Vulnerabilidades

*** Pendiente de traducción *** immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked. The oauth2 state parameter is similar to a csrf token, so when the user starts the login flow this unpredictable token is generated and somehow saved in the browser session and passed to the identity provider, which will return the state parameter when redirecting the user back to immich. Before the user is logged in that parameter needs to be verified to make sure the login was actively initiated by the user in this browser session. On it's own, this wouldn't be too bad, but when immich uses the /user-settings page as a redirect_uri, it will automatically link the accounts if the user was already logged in. This means that if someone has an immich instance with a public oauth provider (like google), an attacker can - for example - embed a hidden iframe in a webpage or even just send the victim a forged oauth login url with a code that logs the victim into the attackers oauth account and redirects back to immich and links the accounts. After this, the attacker can log into the victims account using their own oauth credentials. This vulnerability is fixed in 1.132.0.

*** Pendiente de traducción *** Meshtastic is an open source mesh networking solution. Prior to 2.5.1, traceroute responses from the remote node are not rate limited. Given that there are SNR measurements attributed to each received transmission, this is a guaranteed way to get a remote station to reliably and continuously respond. You could easily get 100 samples in a short amount of time (estimated 2 minutes), whereas passively doing the same could take hours or days. There are secondary effects that non-ratelimited traceroute does also allow a 2:1 reflected DoS of the network as well, but these concerns are less than the problem with positional confidentiality (other DoS routes exist). This vulnerability is fixed in 2.5.1.

*** Pendiente de traducción *** A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control both the read and write addresses used by the CommandRcx1 function. The write target is derived from an unvalidated UEFI NVRAM variable (SetupXtuBufferAddress), while the write content is read from an attacker-controlled pointer based on the RBX register. This dual-pointer dereference enables arbitrary memory writes within System Management RAM (SMRAM), leading to potential SMM privilege escalation and firmware compromise.

*** Pendiente de traducción *** A vulnerability in the Software SMI handler (SwSmiInputValue 0x20) allows a local attacker to supply a crafted pointer (FuncBlock) through RBX and RCX register values. This pointer is passed unchecked into multiple flash management functions (ReadFlash, WriteFlash, EraseFlash, and GetFlashInfo) that dereference both the structure and its nested members, such as BufAddr. This enables arbitrary read/write access to System Management RAM (SMRAM), allowing an attacker to corrupt firmware memory, exfiltrate SMRAM content via flash, or install persistent implants.

*** Pendiente de traducción *** A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used to derive pointers (OcHeader, OcData) passed into power and thermal configuration logic. These buffers are not validated before performing multiple structured memory writes based on OcSetup NVRAM values, enabling arbitrary SMRAM corruption and potential SMM privilege escalation.

*** Pendiente de traducción *** A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low privileged user to cause an impact to the availability of the device.<br /> <br /> When RIB sharding is enabled and a user executes one of several routing related &amp;#39;show&amp;#39; commands, a certain amount of memory is leaked. When all available memory has been consumed rpd will crash and restart.<br /> <br /> The leak can be monitored with the CLI command:<br /> <br /> <br /> <br /> show task memory detail | match task_shard_mgmt_cookie<br /> <br /> <br /> <br /> where the allocated memory in bytes can be seen to continuously increase with each exploitation.<br /> <br /> <br /> <br /> This issue affects:<br /> <br /> Junos OS:<br /> <br /> * all versions before 21.2R3-S9,<br /> * 21.4 versions before 21.4R3-S11,<br /> * 22.2 versions before 22.2R3-S7,<br /> * 22.4 versions before 22.4R3-S7,<br /> * 23.2 versions before 23.2R2-S4, <br /> * 23.4 versions before 23.4R2-S4,<br /> * 24.2 versions before 24.2R2,<br /> * 24.4 versions before 24.4R1-S2, 24.4R2;<br /> <br /> <br /> Junos OS Evolved:<br /> <br /> * all versions before 22.2R3-S7-EVO<br /> * 22.4-EVO versions before 22.4R3-S7-EVO,<br /> * 23.2-EVO versions before 23.2R2-S4-EVO,<br /> * 23.4-EVO versions before 23.4R2-S4-EVO,<br /> * 24.2-EVO versions before 24.2R2-EVO, <br /> * 24.4-EVO versions before 24.4R2-EVO.

