Vulnerabilidades

*** Pendiente de traducción *** UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library.<br /> <br /> UnQLite for Perl embeds the UnQLite library. Version 0.06 and earlier of the Perl module uses a version of the library from 2014 that may be vulnerable to a heap-based overflow.

*** Pendiente de traducción *** Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib.<br /> <br /> Compress::Raw::Zlib includes a copy of the zlib library. Compress::Raw::Zlib version 2.220 includes zlib 1.3.2, which addresses findings fron the 7ASecurity audit of zlib. The includes fixs for CVE-2026-27171.

*** Pendiente de traducción *** International Data Casting (IDC) SFX2100 satellite receiver comes with the `/bin/date` utility installed with the setuid bit set. This configuration grants elevated privileges to any local user who can execute the binary. A local actor is able to use the GTFObins resource to preform privileged file reads as the root user on the local file system. This allows an actor to be able to read any root read-only files, such as the /etc/shadow file or other configuration/secrets carrier files.

*** Pendiente de traducción *** A SUID root-owned binary in /home/xd/terminal/XDTerminal in International Data Casting (IDC) SFX2100 on Linux allows a local actor to potentially preform local privilege escalation depending on conditions of the system via execution of the affected SUID binary. This can be via PATH hijacking, symlink abuse or shared object hijacking.

*** Pendiente de traducción *** Multiple SUID root-owned binaries are found in /home/monitor/terminal, /home/monitor/kore-terminal, /home/monitor/IDE-DPack/terminal-dpack, and /home/monitor/IDE-DPack/terminal-dpack2 in International Data Casting (IDC) SFX2100 Satellite Receiver, which may lead to local privlidge escalation from the `monitor` user to root

*** Pendiente de traducción *** IDC SFX2100 Satalite Recievers set the `/etc/resolv.conf` file to be world-writable by any local user, allowing DNS resolver tampering that can redirect network communications, facilitate man-in-the-middle attacks, and cause denial of service.

*** Pendiente de traducción *** Incorrect permission assignment (world-writable file) in /etc/udhcpc/default.script in International Data Casting (IDC) SFX2100 Satellite Receiver allows a local unprivileged attacker to potentially execute arbitrary commands with root privileges (local privilege escalation and persistence) via modification of a root-owned, world-writable BusyBox udhcpc DHCP event script, which is executed when a DHCP lease is obtained, renewed, or lost.

*** Pendiente de traducción *** Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely.<br /> <br /> The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.<br /> <br /> Predicable session ids could allow an attacker to gain access to systems.<br /> <br /> Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923.

*** Pendiente de traducción *** Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id.<br /> <br /> Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

*** Pendiente de traducción *** International Data Casting (IDC) SFX2100 satellite receiver comes with the `/sbin/ip` utility installed with the setuid bit set. This configuration grants elevated privileges to any local user who can execute the binary. A local actor is able to use the GTFObins resource to preform privileged file reads as the root user on the local file system and may potentially lead to other avenues for preforming privileged actions.

*** Pendiente de traducción *** A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header (authority). Operators relying on the default are vulnerable to cache poisoning, and cross-origin responses may be improperly served to users.<br /> <br /> <br /> Impact<br /> <br /> This vulnerability affects users of Pingora&amp;#39;s alpha proxy caching feature who relied on the default CacheKey implementation. An attacker could exploit this for:<br /> <br /> * Cross-tenant data leakage: In multi-tenant deployments, poison the cache so that users from one tenant receive cached responses from another tenant<br /> <br /> <br /> * Cache poisoning attacks: Serve malicious content to legitimate users by poisoning shared cache entries<br /> <br /> <br /> <br /> <br /> Cloudflare&amp;#39;s CDN infrastructure was not affected by this vulnerability, as Cloudflare&amp;#39;s default cache key implementation uses multiple factors to prevent cache key poisoning and never made use of the previously provided default.<br /> <br /> <br /> Mitigation:<br /> <br /> We strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher, which removes the insecure default cache key implementation. Users must now explicitly implement their own callback that includes appropriate factors such as Host header, origin server HTTP scheme, and other attributes their cache should vary on.<br /> <br /> <br /> Pingora users on previous versions may also remove any of their default CacheKey usage and implement their own that should at minimum include the host header / authority and upstream peer’s HTTP scheme.

*** Pendiente de traducción *** An HTTP request smuggling vulnerability (CWE-444) was found in Pingora&amp;#39;s handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.<br /> <br /> Impact<br /> <br /> This vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:<br /> <br /> * Bypass proxy-level ACL controls and WAF logic<br /> <br /> <br /> <br /> <br /> * Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests<br /> <br /> <br /> <br /> <br /> * Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP<br /> <br /> <br /> <br /> <br /> Cloudflare&amp;#39;s CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.<br /> <br /> <br /> Mitigation:<br /> <br /> Pingora users should upgrade to Pingora v0.8.0 or higher<br /> <br /> <br /> As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.