Vulnerabilities

A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O’Donnell MSTW League Manager allows DOM-Based XSS.This issue affects MSTW League Manager: from n/a through 2.10.

A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix constant blinding for PROBE_MEM32 stores<br /> <br /> BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by<br /> bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to<br /> survive unblinded into JIT-compiled native code when bpf_jit_harden &gt;= 1.<br /> <br /> The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM<br /> to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,<br /> before bpf_jit_blind_constants() runs during JIT compilation. The<br /> blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not<br /> BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through<br /> unblinded.<br /> <br /> Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the<br /> existing BPF_ST|BPF_MEM cases. The blinding transformation is identical:<br /> load the blinded immediate into BPF_REG_AX via mov+xor, then convert<br /> the immediate store to a register store (BPF_STX).<br /> <br /> The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so<br /> the architecture JIT emits the correct arena addressing (R12-based on<br /> x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes<br /> BPF_MEM mode; construct the instruction directly instead.

A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: bpf: defer hook memory release until rcu readers are done<br /> <br /> Yiming Qian reports UaF when concurrent process is dumping hooks via<br /> nfnetlink_hooks:<br /> <br /> BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0<br /> Read of size 8 at addr ffff888003edbf88 by task poc/79<br /> Call Trace:<br /> <br /> nfnl_hook_dump_one.isra.0+0xe71/0x10f0<br /> netlink_dump+0x554/0x12b0<br /> nfnl_hook_get+0x176/0x230<br /> [..]<br /> <br /> Defer release until after concurrent readers have completed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clsact: Fix use-after-free in init/destroy rollback asymmetry<br /> <br /> Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.<br /> The latter is achieved by first fully initializing a clsact instance, and<br /> then in a second step having a replacement failure for the new clsact qdisc<br /> instance. clsact_init() initializes ingress first and then takes care of the<br /> egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon<br /> failure, the kernel will trigger the clsact_destroy() callback.<br /> <br /> Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the<br /> way how the transition is happening. If tcf_block_get_ext on the q-&gt;ingress_block<br /> ends up failing, we took the tcx_miniq_inc reference count on the ingress<br /> side, but not yet on the egress side. clsact_destroy() tests whether the<br /> {ingress,egress}_entry was non-NULL. However, even in midway failure on the<br /> replacement, both are in fact non-NULL with a valid egress_entry from the<br /> previous clsact instance.<br /> <br /> What we really need to test for is whether the qdisc instance-specific ingress<br /> or egress side previously got initialized. This adds a small helper for checking<br /> the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon<br /> clsact_destroy() in order to fix the use-after-free scenario. Convert the<br /> ingress_destroy() side as well so both are consistent to each other.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tls: Purge async_hold in tls_decrypt_async_wait()<br /> <br /> The async_hold queue pins encrypted input skbs while<br /> the AEAD engine references their scatterlist data. Once<br /> tls_decrypt_async_wait() returns, every AEAD operation<br /> has completed and the engine no longer references those<br /> skbs, so they can be freed unconditionally.<br /> <br /> A subsequent patch adds batch async decryption to<br /> tls_sw_read_sock(), introducing a new call site that<br /> must drain pending AEAD operations and release held<br /> skbs. Move __skb_queue_purge(&amp;ctx-&gt;async_hold) into<br /> tls_decrypt_async_wait() so the purge is centralized<br /> and every caller -- recvmsg&amp;#39;s drain path, the -EBUSY<br /> fallback in tls_do_decryption(), and the new read_sock<br /> batch path -- releases held skbs on synchronization<br /> without each site managing the purge independently.<br /> <br /> This fixes a leak when tls_strp_msg_hold() fails part-way through,<br /> after having added some cloned skbs to the async_hold<br /> queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to<br /> process all pending decrypts, and drop back to synchronous mode, but<br /> tls_sw_recvmsg() only flushes the async_hold queue when one record has<br /> been processed in "fully-async" mode, which may not be the case here.<br /> <br /> [pabeni@redhat.com: added leak comment]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()<br /> <br /> During futex_key_to_node_opt() execution, vma-&gt;vm_policy is read under<br /> speculative mmap lock and RCU. Concurrently, mbind() may call<br /> vma_replace_policy() which frees the old mempolicy immediately via<br /> kmem_cache_free().<br /> <br /> This creates a race where __futex_key_to_node() dereferences a freed<br /> mempolicy pointer, causing a use-after-free read of mpol-&gt;mode.<br /> <br /> [ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)<br /> [ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87<br /> <br /> [ 151.415969] Call Trace:<br /> <br /> [ 151.416732] __asan_load2 (mm/kasan/generic.c:271)<br /> [ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)<br /> [ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)<br /> <br /> Fix by adding rcu to __mpol_put().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/mseal: update VMA end correctly on merge<br /> <br /> Previously we stored the end of the current VMA in curr_end, and then upon<br /> iterating to the next VMA updated curr_start to curr_end to advance to the<br /> next VMA.<br /> <br /> However, this doesn&amp;#39;t take into account the fact that a VMA might be<br /> updated due to a merge by vma_modify_flags(), which can result in curr_end<br /> being stale and thus, upon setting curr_start to curr_end, ending up with<br /> an incorrect curr_start on the next iteration.<br /> <br /> Resolve the issue by setting curr_end to vma-&gt;vm_end unconditionally to<br /> ensure this value remains updated should this occur.<br /> <br /> While we&amp;#39;re here, eliminate this entire class of bug by simply setting<br /> const curr_[start/end] to be clamped to the input range and VMAs, which<br /> also happens to simplify the logic.