admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-06-19 17:31:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-Update: 2024-10-13T02:00:16.486465+00:00

Browse Source
This commit is contained in:
cad-safe-bot 2024-10-13 02:03:17 +00:00
parent 59ebb40fcc
commit 2a24fd719a
732 changed files with 2762 additions and 1090 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CVE-2016/CVE-2016-62xx/CVE-2016-6298.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "secalert@redhat.com",
"published": "2016-09-01T23:59:01.160",
"lastModified": "2016-11-28T20:31:14.547",
"vulnStatus": "Modified",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2021/CVE-2021-471xx/CVE-2021-47181.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: tusb6010: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: musb: tusb6010: verificar el valor de retorno despu\u00e9s de llamar a platform_get_resource() Causar\u00e1 null-ptr-deref si platform_get_resource() devuelve NULL, necesitamos verificar el valor de retorno."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47182.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix scsi_mode_sense() buffer length handling\n\nSeveral problems exist with scsi_mode_sense() buffer length handling:\n\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n occupying bytes 7 and 8 of the CDB. With this command, access to mode\n pages larger than 255 bytes is thus possible. However, the CDB\n allocation length field is set by assigning len to byte 8 only, thus\n truncating buffer length larger than 255.\n\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n is increased to 8 and 4 respectively, and the buffer is zero filled\n with these increased values, thus corrupting the memory following the\n buffer.\n\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\n\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\n\nWhile at it, also fix the folowing:\n\n * Use get_unaligned_be16() to retrieve the mode data length and block\n descriptor length fields of the mode sense reply header instead of using\n an open coded calculation.\n\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n Block Descriptor, which is the opposite of what the dbd argument\n description was."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: Fix scsi_mode_sense() buffer length management Existen varios problemas con el manejo de la longitud del b\u00fafer de scsi_mode_sense(): 1) El campo de longitud de asignaci\u00f3n del comando MODE SENSE(10) es de 16 bits y ocupa los bytes 7 y 8 del CDB. Con este comando, es posible acceder a p\u00e1ginas de modo mayores de 255 bytes. Sin embargo, el campo de longitud de asignaci\u00f3n del CDB se establece asignando len solo al byte 8, truncando as\u00ed la longitud del b\u00fafer mayor de 255. 2) Si se llama a scsi_mode_sense() con len menor que 8 con sdev->use_10_for_ms establecido, o menor que 4 en caso contrario, la longitud del b\u00fafer aumenta a 8 y 4 respectivamente, y el b\u00fafer se rellena con ceros con estos valores aumentados, corrompiendo as\u00ed la memoria que sigue al b\u00fafer. Solucione estos 2 problemas usando put_unaligned_be16() para configurar el campo de longitud de asignaci\u00f3n de MODE SENSE(10) CDB y devolviendo un error cuando len sea demasiado peque\u00f1o. Adem\u00e1s, si len es mayor que 255B, siempre intente MODE SENSE(10) primero, incluso si el controlador del dispositivo no configur\u00f3 sdev->use_10_for_ms. En caso de error de c\u00f3digo de operaci\u00f3n no v\u00e1lido para MODE SENSE(10), el acceso a p\u00e1ginas de modo mayores a 255 bytes no se vuelve a intentar usando MODE SENSE(6). Para evitar desbordamientos de longitud de b\u00fafer para el caso de MODE_SENSE(10), verifique que len sea menor a 65535 bytes. Mientras lo hace, tambi\u00e9n solucione lo siguiente: * Use get_unaligned_be16() para recuperar los campos de longitud de datos de modo y longitud de descriptor de bloque del encabezado de respuesta de sentido de modo en lugar de usar un c\u00e1lculo de c\u00f3digo abierto. * Corregir la explicaci\u00f3n del argumento dbd de kdoc: el bit DBD significa Deshabilitar descriptor de bloque, que es lo opuesto a lo que era la descripci\u00f3n del argumento dbd."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47183.