Vulnerabilidades

*** Pendiente de traducción *** Brocade SANnav OVA before SANnav 2.3.1b enables SHA1 deprecated setting for SSH for port 22.

*** Pendiente de traducción *** Implementation of the Simple Network <br /> Management Protocol (SNMP) operating on the Brocade 6547 (FC5022) <br /> embedded switch blade, makes internal script calls to system.sh from <br /> within the SNMP binary. An authenticated attacker could perform command <br /> or parameter injection on SNMP operations that are only enabled on the <br /> Brocade 6547 (FC5022) embedded switch. This injection could allow the <br /> authenticated attacker to issue commands as Root.

*** Pendiente de traducción *** If Brocade Fabric OS before Fabric OS 9.2.0 configuration settings are not set to encrypt SNMP passwords, then the SNMP privsecret / authsecret fields can be exposed in plaintext. The plaintext passwords can be exposed in a configupload capture or a supportsave capture if encryption of passwords is not enabled. An attacker can use these passwords to fetch values of the supported OIDs via SNMPv3 queries. There are also a limited number of MIB objects that can be modified.

*** Pendiente de traducción *** The vulnerability may allow a remote low priviledged attacker to run arbitrary shell commands by manipulating the firmware file and uploading it to the device.

*** Pendiente de traducción *** The vulnerability may allow a remote low priviledged attacker to run arbitrary shell commands by using lower-level functions to interact with the device.

*** Pendiente de traducción *** For a brief summary of Xapi terminology, see:<br /> <br /> https://xapi-project.github.io/xen-api/overview.html#object-model-overview <br /> <br /> Xapi contains functionality to backup and restore metadata about Virtual<br /> Machines and Storage Repositories (SRs).<br /> <br /> The metadata itself is stored in a Virtual Disk Image (VDI) inside an<br /> SR. This is used for two purposes; a general backup of metadata<br /> (e.g. to recover from a host failure if the filer is still good), and<br /> Portable SRs (e.g. using an external hard drive to move VMs to another<br /> host).<br /> <br /> Metadata is only restored as an explicit administrator action, but<br /> occurs in cases where the host has no information about the SR, and must<br /> locate the metadata VDI in order to retrieve the metadata.<br /> <br /> The metadata VDI is located by searching (in UUID alphanumeric order)<br /> each VDI, mounting it, and seeing if there is a suitable metadata file<br /> present. The first matching VDI is deemed to be the metadata VDI, and<br /> is restored from.<br /> <br /> In the general case, the content of VDIs are controlled by the VM owner,<br /> and should not be trusted by the host administrator.<br /> <br /> A malicious guest can manipulate its disk to appear to be a metadata<br /> backup.<br /> <br /> A guest cannot choose the UUIDs of its VDIs, but a guest with one disk<br /> has a 50% chance of sorting ahead of the legitimate metadata backup. A<br /> guest with two disks has a 75% chance, etc.

*** Pendiente de traducción *** Unprotected alternative channel of return branch target prediction in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

*** Pendiente de traducción *** Generation of weak initialization vector in an Intel(R) IPP Cryptography software library before version 2021.5 may allow an unauthenticated user to potentially enable information disclosure via local access.

*** Pendiente de traducción *** Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio&amp;#39;s `/projects/upload-example` endpoint allows injection of arbitrary HTML through a `GET` request with an appropriately crafted `label_config` query parameter. By crafting a specially formatted XML label config with inline task data containing malicious HTML/JavaScript, an attacker can achieve Cross-Site Scripting (XSS). While the application has a Content Security Policy (CSP), it is only set in report-only mode, making it ineffective at preventing script execution. The vulnerability exists because the upload-example endpoint renders user-provided HTML content without proper sanitization on a GET request. This allows attackers to inject and execute arbitrary JavaScript in victims&amp;#39; browsers by getting them to visit a maliciously crafted URL. This is considered vulnerable because it enables attackers to execute JavaScript in victims&amp;#39; contexts, potentially allowing theft of sensitive data, session hijacking, or other malicious actions. Version 1.16.0 contains a patch for the issue.

*** Pendiente de traducción *** Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio&amp;#39;s S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a custom S3 endpoint URL via the s3_endpoint parameter. This endpoint URL is passed directly to the boto3 AWS SDK without proper validation or restrictions on the protocol or destination. The vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal services by specifying them as the S3 endpoint. When the storage sync operation is triggered, the application attempts to make S3 API calls to the specified endpoint, effectively making HTTP requests to the target service and returning the response in error messages. This SSRF vulnerability enables attackers to bypass network segmentation and access internal services that should not be accessible from the external network. The vulnerability is particularly severe because error messages from failed requests contain the full response body, allowing data exfiltration from internal services. Version 1.16.0 contains a patch for the issue.

*** Pendiente de traducción *** Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the `vlSelectionTuples` function can be used to call JavaScript functions, leading to cross-site scripting.`vlSelectionTuples` calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. This can be used to call `Function()` with arbitrary JavaScript and the resulting function can be called with `vlSelectionTuples` or using a type coercion to call `toString` or `valueOf`. Version 5.26.0 of vega and 5.4.2 of vega-selections fix this issue.

*** Pendiente de traducción *** @octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.