Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and newsgroup client. The identified vulnerabilities could result in denial of service attacks, unauthorized acce...
Several significant out-of-bounds access vulnerabilities have been found in the X.Org X Server (CVE-2021-4008, CVE-2021-4009, and CVE-2021-4011). These flaws threaten data confidentiality and integrity, as well as system availability, and have received a National Vulnerability Database severity rating of “High”.
Thank you to Ruth Webb for contributing this article.
WordPress stands tall as one of the most popular content management systems (CMS), empowering millions of websites worldwide in the ever-evolving digital landscape. Its flexibility and user-friendliness have made it a top choice for bloggers, businesses, and individuals. However, with great popularity comes great responsibility, and WordPress, like any other platform, is not immune to security vulnerabilities.
Multiple significant security vulnerabilities have been discovered in the Linux kernel, including a remotely exploitable null pointer dereference flaw in the networking protocol (CVE-2023-3338), use-after-free vulnerabilities in kernel's netfilter subsystem in net/netfilter/nf_tables_api.c (CVE-2023-3390) and nft_chain_lookup_byid() (CVE-2023-31248), and an out-of-bounds read/write vulnerability (CVE-2023-35001). These bugs are easy to exploit and pose a severe risk to your system's confidentiality, integrity, and availability. As a result, they have received a National Vulnerability Database severity rating of “High”.
It was discovered that in Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attacks via a vast number of domain name labels of emails and URLs (CVE-2023-36053).
Multiple severe security issues were discovered in the GPAC multimedia framework, including a heap-based Buffer Overflow in the GitHub repository gpac/gpac before V2.1.0-DEV (CVE-2023-0760) and a NULL Pointer Dereference in the GitHub repository gpac/gpac before 2.2.2 (CVE-2023-3012). These vulnerabilities have received a National Vulnerability Database base score of 7.8 out of 10 (“High” severity).
Multiple significant security vulnerabilities have been found in the Linux kernel, including an out-of-bounds memory access flaw in the XFS file system (CVE-2023-2124) and an out-of-boundary read vulnerability in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the kernel (CVE-2023-2176). With a low attack complexity and a high confidentiality, integrity, and availability impact, these bugs have received a National Vulnerability Database base score of 7.8 out of 10 (“High” severity).
A type confusion issue that may have been actively exploited has been identified in the WebKitGTK web engine (CVE-2023-32439). With a low attack complexity and a high confidentiality, integrity and availability impact, this vulnerability has received a National Vulnerability Database severity rating of High.
Exploit code will soon become available for a critical vulnerability in the Linux kernel that a security researcher discovered and reported in mid-June. Dubbed StackRot (CVE-2023-3269), this bug impacts the Linux kernel 6.1 through 6.4. The data structure for managing virtual memory spaces in the Linux kernel handles a particular memory management function in a manner that results in use-after-free-by-RCU (UAFBR) issues. The security researcher who discovered StackRot, Ruihan Li, describes the exploit for StackRot as likely the first to successfully exploit a UAFBR bug.
Several important security issues were discovered in the Vim enhanced vi editor, including an out-of-bounds read vulnerability (CVE-2022-0128), improper memory management when recording and using select mode (CVE-2022-0393), and incorrect handling of certain memory operations during a visual block yank (CVE-2022-0407). Due to their high confidentiality, integrity and availability impact, these bugs have received a National Vulnerability Database severity rating of High.
Three important vulnerabilities were discovered in Chromium, including a type confusion in V8 (CVE-2023-3420) and use after frees in Media (CVE-2023-3421) and Guest View (CVE-2023-3422). With a low attack complexity and a high confidentiality, integrity and availability impact, these flaws have received a National Vulnerability Database severity rating of 8.8 out of 10 (“High” severity).
Several remotely exploitable security issues were found in the Bind Internet Domain Name Server. It was discovered that Bind incorrectly handled the cache size limit (CVE-2023-2828) and the recursive-clients quota (CVE-2023-2911). With a low attack complexity and a high availability impact, these bugs have received a National Vulnerability Database severity rating of “High”.
Several security issues were found in the Linux kernel, including an out-of-bounds write vulnerability in the Flower classifier implementation in the kernel (CVE-2023-35788). It was also discovered that for some Intel processors the INVLPG instruction implementation did not properly flush global TLB entries when PCIDs are enabled. With a low attack complexity and a high confidentiality, integrity and availability impact, these flaws have received a National Vulnerability Database severity rating of 7.8 out of 10 (“High” severity).
Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems. "These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements," SonarSource researcher Thomas Chauchefoin said, adding they could result in RCE on Soko because of a "misconfiguration of the database."
Multiple remotely exploitable denial of service (DoS) and code execution vulnerabilities have been found in the VLC multimedia player and streamer. These bugs have been classified as “high-severity” by the National Vulnerability Database due to their high confidentiality, integrity and availability impact.
Four critical security vulnerabilities have been discovered in Chromium, including use after free bugs in Autofill payments, WebRTC and WebXR, and a type confusion flaw in V8.
Several important denial of service (DoS) and information disclosure vulnerabilities have been discovered in the OpenJDK Java runtime. These bugs require no privileges or user interaction to exploit, and have been classified by the National Vulnerability Database as having a high confidentiality, integrity and availability impact on affected systems.
Several important security vulnerabilities have been found in the c-ares fork of the ares library, including a 0-byte UDP payload denial of service (DoS) bug (CVE-2023-32067). With low attack complexity, no privileges or user interaction required to exploit, and a high availability impact, this flaw has received a National Vulnerability Database (NVD) base score of 7.5 out of 10 (“High” severity).
Fourteen important vulnerabilities have been discovered in Chromium, including multiple use-after-free and type confusion bugs. With a low attack complexity and a high confidentiality, integrity and availability impact, these issues have received a National Vulnerability Database severity rating of “High”.
Two important security bugs have been found in Ruby. It was discovered that an HTTP response splitting flaw exists in the Ruby cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 (CVE-2021-3362). It was also discovered that a buffer over-read occurs in String-to-Float conversion in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2 (CVE-2022-28739). With a low attack complexity and a high confidentiality and integrity impact, these bugs have received a National Vulnerability Database severity rating of “High”.
An Improper Validation of Array Index vulnerability (CVE-2023-0950) was discovered in the spreadsheet component of The Document Foundation LibreOffice 7.4 versions prior to 7.4.6 and 7.5 versions prior to 7.5.1. With a low attack complexity, no privileges or user interaction required to exploit, and a high confidentiality, integrity and availability impact, this bug has received a National Vulnerability Database (NVD) severity rating of “Critical”.