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix link down processing to address NULL pointer dereference\n\nIf an FC link down transition while PLOGIs are outstanding to fabric well\nknown addresses, outstanding ABTS requests may result in a NULL pointer\ndereference. Driver unload requests may hang with repeated \"2878\" log\nmessages.\n\nThe Link down processing results in ABTS requests for outstanding ELS\nrequests. The Abort WQEs are sent for the ELSs before the driver had set\nthe link state to down. Thus the driver is sending the Abort with the\nexpectation that an ABTS will be sent on the wire. The Abort request is\nstalled waiting for the link to come up. In some conditions the driver may\nauto-complete the ELSs thus if the link does come up, the Abort completions\nmay reference an invalid structure.\n\nFix by ensuring that Abort set the flag to avoid link traffic if issued due\nto conditions where the link failed."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: lpfc: Se soluciona el procesamiento de enlace inactivo para abordar la desreferencia de puntero NULL Si una transici\u00f3n de enlace inactivo FC mientras hay PLOGI pendientes para direcciones conocidas de Fabric, las solicitudes ABTS pendientes pueden resultar en una desreferencia de puntero NULL. Las solicitudes de descarga del controlador pueden bloquearse con mensajes de registro \"2878\" repetidos. El procesamiento de enlace inactivo da como resultado solicitudes ABTS para solicitudes ELS pendientes. Los WQE de cancelaci\u00f3n se env\u00edan para los ELS antes de que el controlador haya establecido el estado del enlace en inactivo. Por lo tanto, el controlador env\u00eda la cancelaci\u00f3n con la expectativa de que se env\u00ede una ABTS en el cable. La solicitud de cancelaci\u00f3n se detiene esperando que se active el enlace. En algunas condiciones, el controlador puede completar autom\u00e1ticamente los ELS, por lo que si el enlace se activa, las finalizaciones de cancelaci\u00f3n pueden hacer referencia a una estructura no v\u00e1lida. Se soluciona asegur\u00e1ndose de que la cancelaci\u00f3n establezca el indicador para evitar el tr\u00e1fico de enlace si se emite debido a condiciones en las que el enlace fall\u00f3."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47184.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix NULL ptr dereference on VSI filter sync\n\nRemove the reason of null pointer dereference in sync VSI filters.\nAdded new I40E_VSI_RELEASING flag to signalize deleting and releasing\nof VSI resources to sync this thread with sync filters subtask.\nWithout this patch it is possible to start update the VSI filter list\nafter VSI is removed, that's causing a kernel oops."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: i40e: Corregir la desreferencia de puntero nulo en la sincronizaci\u00f3n de filtros VSI Eliminar el motivo de la desreferencia de puntero nulo en los filtros VSI de sincronizaci\u00f3n. Se ha a\u00f1adido el nuevo indicador I40E_VSI_RELEASING para se\u00f1alar la eliminaci\u00f3n y liberaci\u00f3n de recursos VSI para sincronizar este hilo con la subtarea de filtros de sincronizaci\u00f3n. Sin este parche, es posible comenzar a actualizar la lista de filtros VSI despu\u00e9s de que se elimine VSI, lo que provoca un error en el kernel."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47185.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: tty_buffer: Fix the softlockup issue in flush_to_ldisc\n\nWhen running ltp testcase(ltp/testcases/kernel/pty/pty04.c) with arm64, there is a soft lockup,\nwhich look like this one:\n\n Workqueue: events_unbound flush_to_ldisc\n Call trace:\n dump_backtrace+0x0/0x1ec\n show_stack+0x24/0x30\n dump_stack+0xd0/0x128\n panic+0x15c/0x374\n watchdog_timer_fn+0x2b8/0x304\n __run_hrtimer+0x88/0x2c0\n __hrtimer_run_queues+0xa4/0x120\n hrtimer_interrupt+0xfc/0x270\n arch_timer_handler_phys+0x40/0x50\n handle_percpu_devid_irq+0x94/0x220\n __handle_domain_irq+0x88/0xf0\n gic_handle_irq+0x84/0xfc\n el1_irq+0xc8/0x180\n slip_unesc+0x80/0x214 [slip]\n tty_ldisc_receive_buf+0x64/0x80\n tty_port_default_receive_buf+0x50/0x90\n flush_to_ldisc+0xbc/0x110\n process_one_work+0x1d4/0x4b0\n worker_thread+0x180/0x430\n kthread+0x11c/0x120\n\nIn the testcase pty04, The first process call the write syscall to send\ndata to the pty master. At the same time, the workqueue will do the\nflush_to_ldisc to pop data in a loop until there is no more data left.