Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: socfpga: Fix memory leak in socfpga_gate_init()<br /> <br /> Free @socfpga_clk and @ops on the error path to avoid memory leak issue.

*** Pendiente de traducción *** feiskyer mcp-kubernetes-server through 0.1.11 does not consider chained commands in the implementation of --disable-write and --disable-delete, e.g., it allows a "kubectl version; kubectl delete pod" command because the first word (i.e., "version") is not a write or delete operation.

*** Pendiente de traducción *** feiskyer mcp-kubernetes-server through 0.1.11 allows OS command injection, even in read-only mode, via /mcp/kubectl because shell=True is used. NOTE: this is unrelated to mcp-server-kubernetes and CVE-2025-53355.

*** Pendiente de traducción *** A flaw has been found in Campcodes Online Job Finder System 1.0. This affects an unknown function of the file /index.php?q=result&amp;searchfor=bycompany. This manipulation of the argument Search causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.

*** Pendiente de traducción *** An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER, bypassing domain validation.

*** Pendiente de traducción *** An issue was discovered in the method push.lite.avtech.com.AvtechLib.GetHttpsResponse in AVTECH EagleEyes Lite 2.0.0, the GetHttpsResponse method transmits sensitive information - including internal server URLs, account IDs, passwords, and device tokens - as plaintext query parameters over HTTPS

*** Pendiente de traducción *** An issue was discovered in the method push.lite.avtech.com.MySSLSocketFactoryNew.checkServerTrusted in AVTECH EagleEyes 2.0.0. The custom X509TrustManager used in checkServerTrusted only checks the certificate&amp;#39;s expiration date, skipping proper TLS chain validation.

*** Pendiente de traducción *** A Cross-Site Request Forgery (CSRF) vulnerability was identified in the Profile Page of the PHPGurukul Student-Result-Management-System-Using-PHP-V2.0. This flaw allows an attacker to trick authenticated users into unintentionally modifying their account details. By crafting a malicious HTML page, an attacker can submit unauthorized requests to the vulnerable endpoint: /create-class.php.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: uhci: fix memory leak with using debugfs_lookup()<br /> <br /> When calling debugfs_lookup() the result must have dput() called on it,<br /> otherwise the memory will leak over time. To make things simpler, just<br /> call debugfs_lookup_and_remove() instead which handles all of the logic<br /> at once.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> raw: Fix NULL deref in raw_get_next().<br /> <br /> Dae R. Jeong reported a NULL deref in raw_get_next() [0].<br /> <br /> It seems that the repro was running these sequences in parallel so<br /> that one thread was iterating on a socket that was being freed in<br /> another netns.<br /> <br /> unshare(0x40060200)<br /> r0 = syz_open_procfs(0x0, &amp;(0x7f0000002080)=&amp;#39;net/raw\x00&amp;#39;)<br /> socket$inet_icmp_raw(0x2, 0x3, 0x1)<br /> pread64(r0, &amp;(0x7f0000000000)=""/10, 0xa, 0x10000000007f)<br /> <br /> After commit 0daf07e52709 ("raw: convert raw sockets to RCU"), we<br /> use RCU and hlist_nulls_for_each_entry() to iterate over SOCK_RAW<br /> sockets. However, we should use spinlock for slow paths to avoid<br /> the NULL deref.<br /> <br /> Also, SOCK_RAW does not use SLAB_TYPESAFE_BY_RCU, and the slab object<br /> is not reused during iteration in the grace period. In fact, the<br /> lockless readers do not check the nulls marker with get_nulls_value().<br /> So, SOCK_RAW should use hlist instead of hlist_nulls.<br /> <br /> Instead of adding an unnecessary barrier by sk_nulls_for_each_rcu(),<br /> let&amp;#39;s convert hlist_nulls to hlist and use sk_for_each_rcu() for<br /> fast paths and sk_for_each() and spinlock for /proc/net/raw.<br /> <br /> [0]:<br /> general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN<br /> KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]<br /> CPU: 2 PID: 20952 Comm: syz-executor.0 Not tainted 6.2.0-g048ec869bafd-dirty #7<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]<br /> RIP: 0010:sock_net include/net/sock.h:649 [inline]<br /> RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]<br /> RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]<br /> RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995<br /> Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef<br /> RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206<br /> RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000<br /> RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338<br /> RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9<br /> R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78<br /> R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030<br /> FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000055bb9614b35f CR3: 000000003c672000 CR4: 00000000003506e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> seq_read_iter+0x4c6/0x10f0 fs/seq_file.c:225<br /> seq_read+0x224/0x320 fs/seq_file.c:162<br /> pde_read fs/proc/inode.c:316 [inline]<br /> proc_reg_read+0x23f/0x330 fs/proc/inode.c:328<br /> vfs_read+0x31e/0xd30 fs/read_write.c:468<br /> ksys_pread64 fs/read_write.c:665 [inline]<br /> __do_sys_pread64 fs/read_write.c:675 [inline]<br /> __se_sys_pread64 fs/read_write.c:672 [inline]<br /> __x64_sys_pread64+0x1e9/0x280 fs/read_write.c:672<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> RIP: 0033:0x478d29<br /> Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007f843ae8dbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011<br /> RAX: ffffffffffffffda RBX: 0000000000791408 RCX: 0000000000478d29<br /> RDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000003<br /> RBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000<br /> R10: 000010000000007f R11: 0000000000000246 R12: 0000000000791740<br /> R13: 0000000000791414 R14: 0000000000791408 R15: 00007ffc2eb48a50<br /> <br /> Modules linked in:<br /> ---[ end trace 0000000000000000 ]---<br /> RIP: 0010<br /> ---truncated---

