Vulnerabilities

2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation.<br /> This vulnerability can only be exploited after authenticating with administrator privileges.

Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption.<br /> This vulnerability can only be exploited after authenticating with administrator privileges.

2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.

2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts.

A vulnerability has been identified within the Rancher Backup Operator, resulting in the leakage of S3 tokens (both accessKey and secretKey) into the rancher-backup-operator pod&amp;#39;s logs.

API endpoint for user synchronization in 2N Access Commander version 3.4.1 did not have a sufficient input validation allowing for OS command injection. <br /> This vulnerability can only be exploited after authenticating with administrator privileges.

A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the<br /> privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any &amp;#39;root_squash&amp;#39; or &amp;#39;all_squash&amp;#39; attributes that would normally be expected to apply to that client.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbdev: smscufx: properly copy ioctl memory to kernelspace<br /> <br /> The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from<br /> userspace to kernelspace, and instead directly references the memory,<br /> which can cause problems if invalid data is passed from userspace. Fix<br /> this all up by correctly copying the memory before accessing it within<br /> the kernel.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> romfs: check sb_set_blocksize() return value<br /> <br /> romfs_fill_super() ignores the return value of sb_set_blocksize(), which<br /> can fail if the requested block size is incompatible with the block<br /> device&amp;#39;s configuration.<br /> <br /> This can be triggered by setting a loop device&amp;#39;s block size larger than<br /> PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs<br /> filesystem on that device.<br /> <br /> When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the<br /> device has logical_block_size=32768, bdev_validate_blocksize() fails<br /> because the requested size is smaller than the device&amp;#39;s logical block<br /> size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and<br /> continues mounting.<br /> <br /> The superblock&amp;#39;s block size remains at the device&amp;#39;s logical block size<br /> (32768). Later, when sb_bread() attempts I/O with this oversized block<br /> size, it triggers a kernel BUG in folio_set_bh():<br /> <br /> kernel BUG at fs/buffer.c:1582!<br /> BUG_ON(size &gt; PAGE_SIZE);<br /> <br /> Fix by checking the return value of sb_set_blocksize() and failing the<br /> mount with -EINVAL if it returns 0.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> platform/x86: classmate-laptop: Add missing NULL pointer checks<br /> <br /> In a few places in the Classmate laptop driver, code using the accel<br /> object may run before that object&amp;#39;s address is stored in the driver<br /> data of the input device using it.<br /> <br /> For example, cmpc_accel_sensitivity_store_v4() is the "show" method<br /> of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(),<br /> before calling dev_set_drvdata() for inputdev-&gt;dev. If the sysfs<br /> attribute is accessed prematurely, the dev_get_drvdata(&amp;inputdev-&gt;dev)<br /> call in in cmpc_accel_sensitivity_store_v4() returns NULL which<br /> leads to a NULL pointer dereference going forward.<br /> <br /> Moreover, sysfs attributes using the input device are added before<br /> initializing that device by cmpc_add_acpi_notify_device() and if one<br /> of them is accessed before running that function, a NULL pointer<br /> dereference will occur.<br /> <br /> For example, cmpc_accel_sensitivity_attr_v4 is added before calling<br /> cmpc_add_acpi_notify_device() and if it is read prematurely, the<br /> dev_get_drvdata(&amp;acpi-&gt;dev) call in cmpc_accel_sensitivity_show_v4()<br /> returns NULL which leads to a NULL pointer dereference going forward.<br /> <br /> Fix this by adding NULL pointer checks in all of the relevant places.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix out-of-bounds access in sysfs attribute read/write<br /> <br /> Some f2fs sysfs attributes suffer from out-of-bounds memory access and<br /> incorrect handling of integer values whose size is not 4 bytes.<br /> <br /> For example:<br /> vm:~# echo 65537 &gt; /sys/fs/f2fs/vde/carve_out<br /> vm:~# cat /sys/fs/f2fs/vde/carve_out<br /> 65537<br /> vm:~# echo 4294967297 &gt; /sys/fs/f2fs/vde/atgc_age_threshold<br /> vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold<br /> 1<br /> <br /> carve_out maps to {struct f2fs_sb_info}-&gt;carve_out, which is a 8-bit<br /> integer. However, the sysfs interface allows setting it to a value<br /> larger than 255, resulting in an out-of-range update.<br /> <br /> atgc_age_threshold maps to {struct atgc_management}-&gt;age_threshold,<br /> which is a 64-bit integer, but its sysfs interface cannot correctly set<br /> values larger than UINT_MAX.<br /> <br /> The root causes are:<br /> 1. __sbi_store() treats all default values as unsigned int, which<br /> prevents updating integers larger than 4 bytes and causes out-of-bounds<br /> writes for integers smaller than 4 bytes.<br /> <br /> 2. f2fs_sbi_show() also assumes all default values are unsigned int,<br /> leading to out-of-bounds reads and incorrect access to integers larger<br /> than 4 bytes.<br /> <br /> This patch introduces {struct f2fs_attr}-&gt;size to record the actual size<br /> of the integer associated with each sysfs attribute. With this<br /> information, sysfs read and write operations can correctly access and<br /> update values according to their real data size, avoiding memory<br /> corruption and truncation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid UAF in f2fs_write_end_io()<br /> <br /> As syzbot reported an use-after-free issue in f2fs_write_end_io().<br /> <br /> It is caused by below race condition:<br /> <br /> loop device umount<br /> - worker_thread<br /> - loop_process_work<br /> - do_req_filebacked<br /> - lo_rw_aio<br /> - lo_rw_aio_complete<br /> - blk_mq_end_request<br /> - blk_update_request<br /> - f2fs_write_end_io<br /> - dec_page_count<br /> - folio_end_writeback<br /> - kill_f2fs_super<br /> - kill_block_super<br /> - f2fs_put_super<br /> : free(sbi)<br /> : get_pages(, F2FS_WB_CP_DATA)<br /> accessed sbi which is freed<br /> <br /> In kill_f2fs_super(), we will drop all page caches of f2fs inodes before<br /> call free(sbi), it guarantee that all folios should end its writeback, so<br /> it should be safe to access sbi before last folio_end_writeback().<br /> <br /> Let&amp;#39;s relocate ckpt thread wakeup flow before folio_end_writeback() to<br /> resolve this issue.