\nWhen the sender and workqueue running in different core, the sender sends\ndata fastly in full time which will result in workqueue doing work in loop\nfor a long time and occuring softlockup in flush_to_ldisc with kernel\nconfigured without preempt. So I add need_resched check and cond_resched\nin the flush_to_ldisc loop to avoid it."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tty: tty_buffer: soluciona el problema de bloqueo suave en flush_to_ldisc Al ejecutar ltp testcase(ltp/testcases/kernel/pty/pty04.c) con arm64, hay un bloqueo suave, que se parece a este: Workqueue: events_unbound flush_to_ldisc Rastreo de llamadas: dump_backtrace+0x0/0x1ec show_stack+0x24/0x30 dump_stack+0xd0/0x128 panic+0x15c/0x374 watchdog_timer_fn+0x2b8/0x304 __run_hrtimer+0x88/0x2c0 __hrtimer_run_queues+0xa4/0x120 hrtimer_interrupt+0xfc/0x270 arch_timer_handler_phys+0x40/0x50 handle_percpu_devid_irq+0x94/0x220 __handle_domain_irq+0x88/0xf0 gic_handle_irq+0x84/0xfc el1_irq+0xc8/0x180 slip_unesc+0x80/0x214 [slip] tty_ldisc_receive_buf+0x64/0x80 tty_port_default_receive_buf+0x50/0x90 flush_to_ldisc+0xbc/0x110 process_one_work+0x1d4/0x4b0 worker_thread+0x180/0x430 kthread+0x11c/0x120 En el caso de prueba pty04, el primer proceso llama a la escritura Llamada al sistema para enviar datos al maestro pty. Al mismo tiempo, la cola de trabajo ejecutar\u00e1 el comando flush_to_ldisc para extraer los datos en un bucle hasta que no queden m\u00e1s datos. Cuando el remitente y la cola de trabajo se ejecutan en n\u00facleos diferentes, el remitente env\u00eda datos r\u00e1pidamente en tiempo completo, lo que har\u00e1 que la cola de trabajo realice el trabajo en bucle durante mucho tiempo y se produzca un bloqueo suave en flush_to_ldisc con el n\u00facleo configurado sin interrupci\u00f3n. Por lo tanto, agrego la comprobaci\u00f3n need_resched y cond_resched en el bucle flush_to_ldisc para evitarlo."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47187.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: msm8998: Fix CPU/L2 idle state latency and residency\n\nThe entry/exit latency and minimum residency in state for the idle\nstates of MSM8998 were ..bad: first of all, for all of them the\ntimings were written for CPU sleep but the min-residency-us param\nwas miscalculated (supposedly, while porting this from downstream);\nThen, the power collapse states are setting PC on both the CPU\ncluster *and* the L2 cache, which have different timings: in the\nspecific case of L2 the times are higher so these ones should be\ntaken into account instead of the CPU ones.\n\nThis parameter misconfiguration was not giving particular issues\nbecause on MSM8998 there was no CPU scaling at all, so cluster/L2\npower collapse was rarely (if ever) hit.\nWhen CPU scaling is enabled, though, the wrong timings will produce\nSoC unstability shown to the user as random, apparently error-less,\nsudden reboots and/or lockups.\n\nThis set of parameters are stabilizing the SoC when CPU scaling is\nON and when power collapse is frequently hit."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64: dts: qcom: msm8998: Se corrige la latencia y residencia del estado inactivo de la CPU/L2 La latencia de entrada/salida y la residencia m\u00ednima en el estado para los estados inactivos de MSM8998 eran... malas: en primer lugar, para todos ellos, los tiempos se escribieron para el sue\u00f1o de la CPU, pero el par\u00e1metro min-residency-us se calcul\u00f3 mal (supuestamente, al portar esto desde el lado descendente); luego, los estados de colapso de energ\u00eda est\u00e1n configurando PC tanto en el cl\u00faster de la CPU *como* en el cach\u00e9 L2, que tienen diferentes tiempos: en el caso espec\u00edfico de L2, los tiempos son m\u00e1s altos, por lo que estos deben tenerse en cuenta en lugar de los de la CPU. Esta configuraci\u00f3n incorrecta de par\u00e1metros no estaba dando problemas particulares porque en MSM8998 no hab\u00eda escalamiento de la CPU en absoluto, por lo que el colapso de energ\u00eda del cl\u00faster/L2 rara vez (o nunca) se ve\u00eda afectado. Sin embargo, cuando el escalado de CPU est\u00e1 habilitado, los tiempos incorrectos producir\u00e1n inestabilidad del SoC, que se mostrar\u00e1 al usuario como reinicios y/o bloqueos repentinos aleatorios, aparentemente sin errores. Este conjunto de par\u00e1metros estabiliza el SoC cuando el escalado de CPU est\u00e1 activado y cuando se producen ca\u00eddas de energ\u00eda con frecuencia."