*** Pendiente de traducción *** A vulnerability was detected in Campcodes Online Job Finder System 1.0. The impacted element is an unknown function of the file /eris/applicationform.php. The manipulation of the argument picture results in unrestricted upload. It is possible to launch the attack remotely. The exploit is now public and may be used.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: openvswitch: fix race on port output<br /> <br /> assume the following setup on a single machine:<br /> 1. An openvswitch instance with one bridge and default flows<br /> 2. two network namespaces "server" and "client"<br /> 3. two ovs interfaces "server" and "client" on the bridge<br /> 4. for each ovs interface a veth pair with a matching name and 32 rx and<br /> tx queues<br /> 5. move the ends of the veth pairs to the respective network namespaces<br /> 6. assign ip addresses to each of the veth ends in the namespaces (needs<br /> to be the same subnet)<br /> 7. start some http server on the server network namespace<br /> 8. test if a client in the client namespace can reach the http server<br /> <br /> when following the actions below the host has a chance of getting a cpu<br /> stuck in a infinite loop:<br /> 1. send a large amount of parallel requests to the http server (around<br /> 3000 curls should work)<br /> 2. in parallel delete the network namespace (do not delete interfaces or<br /> stop the server, just kill the namespace)<br /> <br /> there is a low chance that this will cause the below kernel cpu stuck<br /> message. If this does not happen just retry.<br /> Below there is also the output of bpftrace for the functions mentioned<br /> in the output.<br /> <br /> The series of events happening here is:<br /> 1. the network namespace is deleted calling<br /> `unregister_netdevice_many_notify` somewhere in the process<br /> 2. this sets first `NETREG_UNREGISTERING` on both ends of the veth and<br /> then runs `synchronize_net`<br /> 3. it then calls `call_netdevice_notifiers` with `NETDEV_UNREGISTER`<br /> 4. this is then handled by `dp_device_event` which calls<br /> `ovs_netdev_detach_dev` (if a vport is found, which is the case for<br /> the veth interface attached to ovs)<br /> 5. this removes the rx_handlers of the device but does not prevent<br /> packages to be sent to the device<br /> 6. `dp_device_event` then queues the vport deletion to work in<br /> background as a ovs_lock is needed that we do not hold in the<br /> unregistration path<br /> 7. `unregister_netdevice_many_notify` continues to call<br /> `netdev_unregister_kobject` which sets `real_num_tx_queues` to 0<br /> 8. port deletion continues (but details are not relevant for this issue)<br /> 9. at some future point the background task deletes the vport<br /> <br /> If after 7. but before 9. a packet is send to the ovs vport (which is<br /> not deleted at this point in time) which forwards it to the<br /> `dev_queue_xmit` flow even though the device is unregistering.<br /> In `skb_tx_hash` (which is called in the `dev_queue_xmit`) path there is<br /> a while loop (if the packet has a rx_queue recorded) that is infinite if<br /> `dev-&gt;real_num_tx_queues` is zero.<br /> <br /> To prevent this from happening we update `do_output` to handle devices<br /> without carrier the same as if the device is not found (which would<br /> be the code path after 9. is done).<br /> <br /> Additionally we now produce a warning in `skb_tx_hash` if we will hit<br /> the infinite loop.<br /> <br /> bpftrace (first word is function name):<br /> <br /> __dev_queue_xmit server: real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 1<br /> netdev_core_pick_tx server: addr: 0xffff9f0a46d4a000 real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 1<br /> dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 2, reg_state: 1<br /> synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024<br /> synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024<br /> synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024<br /> synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024<br /> dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 6, reg_state: 2<br /> ovs_netdev_detach_dev server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, reg_state: 2<br /> netdev_rx_handler_unregister server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state: 2<br /> synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024<br /> netdev_rx_handler_unregister ret server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state: 2<br /> dp_<br /> ---truncated---