Vulnerabilidades

*** Pendiente de traducción *** NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability may lead to a partial denial of service.

*** Pendiente de traducción *** NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm where an attacker may cause a heap-based buffer overflow by getting the user to run nvdisasm on a malicious ELF file. A successful exploit of this vulnerability may lead to arbitrary code execution at the privilege level of the user running nvdisasm.

*** Pendiente de traducción *** NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability may lead to a partial denial of service.

*** Pendiente de traducción *** NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the cuobjdump binary where a user may cause an out-of-bounds read by passing a malformed ELF file to cuobjdump. A successful exploit of this vulnerability may lead to a partial denial of service.

*** Pendiente de traducción *** The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.6.9.

nncp antes de 8.12.0 permite salto de ruta (para lectura o escritura) durante la frecuencia y el guardado de archivos a través de una ruta especialmente diseñada en los datos del paquete.

*** Pendiente de traducción *** A flaw has been found in Magnetism Studios Endurance up to 3.3.0 on macOS. This affects the function loadModuleNamed:WithReply of the file /Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper of the component NSXPC Interface. Executing manipulation can lead to missing authentication. The attack needs to be launched locally. The exploit has been published and may be used.

*** Pendiente de traducción *** The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'wcmlim_settings_ajax_handler' function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: l2cap: Check encryption key size on incoming connection<br /> <br /> This is required for passing GAP/SEC/SEM/BI-04-C PTS test case:<br /> Security Mode 4 Level 4, Responder - Invalid Encryption Key Size<br /> - 128 bit<br /> <br /> This tests the security key with size from 1 to 15 bytes while the<br /> Security Mode 4 Level 4 requests 16 bytes key size.<br /> <br /> Currently PTS fails with the following logs:<br /> - expected:Connection Response:<br /> Code: [3 (0x03)] Code<br /> Identifier: (lt)WildCard: Exists(gt)<br /> Length: [8 (0x0008)]<br /> Destination CID: (lt)WildCard: Exists(gt)<br /> Source CID: [64 (0x0040)]<br /> Result: [3 (0x0003)] Connection refused - Security block<br /> Status: (lt)WildCard: Exists(gt),<br /> but received:Connection Response:<br /> Code: [3 (0x03)] Code<br /> Identifier: [1 (0x01)]<br /> Length: [8 (0x0008)]<br /> Destination CID: [64 (0x0040)]<br /> Source CID: [64 (0x0040)]<br /> Result: [0 (0x0000)] Connection Successful<br /> Status: [0 (0x0000)] No further information available<br /> <br /> And HCI logs:<br /> HCI Event: Command Complete (0x0e) plen 7<br /> Read Encryption Key Size (0x05|0x0008) ncmd 1<br /> Status: Success (0x00)<br /> Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)<br /> Key size: 7<br /> &gt; ACL Data RX: Handle 14 flags 0x02 dlen 12<br /> L2CAP: Connection Request (0x02) ident 1 len 4<br /> PSM: 4097 (0x1001)<br /> Source CID: 64<br />

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event<br /> <br /> Currently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps<br /> is not freed in the failure case, causing a memory leak. The following<br /> trace is observed in kmemleak:<br /> <br /> unreferenced object 0xffff8b3eb5789c00 (size 1024):<br /> comm "softirq", pid 0, jiffies 4294942577<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10 ............{...<br /> 01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00 .............8..<br /> backtrace (crc 44e1c357):<br /> __kmalloc_noprof+0x30b/0x410<br /> ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k]<br /> ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]<br /> ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k]<br /> ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]<br /> ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k]<br /> ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k]<br /> ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k]<br /> ath12k_ce_recv_process_cb+0x218/0x300 [ath12k]<br /> ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k]<br /> process_one_work+0x219/0x680<br /> bh_worker+0x198/0x1f0<br /> tasklet_action+0x13/0x30<br /> handle_softirqs+0xca/0x460<br /> __irq_exit_rcu+0xbe/0x110<br /> irq_exit_rcu+0x9/0x30<br /> <br /> Free svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak.<br /> <br /> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_core: Disable works on hci_unregister_dev<br /> <br /> This make use of disable_work_* on hci_unregister_dev since the hci_dev is<br /> about to be freed new submissions are not disarable.

Una comprobación de permisos incorrecta en el AdminServer de ZooKeeper permite a clientes autorizados ejecutar el comando de instantánea y restauración con permisos insuficientes.<br /> <br /> Este problema afecta a Apache ZooKeeper: desde 3.9.0 hasta antes de 3.9.4.<br /> <br /> Se recomienda a los usuarios actualizar a la versión 3.9.4, que corrige el problema.<br /> <br /> El problema puede mitigarse deshabilitando ambos comandos (a través de admin.snapshot.enabled y admin.restore.enabled), deshabilitando toda la interfaz del AdminServer (a través de admin.enableServer), o asegurando que la ACL raíz no proporcione permisos abiertos. (Nótese que las ACL de ZooKeeper no son recursivas, por lo que esto no impacta las operaciones en nodos hijos, además de las notificaciones de los observadores recursivos.)