Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-46683

Publication date:
13/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/xe: prevent UAF around preempt fence

The fence lock is part of the queue, therefore in the current design anything locking the fence should then also hold a ref to the queue to prevent the queue from being freed.

However, currently it looks like we signal the fence and then drop the queue ref, but if something is waiting on the fence, the waiter is kicked to wake up at some later point, where upon waking up it first grabs the lock before checking the fence state. But if we have already dropped the queue ref, then the lock might already be freed as part of the queue, leading to UAF.

To prevent this, move the fence lock into the fence itself so we don't run into lifetime issues. Alternative might be to have device level lock, or only release the queue in the fence release callback, however that might require pushing to another worker to avoid locking issues.

References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454
References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342
References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020
(cherry picked from commit 7116c35aacedc38be6d15bd21b2fc936eed0008b)
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026

CVE-2024-46679

Publication date:
13/09/2024
In the Linux kernel, the following vulnerability has been resolved:

ethtool: check device is present when getting link settings

A sysfs reader can race with a device reset or removal, attempting to read device state when the device is not actually present. eg:

[exception RIP: qed_get_current_link+17]
#8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede]
#9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3
#10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4
#11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300
#12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c
#13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b
#14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3
#15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1
#16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f
#17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb

crash> struct net_device.state ffff9a9d21336000
state = 5,

state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100). The device is not present, note lack of __LINK_STATE_PRESENT (0b10).

This is the same sort of panic as observed in commit 4224cfd7fb65 ("net-sysfs: add check for netdevice being present to speed_show").

There are many other callers of __ethtool_get_link_ksettings() which don't have a device presence check.

Move this check into ethtool to protect all callers.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2024-46673

Publication date:
13/09/2024
In the Linux kernel, the following vulnerability has been resolved:

scsi: aacraid: Fix double-free on probe failure

aac_probe_one() calls hardware-specific init functions through the aac_driver_ident::init pointer, all of which eventually call down to aac_init_adapter().

If aac_init_adapter() fails after allocating memory for aac_dev::queues, it frees the memory but does not clear that member.

After the hardware-specific init function returns an error, aac_probe_one() goes down an error path that frees the memory pointed to by aac_dev::queues, resulting in a double-free.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-38816

Publication date:
13/09/2024
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Specifically, an application is vulnerable when both of the following are true:

* the web application uses RouterFunctions to serve static resources
* resource handling is explicitly configured with a FileSystemResource location

However, malicious requests are blocked and rejected when any of the following is true:

* the Spring Security HTTP Firewall (https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html) is in use
* the application runs on Tomcat or Jetty
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-8656

Publication date:
13/09/2024
The WPFactory Helper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2024-43180

Publication date:
13/09/2024
IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-8762

Publication date:
13/09/2024
A vulnerability was found in code-projects Crud Operation System 1.0. It has been classified as critical. This affects an unknown part of the file /updatedata.php. The manipulation of the argument sid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2024

CVE-2024-8751

Publication date:
12/09/2024
A vulnerability in the MSC800 allows an unauthenticated attacker to modify the product's IP address over Sopas ET. This can lead to Denial of Service. Users are recommended to upgrade both MSC800 and MSC800 LFT to version V4.26 and S2.93.20 respectively, which fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-7960

Publication date:
12/09/2024
The Rockwell Automation affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2024

CVE-2024-7961

Publication date:
12/09/2024
A path traversal vulnerability exists in the Rockwell Automation affected product. If exploited, the threat actor could upload arbitrary files to the server that could result in a remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2024

CVE-2024-45607

Publication date:
12/09/2024
whatsapp-api-js is a TypeScript server agnostic Whatsapp's Official API framework. It's possible to check the payload validation using the WhatsAppAPI.verifyRequestSignature and expect false when the signature is valid. Incorrect Access Control, anyone using the post or verifyRequestSignature methods to handle messages is impacted. This vulnerability is fixed in 4.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2024

CVE-2024-6077

Publication date:
12/09/2024
A denial-of-service vulnerability exists in the Rockwell Automation affected products when specially crafted packets are sent to the CIP Security Object. If exploited the device will become unavailable and require a factory reset to recover.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2024