*** Pendiente de traducción *** An Improper Neutralization of Special Elements used in an OS Command (&amp;#39;OS Command Injection&amp;#39;) vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a high privileged, local attacker to escalated their privileges to root.<br /> <br /> When a user provides specifically crafted arguments to the &amp;#39;request system logout&amp;#39; command, these will be executed as root on the shell, which can completely compromise the device.<br /> This issue affects:<br /> <br /> Junos OS: <br /> <br /> <br /> <br /> * all versions before 21.2R3-S9,<br /> * 21.4 versions before 21.4R3-S8,<br /> * 22.2 versions before 22.2R3-S6,<br /> * 22.3 versions before 22.3R3-S3,<br /> * 22.4 versions before 22.4R3-S6,<br /> * 23.2 versions before 23.2R2-S1,<br /> * 23.4 versions before 23.4R1-S2, 23.4R2;<br /> <br /> <br /> <br /> <br /> Junos OS Evolved:<br /> <br /> <br /> <br /> * all versions before 22.4R3-S6-EVO,<br /> * 23.2-EVO versions before 23.2R2-S1-EVO,<br /> * 23.4-EVO versions before 23.4R1-S2-EVO, 23.4R2-EVO.

*** Pendiente de traducción *** An Improper Neutralization of Delimiters vulnerability in the UI of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with high privileges to modify the system configuration.<br /> <br /> <br /> <br /> A user with limited configuration and commit permissions, using a specifically crafted annotate configuration command, can change any part of the device configuration.<br /> <br /> <br /> <br /> <br /> This issue affects:<br /> <br />  Junos OS: <br /> <br /> <br /> <br /> * all versions before 22.2R3-S7,<br /> * 22.4 versions before 22.4R3-S7,<br /> * 23.2 versions before 23.2R2-S4,<br /> * 23.4 versions before 23.4R2-S4,<br /> * 24.2 versions before 24.2R2-S1,<br /> * 24.4 versions before 24.4R1-S2, 24.4R2;<br /> <br /> <br /> <br /> <br /> Junos OS Evolved:<br /> <br /> <br /> <br /> * all versions before 22.4R3-S7-EVO,<br /> * 23.2-EVO versions before 23.2R2-S4-EVO,<br /> * 23.4-EVO versions before 23.4R2-S5-EVO, <br /> * 24.2-EVO versions before 24.2R2-S1-EVO<br /> <br /> <br /> <br /> * 24.4-EVO versions before 24.4R2-EVO.

*** Pendiente de traducción *** An Incorrect Authorization vulnerability in the web server of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to reach the <br /> <br /> Juniper Web Device Manager<br /> <br /> (J-Web).<br /> <br /> When Juniper Secure connect (JSC) is enabled on specific interfaces, or multiple interfaces are configured for J-Web, the J-Web UI is reachable over more than the intended interfaces.<br /> This issue affects Junos OS:<br /> <br /> <br /> <br /> * all versions before 21.4R3-S9,<br /> * 22.2 versions before 22.2R3-S5,<br /> * 22.4 versions before 22.4R3-S5,<br /> * 23.2 versions before 23.2R2-S3,<br /> * 23.4 versions before 23.4R2-S5,<br /> * 24.2 versions before 24.2R2.

*** Pendiente de traducción *** A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values (e.g., &amp;#39;$DB$&amp;#39; or &amp;#39;2DB$&amp;#39;), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise.

*** Pendiente de traducción *** An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> SRX1600, SRX2300, SRX 4000 Series, and SRX5000 Series with SPC3<br /> <br /> <br /> <br /> allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).<br /> <br /> If a sequence of specific PIM packets is received, this will cause a flowd crash and restart.<br /> <br /> <br /> This issue affects Junos OS:<br /> <br /> <br /> <br /> * all versions before 21.2R3-S9,<br /> * 21.4 versions before 21.4R3-S11,<br /> * 22.2 versions before 22.2R3-S7,<br /> * 22.4 versions before 22.4R3-S6,<br /> * 23.2 versions before 23.2R2-S4,<br /> * 23.4 versions before 23.4R2-S4,<br /> * 24.2 versions before 24.2R2.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> This is a similar, but different vulnerability than the issue reported as<br /> <br /> CVE-2024-47503, published in JSA88133.

*** Pendiente de traducción *** An Improper Resource Shutdown or Release vulnerability in the SIP ALG of Juniper Networks Junos OS on MX Series with MS-MPC allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).<br /> <br /> When an MX Series device with an MS-MPC is configured with two or more service sets which are both processing SIP calls, a specific sequence of call events will lead to a crash and restart of the MS-MPC.<br /> This issue affects Junos OS:<br /> <br /> <br /> <br /> * all versions before 21.2R3-S9,<br /> * 21.4 versions from 21.4R1,<br /> * 22.2 versions before 22.2R3-S6,<br /> * 22.4 versions before 22.4R3-S6.<br /> <br /> <br /> <br /> <br /> As the MS-MPC is EoL after Junos OS 22.4, later versions are not affected.<br /> <br /> This issue does not affect MX-SPC3 or SRX Series devices.