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47188.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Improve SCSI abort handling\n\nThe following has been observed on a test setup:\n\nWARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c\nCall trace:\n ufshcd_queuecommand+0x468/0x65c\n scsi_send_eh_cmnd+0x224/0x6a0\n scsi_eh_test_devices+0x248/0x418\n scsi_eh_ready_devs+0xc34/0xe58\n scsi_error_handler+0x204/0x80c\n kthread+0x150/0x1b4\n ret_from_fork+0x10/0x30\n\nThat warning is triggered by the following statement:\n\n\tWARN_ON(lrbp->cmd);\n\nFix this warning by clearing lrbp->cmd from the abort handler."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: ufs: core: Mejorar el manejo de la interrupci\u00f3n de SCSI Se ha observado lo siguiente en una configuraci\u00f3n de prueba: ADVERTENCIA: CPU: 4 PID: 250 en drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Rastreo de llamadas: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 Esa advertencia se activa por lo siguiente: declaraci\u00f3n: WARN_ON(lrbp->cmd); Corrija esta advertencia borrando lrbp->cmd del controlador de aborto."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47189.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix memory ordering between normal and ordered work functions\n\nOrdered work functions aren't guaranteed to be handled by the same thread\nwhich executed the normal work functions. The only way execution between\nnormal/ordered functions is synchronized is via the WORK_DONE_BIT,\nunfortunately the used bitops don't guarantee any ordering whatsoever.\n\nThis manifested as seemingly inexplicable crashes on ARM64, where\nasync_chunk::inode is seen as non-null in async_cow_submit which causes\nsubmit_compressed_extents to be called and crash occurs because\nasync_chunk::inode suddenly became NULL. The call trace was similar to:\n\n pc : submit_compressed_extents+0x38/0x3d0\n lr : async_cow_submit+0x50/0xd0\n sp : ffff800015d4bc20\n\n <registers omitted for brevity>\n\n Call trace:\n submit_compressed_extents+0x38/0x3d0\n async_cow_submit+0x50/0xd0\n run_ordered_work+0xc8/0x280\n btrfs_work_helper+0x98/0x250\n process_one_work+0x1f0/0x4ac\n worker_thread+0x188/0x504\n kthread+0x110/0x114\n ret_from_fork+0x10/0x18\n\nFix this by adding respective barrier calls which ensure that all\naccesses preceding setting of WORK_DONE_BIT are strictly ordered before\nsetting the flag. At the same time add a read barrier after reading of\nWORK_DONE_BIT in run_ordered_work which ensures all subsequent loads\nwould be strictly ordered after reading the bit. This in turn ensures\nare all accesses before WORK_DONE_BIT are going to be strictly ordered\nbefore any access that can occur in ordered_func."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: arreglo del ordenamiento de memoria entre funciones de trabajo normales y ordenadas No se garantiza que las funciones de trabajo ordenadas sean manejadas por el mismo hilo que ejecut\u00f3 las funciones de trabajo normales. La \u00fanica forma de sincronizar la ejecuci\u00f3n entre funciones normales/ordenadas es a trav\u00e9s de WORK_DONE_BIT, desafortunadamente los bitops utilizados no garantizan ning\u00fan orden. Esto se manifest\u00f3 como fallas aparentemente inexplicables en ARM64, donde async_chunk::inode se ve como no nulo en async_cow_submit, lo que hace que se llame a submission_compressed_extents y se produce una falla porque async_chunk::inode de repente se volvi\u00f3 NULL. El seguimiento de llamadas fue similar a: pc : submission_compressed_extents+0x38/0x3d0 lr : async_cow_submit+0x50/0xd0 sp : ffff800015d4bc20 Seguimiento de llamadas: submission_compressed_extents+0x38/0x3d0 async_cow_submit+0x50/0xd0 run_ordered_work+0xc8/0x280 btrfs_work_helper+0x98/0x250 process_one_work+0x1f0/0x4ac worker_thread+0x188/0x504 kthread+0x110/0x114 ret_from_fork+0x10/0x18 Solucione esto agregando las llamadas de barrera respectivas que garantizan que todos los accesos anteriores a la configuraci\u00f3n de Los bits WORK_DONE_BIT se ordenan estrictamente antes de establecer la bandera. Al mismo tiempo, agregue una barrera de lectura despu\u00e9s de la lectura de WORK_DONE_BIT en run_ordered_work que garantiza que todas las cargas posteriores se ordenar\u00e1n estrictamente despu\u00e9s de leer el bit. Esto, a su vez, garantiza que todos los accesos antes de WORK_DONE_BIT se ordenar\u00e1n estrictamente antes de cualquier acceso que pueda ocurrir en ordered_func."