Vulnerabilities

Buildroot before 0b2967e lacks the sticky bit for the /dev/shm directory. A fix was released in 2024.02.2.

TwoNav 2.1.13 contains an SSRF vulnerability via the url paramater to index.php?c=api&method=read_data&type=connectivity_test (which reaches /system/api.php).

IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 264939.

In Extreme XOS through 22.6.1.4, a read-only user can escalate privileges to root via a crafted HTTP POST request to the python method of the Machine-to-Machine Interface (MMI).

Kliqqi-CMS 2.0.2 is vulnerable to SQL Injection in load_data.php via the userid parameter.

Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to. This issue has been addressed in version 1.11.12 and users are advised to upgrade. Users unable to upgrade may enable the `ignore_panel_config_updates` option as a workaround.

Pterodactyl is a free, open-source game server management panel built with PHP, React, and Go. Importing a malicious egg or gaining access to wings instance could lead to cross site scripting (XSS) on the panel, which could be used to gain an administrator account on the panel. Specifically, the following things are impacted: Egg Docker images and Egg variables: Name, Environment variable, Default value, Description, Validation rules. Additionally, certain fields would reflect malicious input, but it would require the user knowingly entering such input to have an impact. To iterate, this would require an administrator to perform actions and can't be triggered by a normal panel user. This issue has has been addressed in version 1.11.6 and users are advised to upgrade. No workaround is available other than updating to the latest version of the panel.

Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the `api.disable_remote_download` option as a workaround.

kurwov is a fast, dependency-free library for creating Markov Chains. An unsafe sanitization of dataset contents on the `MarkovData#getNext` method used in `Markov#generate` and `Markov#choose` allows a maliciously crafted string on the dataset to throw and stop the function from running properly. If a string contains a forbidden substring (i.e. `__proto__`) followed by a space character, the code will access a special property in `MarkovData#finalData` by removing the last character of the string, bypassing the dataset sanitization (as it is supposed to be already sanitized before this function is called). Any dataset can be contaminated with the substring making it unable to properly generate anything in some cases. This issue has been addressed in version 3.2.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: Fix DMA mappings leak<br /> <br /> Fix leak, when user changes ring parameters.<br /> During reallocation of RX buffers, new DMA mappings are created for<br /> those buffers. New buffers with different RX ring count should<br /> substitute older ones, but those buffers were freed in ice_vsi_cfg_rxq<br /> and reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused<br /> leak of already mapped DMA.<br /> Reallocate ZC with xdp_buf struct, when BPF program loads. Reallocate<br /> back to rx_buf, when BPF program unloads.<br /> If BPF program is loaded/unloaded and XSK pools are created, reallocate<br /> RX queues accordingly in XDP_SETUP_XSK_POOL handler.<br /> <br /> Steps for reproduction:<br /> while :<br /> do<br /> for ((i=0; i

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpt3sas: Fix use-after-free warning<br /> <br /> Fix the following use-after-free warning which is observed during<br /> controller reset:<br /> <br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/radeon: add a force flush to delay work when radeon<br /> <br /> Although radeon card fence and wait for gpu to finish processing current batch rings,<br /> there is still a corner case that radeon lockup work queue may not be fully flushed,<br /> and meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to<br /> put device in D3hot state.<br /> Per PCI spec rev 4.0 on 5.3.1.4.1 D3hot State.<br /> &gt; Configuration and Message requests are the only TLPs accepted by a Function in<br /> &gt; the D3hot state. All other received Requests must be handled as Unsupported Requests,<br /> &gt; and all received Completions may optionally be handled as Unexpected Completions.<br /> This issue will happen in following logs:<br /> Unable to handle kernel paging request at virtual address 00008800e0008010<br /> CPU 0 kworker/0:3(131): Oops 0<br /> pc = [] ra = [] ps = 0000 Tainted: G W<br /> pc is at si_gpu_check_soft_reset+0x3c/0x240<br /> ra is at si_dma_is_lockup+0x34/0xd0<br /> v0 = 0000000000000000 t0 = fff08800e0008010 t1 = 0000000000010000<br /> t2 = 0000000000008010 t3 = fff00007e3c00000 t4 = fff00007e3c00258<br /> t5 = 000000000000ffff t6 = 0000000000000001 t7 = fff00007ef078000<br /> s0 = fff00007e3c016e8 s1 = fff00007e3c00000 s2 = fff00007e3c00018<br /> s3 = fff00007e3c00000 s4 = fff00007fff59d80 s5 = 0000000000000000<br /> s6 = fff00007ef07bd98<br /> a0 = fff00007e3c00000 a1 = fff00007e3c016e8 a2 = 0000000000000008<br /> a3 = 0000000000000001 a4 = 8f5c28f5c28f5c29 a5 = ffffffff810f4338<br /> t8 = 0000000000000275 t9 = ffffffff809b66f8 t10 = ff6769c5d964b800<br /> t11= 000000000000b886 pv = ffffffff811bea20 at = 0000000000000000<br /> gp = ffffffff81d89690 sp = 00000000aa814126<br /> Disabling lock debugging due to kernel taint<br /> Trace:<br /> [] si_dma_is_lockup+0x34/0xd0<br /> [] radeon_fence_check_lockup+0xd0/0x290<br /> [] process_one_work+0x280/0x550<br /> [] worker_thread+0x70/0x7c0<br /> [] worker_thread+0x130/0x7c0<br /> [] kthread+0x200/0x210<br /> [] worker_thread+0x0/0x7c0<br /> [] kthread+0x14c/0x210<br /> [] ret_from_kernel_thread+0x18/0x20<br /> [] kthread+0x0/0x210<br /> Code: ad3e0008 43f0074a ad7e0018 ad9e0020 8c3001e8 40230101<br /> 4821ed21<br /> So force lockup work queue flush to fix this problem.