Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we make a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible, with criteria such as vulnerability type, manufacturer and impact level, among others, to narrow down the results.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-47197

Publication date:
10/04/2024
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()

Prior to this patch, in case mlx5_core_destroy_cq() failed it proceeded
to the rest of the destroy operations. mlx5_core_destroy_cq() could be called again
by the user and cause an additional call of mlx5_debug_cq_remove().
cq->dbg was not nullified in the previous call, causing the crash.

Fix it by nullifying the cq->dbg pointer after removal.

Also proceed to the destroy operations only if FW returns 0
for the MLX5_CMD_OP_DESTROY_CQ command.

general protection fault, probably for non-canonical address 0x2000300004058: 0000 [#1] SMP PTI
CPU: 5 PID: 1228 Comm: python Not tainted 5.15.0-rc5_for_upstream_min_debug_2021_10_14_11_06 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:lockref_get+0x1/0x60
Code: 5d e9 53 ff ff ff 48 8d 7f 70 e8 0a 2e 48 00 c7 85 d0 00 00 00 02
00 00 00 c6 45 70 00 fb 5d c3 c3 cc cc cc cc cc cc cc cc 53 8b 17
48 89 fb 85 d2 75 3d 48 89 d0 bf 64 00 00 00 48 89 c1 48
RSP: 0018:ffff888137dd7a38 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffff888107d5f458 RCX: 00000000fffffffe
RDX: 000000000002c2b0 RSI: ffffffff8155e2e0 RDI: 0002000300004058
RBP: ffff888137dd7a88 R08: 0002000300004058 R09: ffff8881144a9f88
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881141d4000
R13: ffff888137dd7c68 R14: ffff888137dd7d58 R15: ffff888137dd7cc0
FS: 00007f4644f2a4c0(0000) GS:ffff8887a2d40000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b4500f4380 CR3: 0000000114f7a003 CR4: 0000000000170ea0
Call Trace:
simple_recursive_removal+0x33/0x2e0
? debugfs_remove+0x60/0x60
debugfs_remove+0x40/0x60
mlx5_debug_cq_remove+0x32/0x70 [mlx5_core]
mlx5_core_destroy_cq+0x41/0x1d0 [mlx5_core]
devx_obj_cleanup+0x151/0x330 [mlx5_ib]
? __pollwait+0xd0/0xd0
? xas_load+0x5/0x70
? xa_load+0x62/0xa0
destroy_hw_idr_uobject+0x20/0x80 [ib_uverbs]
uverbs_destroy_uobject+0x3b/0x360 [ib_uverbs]
uobj_destroy+0x54/0xa0 [ib_uverbs]
ib_uverbs_cmd_verbs+0xaf2/0x1160 [ib_uverbs]
? uverbs_finalize_object+0xd0/0xd0 [ib_uverbs]
ib_uverbs_ioctl+0xc4/0x1b0 [ib_uverbs]
__x64_sys_ioctl+0x3e4/0x8e0
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2021-47198

Publication date:
10/04/2024
In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine

An error is detected with the following report when unloading the driver:
"KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b"

The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the
flag is not cleared upon completion of the login.

This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set
to LPFC_RPI_ALLOW_ERROR. This results in a use-after-free access when used
as an rpi_ids array index.

Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in
lpfc_mbx_cmpl_fc_reg_login().
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025

CVE-2021-47183

Publication date:
10/04/2024
In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix link down processing to address NULL pointer dereference

If an FC link down transition occurs while PLOGIs are outstanding to fabric well
known addresses, outstanding ABTS requests may result in a NULL pointer
dereference. Driver unload requests may hang with repeated "2878" log
messages.

The link down processing results in ABTS requests for outstanding ELS
requests. The Abort WQEs are sent for the ELSs before the driver has set
the link state to down. Thus the driver is sending the Abort with the
expectation that an ABTS will be sent on the wire. The Abort request is
stalled waiting for the link to come up. In some conditions the driver may
auto-complete the ELSs, so if the link does come up, the Abort completions
may reference an invalid structure.

Fix by ensuring that the Abort sets the flag to avoid link traffic if issued due
to conditions where the link failed.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-47193

Publication date:
10/04/2024
In the Linux kernel, the following vulnerability has been resolved:

scsi: pm80xx: Fix memory leak during rmmod

Driver failed to release all memory allocated. This would lead to a memory
leak during driver removal.

Properly free memory when the module is removed.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-31943

Publication date:
10/04/2024
Cross-Site Request Forgery (CSRF) vulnerability in Octolize USPS Shipping for WooCommerce – Live Rates. This issue affects USPS Shipping for WooCommerce – Live Rates: from n/a through 1.9.2.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-31944

Publication date:
10/04/2024
Cross-Site Request Forgery (CSRF) vulnerability in Octolize WooCommerce UPS Shipping – Live Rates and Access Points. This issue affects WooCommerce UPS Shipping – Live Rates and Access Points: from n/a through 2.2.4.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-31214

Publication date:
10/04/2024
Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it's not for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file system. This can potentially lead to remote code execution, XSS, DOS, etc. The default install of Traccar makes this vulnerability more severe. Self-registration is enabled by default, allowing anyone to create an account to exploit this vulnerability. Traccar also runs by default with root/system privileges, allowing files to be placed anywhere on the file system. Version 6.0 contains a fix for the issue. One may also turn off self-registration by default, as that would make most vulnerabilities in the application much harder to exploit by default and reduce the severity considerably.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2025

CVE-2024-31230

Publication date:
10/04/2024
Missing Authorization vulnerability in ShortPixel ShortPixel Adaptive Images. This issue affects ShortPixel Adaptive Images: from n/a through 3.8.2.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-31242

Publication date:
10/04/2024
Missing Authorization vulnerability in Bricksforge. This issue affects Bricksforge: from n/a through 2.0.17.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-31461

Publication date:
10/04/2024
Plane, an open-source project management tool, has a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 0.17-dev. This issue may allow an attacker to send arbitrary requests from the server hosting the application, potentially leading to unauthorized access to internal systems. The impact of this vulnerability includes, but is not limited to, unauthorized access to internal services reachable from the server, potential leakage of sensitive information from internal services, and manipulation of internal systems by interacting with internal APIs. Version 0.17-dev contains a patch for this issue. Those who are unable to update immediately may mitigate the issue by restricting outgoing network connections from servers hosting the application to essential services only and/or implementing strict input validation on URLs or parameters that are used to generate server-side requests.
Severity CVSS v4.0: Pending analysis
Last modification:
19/04/2024

CVE-2024-3568

Publication date:
10/04/2024
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2025

CVE-2024-3569

Publication date:
10/04/2024
A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me' mode with a password. An attacker can exploit this vulnerability by making a request to the endpoint using the [validatedRequest] middleware with a specially crafted 'Authorization:' header. This vulnerability leads to uncontrolled resource consumption, causing a DoS condition.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025