Vulnerabilities

Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.<br />

Zitadel is an open source identity management system. In case ZITADEL could not connect to the database, connection information including db name, username and db host name could be returned to the user. This has been addressed in all supported release branches in a point release. There is no workaround since a patch is already available. Users are advised to upgrade.

RIOT is a real-time multi-threading operating system that supports a range of devices that are typically 8-bit, 16-bit and 32-bit microcontrollers. The size check in the `gcoap_dns_server_proxy_get()` function contains a small typo that may lead to a buffer overflow in the subsequent `strcpy()`. In detail, the length of the `_uri` string is checked instead of the length of the `_proxy` string. The `_gcoap_forward_proxy_copy_options()` function does not implement an explicit size check before copying data to the `cep-&gt;req_etag` buffer that is `COAP_ETAG_LENGTH_MAX` bytes long. If an attacker can craft input so that `optlen` becomes larger than `COAP_ETAG_LENGTH_MAX`, they can cause a buffer overflow. If the input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution. This issue has yet to be patched. Users are advised to add manual bounds checking.

RIOT is a real-time multi-threading operating system that supports a range of devices that are typically 8-bit, 16-bit and 32-bit microcontrollers. Most codebases define assertion macros which compile to a no-op on non-debug builds. If assertions are the only line of defense against untrusted input, the software may be exposed to attacks that leverage the lack of proper input checks. In detail, in the `nimble_scanlist_update()` function below, `len` is checked in an assertion and subsequently used in a call to `memcpy()`. If an attacker is able to provide a larger `len` value while assertions are compiled-out, they can write past the end of the fixed-length `e-&gt;ad` buffer. If the unchecked input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to arbitrary code execution. This issue has not yet been patched. Users are advised to add manual `len` checking.

librespeed/speedtest is an open source, self-hosted speed test for HTML5. In affected versions missing neutralization of the ISP information in a speedtest result leads to stored Cross-site scripting in the JSON API. The `processedString` field in the `ispinfo` parameter is missing neutralization. It is stored when a user submits a speedtest result to the telemetry API (`results/telemetry.php`) and returned in the JSON API (`results/json.php`). This vulnerability has been introduced in commit 3937b94. This vulnerability affects LibreSpeed speedtest instances running version 5.2.5 or higher which have telemetry enabled and has been addressed in version 5.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File&amp;#39;s _Disallowed Remote Addresses_ list (`$config[&amp;#39;disallowed_remote_addresses&amp;#39;]`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8&amp;#39; to their disallowed address list.

RIOT is a real-time multi-threading operating system that supports a range of devices that are typically 8-bit, 16-bit and 32-bit microcontrollers. The `_on_rd_init()` function does not implement a size check before copying data to the `_result_buf` static buffer. If an attacker can craft a long enough payload, they could cause a buffer overflow. If the unchecked input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to arbitrary code execution. This issue has yet to be patched. Users are advised to add manual bounds checking.

Static Web Server (SWS) is a tiny and fast production-ready web server suitable to serve static web files or assets. In affected versions if directory listings are enabled for a directory that an untrusted user has upload privileges for, a malicious file name like `.txt` will allow JavaScript code execution in the context of the web server’s domain. SWS generally does not perform escaping of HTML entities on any values inserted in the directory listing. At the very least `file_name` and `current_path` could contain malicious data however. `file_uri` could also be malicious but the relevant scenarios seem to be all caught by hyper. For any web server that allow users to upload files or create directories under a name of their choosing this becomes a stored Cross-site Scripting vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.

