Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: dwc3: core: Prevent USB core invalid event buffer address access<br /> <br /> This commit addresses an issue where the USB core could access an<br /> invalid event buffer address during runtime suspend, potentially causing<br /> SMMU faults and other memory issues in Exynos platforms. The problem<br /> arises from the following sequence.<br /> 1. In dwc3_gadget_suspend, there is a chance of a timeout when<br /> moving the USB core to the halt state after clearing the<br /> run/stop bit by software.<br /> 2. In dwc3_core_exit, the event buffer is cleared regardless of<br /> the USB core&amp;#39;s status, which may lead to an SMMU faults and<br /> other memory issues. if the USB core tries to access the event<br /> buffer address.<br /> <br /> To prevent this hardware quirk on Exynos platforms, this commit ensures<br /> that the event buffer address is not cleared by software when the USB<br /> core is active during runtime suspend by checking its status before<br /> clearing the buffer address.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfc: pn533: Add poll mod list filling check<br /> <br /> In case of im_protocols value is 1 and tm_protocols value is 0 this<br /> combination successfully passes the check<br /> &amp;#39;if (!im_protocols &amp;&amp; !tm_protocols)&amp;#39; in the nfc_start_poll().<br /> But then after pn533_poll_create_mod_list() call in pn533_start_poll()<br /> poll mod list will remain empty and dev-&gt;poll_mod_count will remain 0<br /> which lead to division by zero.<br /> <br /> Normally no im protocol has value 1 in the mask, so this combination is<br /> not expected by driver. But these protocol values actually come from<br /> userspace via Netlink interface (NFC_CMD_START_POLL operation). So a<br /> broken or malicious program may pass a message containing a "bad"<br /> combination of protocol parameter values so that dev-&gt;poll_mod_count<br /> is not incremented inside pn533_poll_create_mod_list(), thus leading<br /> to division by zero.<br /> Call trace looks like:<br /> nfc_genl_start_poll()<br /> nfc_start_poll()<br /> -&gt;start_poll()<br /> pn533_start_poll()<br /> <br /> Add poll mod list filling check.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gtp: fix a potential NULL pointer dereference<br /> <br /> When sockfd_lookup() fails, gtp_encap_enable_socket() returns a<br /> NULL pointer, but its callers only check for error pointers thus miss<br /> the NULL pointer case.<br /> <br /> Fix it by returning an error pointer with the error code carried from<br /> sockfd_lookup().<br /> <br /> (I found this bug during code inspection.)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe: prevent UAF around preempt fence<br /> <br /> The fence lock is part of the queue, therefore in the current design<br /> anything locking the fence should then also hold a ref to the queue to<br /> prevent the queue from being freed.<br /> <br /> However, currently it looks like we signal the fence and then drop the<br /> queue ref, but if something is waiting on the fence, the waiter is<br /> kicked to wake up at some later point, where upon waking up it first<br /> grabs the lock before checking the fence state. But if we have already<br /> dropped the queue ref, then the lock might already be freed as part of<br /> the queue, leading to uaf.<br /> <br /> To prevent this, move the fence lock into the fence itself so we don&amp;#39;t<br /> run into lifetime issues. Alternative might be to have device level<br /> lock, or only release the queue in the fence release callback, however<br /> that might require pushing to another worker to avoid locking issues.<br /> <br /> References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454<br /> References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342<br /> References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020<br /> (cherry picked from commit 7116c35aacedc38be6d15bd21b2fc936eed0008b)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ethtool: check device is present when getting link settings<br /> <br /> A sysfs reader can race with a device reset or removal, attempting to<br /> read device state when the device is not actually present. eg:<br /> <br /> [exception RIP: qed_get_current_link+17]<br /> #8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede]<br /> #9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3<br /> #10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4<br /> #11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300<br /> #12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c<br /> #13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b<br /> #14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3<br /> #15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1<br /> #16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f<br /> #17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb<br /> <br /> crash&gt; struct net_device.state ffff9a9d21336000<br /> state = 5,<br /> <br /> state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100).<br /> The device is not present, note lack of __LINK_STATE_PRESENT (0b10).<br /> <br /> This is the same sort of panic as observed in commit 4224cfd7fb65<br /> ("net-sysfs: add check for netdevice being present to speed_show").<br /> <br /> There are many other callers of __ethtool_get_link_ksettings() which<br /> don&amp;#39;t have a device presence check.<br /> <br /> Move this check into ethtool to protect all callers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: aacraid: Fix double-free on probe failure<br /> <br /> aac_probe_one() calls hardware-specific init functions through the<br /> aac_driver_ident::init pointer, all of which eventually call down to<br /> aac_init_adapter().<br /> <br /> If aac_init_adapter() fails after allocating memory for aac_dev::queues,<br /> it frees the memory but does not clear that member.<br /> <br /> After the hardware-specific init function returns an error,<br /> aac_probe_one() goes down an error path that frees the memory pointed to<br /> by aac_dev::queues, resulting.in a double-free.

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.<br /> <br /> Specifically, an application is vulnerable when both of the following are true:<br /> <br /> * the web application uses RouterFunctions to serve static resources<br /> * resource handling is explicitly configured with a FileSystemResource location<br /> <br /> <br /> However, malicious requests are blocked and rejected when any of the following is true:<br /> <br /> * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html  is in use<br /> * the application runs on Tomcat or Jetty

The WPFactory Helper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

A vulnerability was found in code-projects Crud Operation System 1.0. It has been classified as critical. This affects an unknown part of the file /updatedata.php. The manipulation of the argument sid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

A vulnerability in the MSC800 allows an unauthenticated attacker to modify the product’s IP<br /> address over Sopas ET. <br /> This can lead to Denial of Service. <br /> Users are recommended to upgrade both<br /> MSC800 and MSC800 LFT to version V4.26 and S2.93.20 respectively which fixes this issue.

The Rockwell Automation affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not.