Vulnerabilities

A crafted system call argument can cause memory corruption.

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

A vulnerability was found in SourceCodester Responsive E-Learning System 1.0. This affects an unknown part of the file /admin/add_teacher.php. The manipulation of the argument Username results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.

An issue in ClipBucket 5.5.0 and prior versions allows an unauthenticated attacker can exploit the plupload endpoint in photo_uploader.php to upload arbitrary files without any authentication, due to missing access controls in the upload handler

A weakness has been identified in fuyang_lipengjun platform 1.0. Affected is the function BrandController of the file /brand/queryAll. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited.

IBM Lakehouse (watsonx.data 2.2) is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

IBM Lakehouse (watsonx.data 2.2) could allow an authenticated privileged user to execute arbitrary commands on the system due to improper validation of user supplied input.

IBM Lakehouse (watsonx.data 2.2) could allow an authenticated user to obtain sensitive server component version information which could aid in further attacks against the system.

Cross Site Request Forgery (CSRF) vulnerability in Smartvista BackOffice SmartVista Suite 2.2.22 via crafted GET request.

A vulnerability was identified in fuyang_lipengjun platform 1.0. This affects the function AttributeCategoryController of the file /attributecategory/queryAll. Such manipulation leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used.

A security flaw has been discovered in fuyang_lipengjun platform 1.0. This impacts the function AttributeController of the file /attribute/queryAll. Performing manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: don&amp;#39;t reset unchangable mount option in f2fs_remount()<br /> <br /> syzbot reports a bug as below:<br /> <br /> general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN<br /> RIP: 0010:__lock_acquire+0x69/0x2000 kernel/locking/lockdep.c:4942<br /> Call Trace:<br /> lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5691<br /> __raw_write_lock include/linux/rwlock_api_smp.h:209 [inline]<br /> _raw_write_lock+0x2e/0x40 kernel/locking/spinlock.c:300<br /> __drop_extent_tree+0x3ac/0x660 fs/f2fs/extent_cache.c:1100<br /> f2fs_drop_extent_tree+0x17/0x30 fs/f2fs/extent_cache.c:1116<br /> f2fs_insert_range+0x2d5/0x3c0 fs/f2fs/file.c:1664<br /> f2fs_fallocate+0x4e4/0x6d0 fs/f2fs/file.c:1838<br /> vfs_fallocate+0x54b/0x6b0 fs/open.c:324<br /> ksys_fallocate fs/open.c:347 [inline]<br /> __do_sys_fallocate fs/open.c:355 [inline]<br /> __se_sys_fallocate fs/open.c:353 [inline]<br /> __x64_sys_fallocate+0xbd/0x100 fs/open.c:353<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> The root cause is race condition as below:<br /> - since it tries to remount rw filesystem, so that do_remount won&amp;#39;t<br /> call sb_prepare_remount_readonly to block fallocate, there may be race<br /> condition in between remount and fallocate.<br /> - in f2fs_remount(), default_options() will reset mount option to default<br /> one, and then update it based on result of parse_options(), so there is<br /> a hole which race condition can happen.<br /> <br /> Thread A Thread B<br /> - f2fs_fill_super<br /> - parse_options<br /> - clear_opt(READ_EXTENT_CACHE)<br /> <br /> - f2fs_remount<br /> - default_options<br /> - set_opt(READ_EXTENT_CACHE)<br /> - f2fs_fallocate<br /> - f2fs_insert_range<br /> - f2fs_drop_extent_tree<br /> - __drop_extent_tree<br /> - __may_extent_tree<br /> - test_opt(READ_EXTENT_CACHE) return true<br /> - write_lock(&amp;et-&gt;lock) access NULL pointer<br /> - parse_options<br /> - clear_opt(READ_EXTENT_CACHE)