The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fork: defer linking file vma until vma is fully initialized<br /> <br /> Thorvald reported a WARNING [1]. And the root cause is below race:<br /> <br /> CPU 1 CPU 2<br /> fork hugetlbfs_fallocate<br /> dup_mmap hugetlbfs_punch_hole<br /> i_mmap_lock_write(mapping);<br /> vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.<br /> i_mmap_unlock_write(mapping);<br /> hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!<br /> i_mmap_lock_write(mapping);<br /> hugetlb_vmdelete_list<br /> vma_interval_tree_foreach<br /> hugetlb_vma_trylock_write -- Vma_lock is cleared.<br /> tmp-&gt;vm_ops-&gt;open -- Alloc new vma_lock outside i_mmap_rwsem!<br /> hugetlb_vma_unlock_write -- Vma_lock is assigned!!!<br /> i_mmap_unlock_write(mapping);<br /> <br /> hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside<br /> i_mmap_rwsem lock while vma lock can be used in the same time. Fix this<br /> by deferring linking file vma until vma is fully initialized. Those vmas<br /> should be initialized first before they can be used.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Prevent deadlock while disabling aRFS<br /> <br /> When disabling aRFS under the `priv-&gt;state_lock`, any scheduled<br /> aRFS works are canceled using the `cancel_work_sync` function,<br /> which waits for the work to end if it has already started.<br /> However, while waiting for the work handler, the handler will<br /> try to acquire the `state_lock` which is already acquired.<br /> <br /> The worker acquires the lock to delete the rules if the state<br /> is down, which is not the worker&amp;#39;s responsibility since<br /> disabling aRFS deletes the rules.<br /> <br /> Add an aRFS state variable, which indicates whether the aRFS is<br /> enabled and prevent adding rules when the aRFS is disabled.<br /> <br /> Kernel log:<br /> <br /> ======================================================<br /> WARNING: possible circular locking dependency detected<br /> 6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I<br /> ------------------------------------------------------<br /> ethtool/386089 is trying to acquire lock:<br /> ffff88810f21ce68 ((work_completion)(&amp;rule-&gt;arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0<br /> <br /> but task is already holding lock:<br /> ffff8884a1808cc0 (&amp;priv-&gt;state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]<br /> <br /> which lock already depends on the new lock.<br /> <br /> the existing dependency chain (in reverse order) is:<br /> <br /> -&gt; #1 (&amp;priv-&gt;state_lock){+.+.}-{3:3}:<br /> __mutex_lock+0x80/0xc90<br /> arfs_handle_work+0x4b/0x3b0 [mlx5_core]<br /> process_one_work+0x1dc/0x4a0<br /> worker_thread+0x1bf/0x3c0<br /> kthread+0xd7/0x100<br /> ret_from_fork+0x2d/0x50<br /> ret_from_fork_asm+0x11/0x20<br /> <br /> -&gt; #0 ((work_completion)(&amp;rule-&gt;arfs_work)){+.+.}-{0:0}:<br /> __lock_acquire+0x17b4/0x2c80<br /> lock_acquire+0xd0/0x2b0<br /> __flush_work+0x7a/0x4e0<br /> __cancel_work_timer+0x131/0x1c0<br /> arfs_del_rules+0x143/0x1e0 [mlx5_core]<br /> mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]<br /> mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]<br /> ethnl_set_channels+0x28f/0x3b0<br /> ethnl_default_set_doit+0xec/0x240<br /> genl_family_rcv_msg_doit+0xd0/0x120<br /> genl_rcv_msg+0x188/0x2c0<br /> netlink_rcv_skb+0x54/0x100<br /> genl_rcv+0x24/0x40<br /> netlink_unicast+0x1a1/0x270<br /> netlink_sendmsg+0x214/0x460<br /> __sock_sendmsg+0x38/0x60<br /> __sys_sendto+0x113/0x170<br /> __x64_sys_sendto+0x20/0x30<br /> do_syscall_64+0x40/0xe0<br /> entry_SYSCALL_64_after_hwframe+0x46/0x4e<br /> <br /> other info that might help us debug this:<br /> <br /> Possible unsafe locking scenario:<br /> <br /> CPU0 CPU1<br /> ---- ----<br /> lock(&amp;priv-&gt;state_lock);<br /> lock((work_completion)(&amp;rule-&gt;arfs_work));<br /> lock(&amp;priv-&gt;state_lock);<br /> lock((work_completion)(&amp;rule-&gt;arfs_work));<br /> <br /> *** DEADLOCK ***<br /> <br /> 3 locks held by ethtool/386089:<br /> #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40<br /> #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240<br /> #2: ffff8884a1808cc0 (&amp;priv-&gt;state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]<br /> <br /> stack backtrace:<br /> CPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x60/0xa0<br /> check_noncircular+0x144/0x160<br /> __lock_acquire+0x17b4/0x2c80<br /> lock_acquire+0xd0/0x2b0<br /> ? __flush_work+0x74/0x4e0<br /> ? save_trace+0x3e/0x360<br /> ? __flush_work+0x74/0x4e0<br /> __flush_work+0x7a/0x4e0<br /> ? __flush_work+0x74/0x4e0<br /> ? __lock_acquire+0xa78/0x2c80<br /> ? lock_acquire+0xd0/0x2b0<br /> ? mark_held_locks+0x49/0x70<br /> __cancel_work_timer+0x131/0x1c0<br /> ? mark_held_locks+0x49/0x70<br /> arfs_del_rules+0x143/0x1e0 [mlx5_core]<br /> mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]<br /> mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]<br /> ethnl_set_channels+0x28f/0x3b0<br /> ethnl_default_set_doit+0xec/0x240<br /> genl_family_rcv_msg_doit+0xd0/0x120<br /> genl_rcv_msg+0x188/0x2c0<br /> ? ethn<br /> ---truncated---