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47190.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf bpf: Avoid memory leak from perf_env__insert_btf()\n\nperf_env__insert_btf() doesn't insert if a duplicate BTF id is\nencountered and this causes a memory leak. Modify the function to return\na success/error value and then free the memory if insertion didn't\nhappen.\n\nv2. Adds a return -1 when the insertion error occurs in\n perf_env__fetch_btf. This doesn't affect anything as the result is\n never checked."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: perf bpf: Evitar p\u00e9rdida de memoria de perf_env__insert_btf() perf_env__insert_btf() no se inserta si se encuentra un ID de BTF duplicado y esto provoca una p\u00e9rdida de memoria. Modifique la funci\u00f3n para que devuelva un valor de \u00e9xito/error y luego libere la memoria si la inserci\u00f3n no ocurri\u00f3. v2. Agrega un retorno -1 cuando ocurre el error de inserci\u00f3n en perf_env__fetch_btf. Esto no afecta a nada ya que el resultado nunca se verifica."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47191.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Fix out-of-bound read in resp_readcap16()\n\nThe following warning was observed running syzkaller:\n\n[ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;\n[ 3813.830724] program syz-executor not setting count and/or reply_len properly\n[ 3813.836956] ==================================================================\n[ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0\n[ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549\n[ 3813.846612] Call Trace:\n[ 3813.846995] dump_stack+0x108/0x15f\n[ 3813.847524] print_address_description+0xa5/0x372\n[ 3813.848243] kasan_report.cold+0x236/0x2a8\n[ 3813.849439] check_memory_region+0x240/0x270\n[ 3813.850094] memcpy+0x30/0x80\n[ 3813.850553] sg_copy_buffer+0x157/0x1e0\n[ 3813.853032] sg_copy_from_buffer+0x13/0x20\n[ 3813.853660] fill_from_dev_buffer+0x135/0x370\n[ 3813.854329] resp_readcap16+0x1ac/0x280\n[ 3813.856917] schedule_resp+0x41f/0x1630\n[ 3813.858203] scsi_debug_queuecommand+0xb32/0x17e0\n[ 3813.862699] scsi_dispatch_cmd+0x330/0x950\n[ 3813.863329] scsi_request_fn+0xd8e/0x1710\n[ 3813.863946] __blk_run_queue+0x10b/0x230\n[ 3813.864544] blk_execute_rq_nowait+0x1d8/0x400\n[ 3813.865220] sg_common_write.isra.0+0xe61/0x2420\n[ 3813.871637] sg_write+0x6c8/0xef0\n[ 3813.878853] __vfs_write+0xe4/0x800\n[ 3813.883487] vfs_write+0x17b/0x530\n[ 3813.884008] ksys_write+0x103/0x270\n[ 3813.886268] __x64_sys_write+0x77/0xc0\n[ 3813.886841] do_syscall_64+0x106/0x360\n[ 3813.887415] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThis issue can be reproduced with the following syzkaller log:\n\nr0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\\x00', 0x26e1, 0x0)\nr1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\\x00')\nopen_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)\nr2 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782)\nwrite$binfmt_aout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB=\"00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d\"], 0x126)\n\nIn resp_readcap16() we get \"int alloc_len\" value -1104926854, and then pass\nthe huge arr_len to fill_from_dev_buffer(), but arr is only 32 bytes. This\nleads to OOB in sg_copy_buffer().\n\nTo solve this issue, define alloc_len as u32."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: scsi_debug: Se corrige la lectura fuera de los l\u00edmites en resp_readcap16(). Se observ\u00f3 la siguiente advertencia al ejecutar syzkaller: [ 3813.830724] sg_write: datos de entrada/salida 65466/242 bytes para el comando SCSI 0x9e-- adivinando datos de entrada; [ 3813.830724] El programa syz-executor no establece count y/o reply_len correctamente [ 3813.836956] ====================================================================== [ 3813.839465] ERROR: KASAN: pila fuera de los l\u00edmites en sg_copy_buffer+0x157/0x1e0 [ 3813.841773] Lectura de tama\u00f1o 4096 en la direcci\u00f3n ffff8883cf80f540 por la tarea syz-executor/1549 [ 3813.846612] Seguimiento de llamadas: [ 3813.846995] dump_stack+0x108/0x15f [ 