Vulnerabilities

Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors.

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors.

Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive information via the _download_file_or_dir function.

Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors.

Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request.

Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensitive information via a crafted request.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vfat: fix missing sb_min_blocksize() return value checks<br /> <br /> When emulating an nvme device on qemu with both logical_block_size and<br /> physical_block_size set to 8 KiB, but without format, a kernel panic<br /> was triggered during the early boot stage while attempting to mount a<br /> vfat filesystem.<br /> <br /> [95553.682035] EXT4-fs (nvme0n1): unable to set blocksize<br /> [95553.684326] EXT4-fs (nvme0n1): unable to set blocksize<br /> [95553.686501] EXT4-fs (nvme0n1): unable to set blocksize<br /> [95553.696448] ISOFS: unsupported/invalid hardware sector size 8192<br /> [95553.697117] ------------[ cut here ]------------<br /> [95553.697567] kernel BUG at fs/buffer.c:1582!<br /> [95553.697984] Oops: invalid opcode: 0000 [#1] SMP NOPTI<br /> [95553.698602] CPU: 0 UID: 0 PID: 7212 Comm: mount Kdump: loaded Not tainted 6.18.0-rc2+ #38 PREEMPT(voluntary)<br /> [95553.699511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> [95553.700534] RIP: 0010:folio_alloc_buffers+0x1bb/0x1c0<br /> [95553.701018] Code: 48 8b 15 e8 93 18 02 65 48 89 35 e0 93 18 02 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc 0b 90 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f<br /> [95553.702648] RSP: 0018:ffffd1b0c676f990 EFLAGS: 00010246<br /> [95553.703132] RAX: ffff8cfc4176d820 RBX: 0000000000508c48 RCX: 0000000000000001<br /> [95553.703805] RDX: 0000000000002000 RSI: 0000000000000000 RDI: 0000000000000000<br /> [95553.704481] RBP: ffffd1b0c676f9c8 R08: 0000000000000000 R09: 0000000000000000<br /> [95553.705148] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001<br /> [95553.705816] R13: 0000000000002000 R14: fffff8bc8257e800 R15: 0000000000000000<br /> [95553.706483] FS: 000072ee77315840(0000) GS:ffff8cfdd2c8d000(0000) knlGS:0000000000000000<br /> [95553.707248] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [95553.707782] CR2: 00007d8f2a9e5a20 CR3: 0000000039d0c006 CR4: 0000000000772ef0<br /> [95553.708439] PKRU: 55555554<br /> [95553.708734] Call Trace:<br /> [95553.709015] <br /> [95553.709266] __getblk_slow+0xd2/0x230<br /> [95553.709641] ? find_get_block_common+0x8b/0x530<br /> [95553.710084] bdev_getblk+0x77/0xa0<br /> [95553.710449] __bread_gfp+0x22/0x140<br /> [95553.710810] fat_fill_super+0x23a/0xfc0<br /> [95553.711216] ? __pfx_setup+0x10/0x10<br /> [95553.711580] ? __pfx_vfat_fill_super+0x10/0x10<br /> [95553.712014] vfat_fill_super+0x15/0x30<br /> [95553.712401] get_tree_bdev_flags+0x141/0x1e0<br /> [95553.712817] get_tree_bdev+0x10/0x20<br /> [95553.713177] vfat_get_tree+0x15/0x20<br /> [95553.713550] vfs_get_tree+0x2a/0x100<br /> [95553.713910] vfs_cmd_create+0x62/0xf0<br /> [95553.714273] __do_sys_fsconfig+0x4e7/0x660<br /> [95553.714669] __x64_sys_fsconfig+0x20/0x40<br /> [95553.715062] x64_sys_call+0x21ee/0x26a0<br /> [95553.715453] do_syscall_64+0x80/0x670<br /> [95553.715816] ? __fs_parse+0x65/0x1e0<br /> [95553.716172] ? fat_parse_param+0x103/0x4b0<br /> [95553.716587] ? vfs_parse_fs_param_source+0x21/0xa0<br /> [95553.717034] ? __do_sys_fsconfig+0x3d9/0x660<br /> [95553.717548] ? __x64_sys_fsconfig+0x20/0x40<br /> [95553.717957] ? x64_sys_call+0x21ee/0x26a0<br /> [95553.718360] ? do_syscall_64+0xb8/0x670<br /> [95553.718734] ? __x64_sys_fsconfig+0x20/0x40<br /> [95553.719141] ? x64_sys_call+0x21ee/0x26a0<br /> [95553.719545] ? do_syscall_64+0xb8/0x670<br /> [95553.719922] ? x64_sys_call+0x1405/0x26a0<br /> [95553.720317] ? do_syscall_64+0xb8/0x670<br /> [95553.720702] ? __x64_sys_close+0x3e/0x90<br /> [95553.721080] ? x64_sys_call+0x1b5e/0x26a0<br /> [95553.721478] ? do_syscall_64+0xb8/0x670<br /> [95553.721841] ? irqentry_exit+0x43/0x50<br /> [95553.722211] ? exc_page_fault+0x90/0x1b0<br /> [95553.722681] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [95553.723166] RIP: 0033:0x72ee774f3afe<br /> [95553.723562] Code: 73 01 c3 48 8b 0d 0a 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 49 89 ca b8 af 01 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d da 32 0f 00 f7 d8 64 89 01 48<br /> [95553.725188] RSP: 002b:00007ffe97148978 EFLAGS: 00000246 ORIG_RAX: 00000000000001af<br /> [95553.725892] RAX: ffffffffffffffda RBX: <br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: arm64: Check the untrusted offset in FF-A memory share<br /> <br /> Verify the offset to prevent OOB access in the hypervisor<br /> FF-A buffer in case an untrusted large enough value<br /> [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX]<br /> is set from the host kernel.

Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme: nvme-fc: Ensure -&gt;ioerr_work is cancelled in nvme_fc_delete_ctrl()<br /> <br /> nvme_fc_delete_assocation() waits for pending I/O to complete before<br /> returning, and an error can cause -&gt;ioerr_work to be queued after<br /> cancel_work_sync() had been called. Move the call to cancel_work_sync() to<br /> be after nvme_fc_delete_association() to ensure -&gt;ioerr_work is not running<br /> when the nvme_fc_ctrl object is freed. Otherwise the following can occur:<br /> <br /> [ 1135.911754] list_del corruption, ff2d24c8093f31f8-&gt;next is NULL<br /> [ 1135.917705] ------------[ cut here ]------------<br /> [ 1135.922336] kernel BUG at lib/list_debug.c:52!<br /> [ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI<br /> [ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)<br /> [ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025<br /> [ 1135.950969] Workqueue: 0x0 (nvme-wq)<br /> [ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f<br /> [ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b<br /> [ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046<br /> [ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000<br /> [ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0<br /> [ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08<br /> [ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100<br /> [ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0<br /> [ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000<br /> [ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0<br /> [ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400<br /> [ 1136.055910] PKRU: 55555554<br /> [ 1136.058623] Call Trace:<br /> [ 1136.061074] <br /> [ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0<br /> [ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0<br /> [ 1136.071898] ? move_linked_works+0x4a/0xa0<br /> [ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f<br /> [ 1136.081744] ? __die_body.cold+0x8/0x12<br /> [ 1136.085584] ? die+0x2e/0x50<br /> [ 1136.088469] ? do_trap+0xca/0x110<br /> [ 1136.091789] ? do_error_trap+0x65/0x80<br /> [ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f<br /> [ 1136.101289] ? exc_invalid_op+0x50/0x70<br /> [ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f<br /> [ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20<br /> [ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f<br /> [ 1136.120806] move_linked_works+0x4a/0xa0<br /> [ 1136.124733] worker_thread+0x216/0x3a0<br /> [ 1136.128485] ? __pfx_worker_thread+0x10/0x10<br /> [ 1136.132758] kthread+0xfa/0x240<br /> [ 1136.135904] ? __pfx_kthread+0x10/0x10<br /> [ 1136.139657] ret_from_fork+0x31/0x50<br /> [ 1136.143236] ? __pfx_kthread+0x10/0x10<br /> [ 1136.146988] ret_from_fork_asm+0x1a/0x30<br /> [ 1136.150915]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: imx_sc_key - fix memory corruption on unload<br /> <br /> This is supposed to be "priv" but we accidentally pass "&amp;priv" which is<br /> an address in the stack and so it will lead to memory corruption when<br /> the imx_sc_key_action() function is called. Remove the &amp;.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: cros_ec_keyb - fix an invalid memory access<br /> <br /> If cros_ec_keyb_register_matrix() isn&amp;#39;t called (due to<br /> `buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev-&gt;idev` remains<br /> NULL. An invalid memory access is observed in cros_ec_keyb_process()<br /> when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()<br /> in such case.<br /> <br /> Unable to handle kernel read from unreadable memory at virtual address 0000000000000028<br /> ...<br /> x3 : 0000000000000000 x2 : 0000000000000000<br /> x1 : 0000000000000000 x0 : 0000000000000000<br /> Call trace:<br /> input_event<br /> cros_ec_keyb_work<br /> blocking_notifier_call_chain<br /> ec_irq_thread<br /> <br /> It&amp;#39;s still unknown about why the kernel receives such malformed event,<br /> in any cases, the kernel shouldn&amp;#39;t access `ckdev-&gt;idev` and friends if<br /> the driver doesn&amp;#39;t intend to initialize them.