 to resolve the issue. For MySQL Cluster versions 7.6.20 and prior, update to a version later than 7.6.20 to resolve the issue. For MySQL Cluster versions 8.0.27 and prior, update to a version later than 8.0.27 to resolve the issue. As a temporary workaround, consider restricting access to the physical communication segment attached to the hardware where the MySQL Cluster executes to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Parallels Desktop version 15.1.5-47309 **Description** This issue allows local attackers to escalate privileges on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this issue. The specific flaw exists within the Open Tools Gate component. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this issue to escalate privileges and execute arbitrary code in the context of the hypervisor. **Recommendations** For Parallels Desktop version 15.1.5-47309, consider disabling the Open Tools Gate component as a temporary workaround until a patch is available. Restrict access to the component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Parallels Desktop version 15.1.5-47309 **Description** This issue allows local attackers to disclose sensitive information on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this issue. The specific flaw exists within the Open Tools Gate component, resulting from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other issues to escalate privileges and execute arbitrary code in the context of the hypervisor. **Recommendations** For Parallels Desktop version 15.1.5-47309, consider disabling the Open Tools Gate component as a temporary workaround until a patch is available. Restrict access to the component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.