3813.847524] print_address_description+0xa5/0x372 [ 3813.848243] kasan_report.cold+0x236/0x2a8 [ 3813.849439] check_memory_region+0x240/0x270 [ 3813.850094] memcpy+0x30/0x80 [ 3813.850553] sg_copy_buffer+0x157/0x1e0 [ 3813.853032] sg_copy_from_buffer+0x13/0x20 [ 3813.853660] llenar_desde_buffer_dev+0x135/0x370 [ 3813.854329] resp_readcap16+0x1ac/0x280 [ 3813.856917] schedule_resp+0x41f/0x1630 [ 3813.858203] comando_cola_de_depuraci\u00f3n_scsi+0xb32/0x17e0 [ 3813.862699] comando_env\u00edo_scsi+0x330/0x950 [ 3813.863329] funci\u00f3n_solicitud_scsi+0xd8e/0x1710 [ 3813.863946] cola_ejecuci\u00f3n_blk+0x10b/0x230 [ 3813.864544] blk_execute_rq_nowait+0x1d8/0x400 [ 3813.865220] sg_common_write.isra.0+0xe61/0x2420 [ 3813.871637] sg_write+0x6c8/0xef0 [ 3813.878853] __vfs_write+0xe4/0x800 [ 3813.883487] vfs_write+0x17b/0x530 [ 3813.884008] ksys_write+0x103/0x270 [ 3813.886268] __x64_sys_write+0x77/0xc0 [ 3813.886841] do_syscall_64+0x106/0x360 [ 3813.887415] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Este problema se puede reproducir con el siguiente registro de syzkaller: r0 = openat(0xffffffffffffff9c, &amp;(0x7f0000000040)='./file0\\x00', 0x26e1, 0x0) r1 = syz_open_procfs(0xffffffffffffffff, &amp;(0x7f0000000000)='fd/3\\x00') open_by_handle_at(r1, &amp;(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000) r2 = syz_open_dev$sg(&amp;(0x7f0000000000), 0x0, 0x40782) escribir$binfmt_aout(r2, &amp;(0x7f0000000340)=ANY=[@ANYBLOB=\"00000000deff000000000000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d\"], 0x126) En resp_readcap16() obtenemos el valor \"int alloc_len\" -1104926854, y luego pasamos la enorme arr_len se usa para fill_from_dev_buffer(), pero arr solo tiene 32 bytes. Esto genera OOB en sg_copy_buffer(). Para resolver este problema, defina alloc_len como u32."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47192.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: sysfs: Fix hang when device state is set via sysfs\n\nThis fixes a regression added with:\n\ncommit f0f82e2476f6 (\"scsi: core: Fix capacity set to zero after\nofflinining device\")\n\nThe problem is that after iSCSI recovery, iscsid will call into the kernel\nto set the dev's state to running, and with that patch we now call\nscsi_rescan_device() with the state_mutex held. If the SCSI error handler\nthread is just starting to test the device in scsi_send_eh_cmnd() then it's\ngoing to try to grab the state_mutex.\n\nWe are then stuck, because when scsi_rescan_device() tries to send its I/O\nscsi_queue_rq() calls -> scsi_host_queue_ready() -> scsi_host_in_recovery()\nwhich will return true (the host state is still in recovery) and I/O will\njust be requeued. scsi_send_eh_cmnd() will then never be able to grab the\nstate_mutex to finish error handling.\n\nTo prevent the deadlock move the rescan-related code to after we drop the\nstate_mutex.\n\nThis also adds a check for if we are already in the running state. This\nprevents extra scans and helps the iscsid case where if the transport class\nhas already onlined the device during its recovery process then we don't\nneed userspace to do it again plus possibly block that daemon."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: sysfs: Fix hang when device state is set via sysfs Esto corrige una regresi\u00f3n agregada con: commit f0f82e2476f6 (\"scsi: core: Fix capacity set to zero after offlinining device\") El problema es que despu\u00e9s de la recuperaci\u00f3n de iSCSI, iscsid llamar\u00e1 al kernel para establecer el estado del dev en running, y con ese parche ahora llamamos a scsi_rescan_device() con el state_mutex retenido. Si el hilo del controlador de errores SCSI est\u00e1 empezando a probar el dispositivo en scsi_send_eh_cmnd() entonces va a intentar capturar el state_mutex. Entonces estamos atascados, porque cuando scsi_rescan_device() intenta enviar su E/S, scsi_queue_rq() llama a -&gt; scsi_host_queue_ready() -&gt; scsi_host_in_recovery() que devolver\u00e1 verdadero (el estado del host todav\u00eda est\u00e1 en recuperaci\u00f3n) y la E/S simplemente se volver\u00e1 a poner en cola. scsi_send_eh_cmnd() nunca podr\u00e1 tomar el state_mutex para finalizar el manejo de errores. Para evitar el punto muerto, mueva el c\u00f3digo relacionado con el rescan a despu\u00e9s de que eliminemos el state_mutex. Esto tambi\u00e9n agrega una verificaci\u00f3n para ver si ya estamos en el estado de ejecuci\u00f3n. Esto evita escaneos adicionales y ayuda al caso iscsid donde si la clase de transporte ya ha puesto en l\u00ednea el dispositivo durante su proceso de recuperaci\u00f3n, entonces no necesitamos espacio de usuario para hacerlo nuevamente y posiblemente bloquear ese daemon."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47196.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Set send and receive CQ before forwarding to the driver\n\nPreset both receive and send CQ pointers prior to call to the drivers and\noverwrite it later again till the mlx4 is going to be changed do not\noverwrite ibqp properties.\n\nThis change is needed for mlx5, because in case of QP creation failure, it\nwill go to the path of QP destroy which relies on proper CQ pointers.\n\n BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]\n Write of size 8 at addr ffff8880064c55c0 by task a.out/246\n\n CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n dump_stack_lvl+0x45/0x59\n print_address_description.constprop.0+0x1f/0x140\n kasan_report.cold+0x83/0xdf\n create_qp.cold+0x164/0x16e [mlx5_ib]\n mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]\n create_qp.part.0+0x45b/0x6a0 [ib_core]\n ib_create_qp_user+0x97/0x150 [ib_core]\n ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n __x64_sys_ioctl+0x866/0x14d0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 246:\n kasan_save_stack+0x1b/0x40\n __kasan_kmalloc+0xa4/0xd0\n create_qp.part.0+0x92/0x6a0 [ib_core]\n ib_create_qp_user+0x97/0x150 [ib_core]\n ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n __x64_sys_ioctl+0x866/0x14d0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 246:\n kasan_save_stack+0x1b/0x40\n kasan_set_track+0x1c/0x30\n kasan_set_free_info+0x20/0x30\n __kasan_slab_free+0x10c/0x150\n slab_free_freelist_hook+0xb4/0x1b0\n kfree+0xe7/0x2a0\n create_qp.part.0+0x52b/0x6a0 [ib_core]\n ib_create_qp_user+0x97/0x150 [ib_core]\n ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n __x64_sys_ioctl+0x866/0x14d0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/core: Establecer el CQ de env\u00edo y recepci\u00f3n antes de reenviar al controlador Preestablecer los punteros CQ de env\u00edo y recepci\u00f3n antes de llamar a los controladores y sobrescribirlos m\u00e1s tarde nuevamente hasta que se vaya a cambiar mlx4 no sobrescribir las propiedades ibqp. Este cambio es necesario para mlx5, porque en caso de falla en la creaci\u00f3n de QP, ir\u00e1 a la ruta de destrucci\u00f3n de QP que depende de punteros CQ adecuados. BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib] Write of size 8 at addr ffff8880064c55c0 by task a.out/246 CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x45/0x59 print_address_description.constprop.0+0x1f/0x140 kasan_report.cold+0x83/0xdf create_qp.cold+0x164/0x16e [mlx5_ib] mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib] create_qp.part.0+0x45b/0x6a0 [ib_core] ib_create_qp_user+0x97/0x150 [ib_core] ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs] ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs] ib_uverbs_ioctl+0x169/0x260 [ib_uverbs] __x64_sys_ioctl+0x866/0x14d0 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Allocated by task 246: kasan_save_stack+0x1b/0x40 __kasan_kmalloc+0xa4/0xd0 create_qp.part.0+0x92/0x6a0 [ib_core] ib_create_qp_user+0x97/0x150 [ib_core] ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs] ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs] ib_uverbs_ioctl+0x169/0x260 [ib_uverbs] __x64_sys_ioctl+0x866/0x14d0 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 246: kasan_save_stack+0x1b/0x40 kasan_set_track+0x1c/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0x10c/0x150 slab_free_freelist_hook+0xb4/0x1b0 kfree+0xe7/0x2a0 create_qp.part.0+0x52b/0x6a0 [ib_core] ib_create_qp_user+0x97/0x150 [ib_core] ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs] ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs] ib_uverbs_ioctl+0x169/0x260 [ib_uverbs] __x64_sys_ioctl+0x866/0x14d0 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae "
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47197.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()\n\nPrior to this patch in case mlx5_core_destroy_cq() failed it proceeds\nto rest of destroy operations. mlx5_core_destroy_cq() could be called again\nby user and cause additional call of mlx5_debug_cq_remove().\ncq->dbg was not nullify in previous call and cause the crash.\n\nFix it by nullify cq->dbg pointer after removal.\n\nAlso proceed to destroy operations only if FW return 0\nfor MLX5_CMD_OP_DESTROY_CQ command.\n\ngeneral protection fault, probably for non-canonical address 0x2000300004058: 0000 [#1] SMP PTI\nCPU: 5 PID: 1228 Comm: python Not tainted 5.15.0-rc5_for_upstream_min_debug_2021_10_14_11_06 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:lockref_get+0x1/0x60\nCode: 5d e9 53 ff ff ff 48 8d 7f 70 e8 0a 2e 48 00 c7 85 d0 00 00 00 02\n00 00 00 c6 45 70 00 fb 5d c3 c3 cc cc cc cc cc cc cc cc 53 <48> 8b 17\n48 89 fb 85 d2 75 3d 48 89 d0 bf 64 00 00 00 48 89 c1 48\nRSP: 0018:ffff888137dd7a38 EFLAGS: 00010206\nRAX: 0000000000000000 RBX: ffff888107d5f458 RCX: 00000000fffffffe\nRDX: 000000000002c2b0 RSI: ffffffff8155e2e0 RDI: 0002000300004058\nRBP: ffff888137dd7a88 R08: 0002000300004058 R09: ffff8881144a9f88\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff8881141d4000\nR13: ffff888137dd7c68 R14: ffff888137dd7d58 R15: ffff888137dd7cc0\nFS: 00007f4644f2a4c0(0000) GS:ffff8887a2d40000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055b4500f4380 CR3: 0000000114f7a003 CR4: 0000000000170ea0\nCall Trace:\n simple_recursive_removal+0x33/0x2e0\n ? debugfs_remove+0x60/0x60\n debugfs_remove+0x40/0x60\n mlx5_debug_cq_remove+0x32/0x70 [mlx5_core]\n mlx5_core_destroy_cq+0x41/0x1d0 [mlx5_core]\n devx_obj_cleanup+0x151/0x330 [mlx5_ib]\n ? __pollwait+0xd0/0xd0\n ? xas_load+0x5/0x70\n ? xa_load+0x62/0xa0\n destroy_hw_idr_uobject+0x20/0x80 [ib_uverbs]\n uverbs_destroy_uobject+0x3b/0x360 [ib_uverbs]\n uobj_destroy+0x54/0xa0 [ib_uverbs]\n ib_uverbs_cmd_verbs+0xaf2/0x1160 [ib_uverbs]\n ? uverbs_finalize_object+0xd0/0xd0 [ib_uverbs]\n ib_uverbs_ioctl+0xc4/0x1b0 [ib_uverbs]\n __x64_sys_ioctl+0x3e4/0x8e0"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5e: anular el puntero cq-&gt;dbg en mlx5_debug_cq_remove() Antes de este parche, en caso de que mlx5_core_destroy_cq() fallara, se proced\u00eda al resto de las operaciones de destrucci\u00f3n. El usuario pod\u00eda volver a llamar a mlx5_core_destroy_cq() y provocar una llamada adicional de mlx5_debug_cq_remove(). cq-&gt;dbg no se anul\u00f3 en la llamada anterior y provoc\u00f3 el bloqueo. Arr\u00e9glelo anulando el puntero cq-&gt;dbg despu\u00e9s de la eliminaci\u00f3n. Tambi\u00e9n proceda a destruir las operaciones solo si el firmware devuelve 0 para el comando MLX5_CMD_OP_DESTROY_CQ. Fallo de protecci\u00f3n general, probablemente por direcci\u00f3n no can\u00f3nica 0x2000300004058:0000 [#1] SMP PTI CPU: 5 PID: 1228 Comm: python No contaminado 5.15.0-rc5_for_upstream_min_debug_2021_10_14_11_06 #1 Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:lockref_get+0x1/0x60 C\u00f3digo: 5d e9 53 ff ff ff 48 8d 7f 70 e8 0a 2e 48 00 c7 85 d0 00 00 00 02 00 00 00 c6 45 70 00 fb 5d c3 c3 cc cc cc cc cc cc cc cc 53 &lt;48&gt; 8b 17 48 89 fb 85 d2 75 3d 48 89 d0 bf 64 00 00 00 48 89 c1 48 RSP: 0018:ffff888137dd7a38 EFLAGS: 00010206 RAX: 000000000000000 RBX: ffff888107d5f458 RCX: 00000000fffffffe RDX: 00000000002c2b0 RSI: ffffffff8155e2e0 RDI: 0002000300004058 RBP: ffff888137dd7a88 R08: 0002000300004058 R09: ffff8881144a9f88 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881141d4000 R13: ffff888137dd7c68 R14: ffff888137dd7d58 R15: ffff888137dd7cc0 FS: 00007f4644f2a4c0(0000) GS:ffff8887a2d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b4500f4380 CR3: 0000000114f7a003 CR4: 0000000000170ea0 Seguimiento de llamadas: simple_recursive_removal+0x33/0x2e0 ? debugfs_remove+0x60/0x60 debugfs_remove+0x40/0x60 mlx5_debug_cq_remove+0x32/0x70 [mlx5_core] mlx5_core_destroy_cq+0x41/0x1d0 [mlx5_core] devx_obj_cleanup+0x151/0x330 [mlx5_ib] ? __pollwait+0xd0/0xd0 ? xas_load+0x5/0x70 ? uverbs_destruir_uobject+0x3b/0x360 [ib_uverbs] uobj_destruir+0x54/0xa0 [ib_uverbs] ib_uverbs_cmd_verbs+0xaf2/0x1160 [ib_uverbs] ? uverbs_finalizar_objeto+0xd0/0xd0 [ib_uverbs] ib_uverbs_ioctl+0xc4/0x1b0 [ib_uverbs] __x64_sys_ioctl+0x3e4/0x8e0"
}
],
"metrics": {},

4
CVE-2021/CVE-2021-471xx/CVE-2021-47199.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: CT, Fix multiple allocations and memleak of mod acts\n\nCT clear action offload adds additional mod hdr actions to the\nflow's original mod actions in order to clear the registers which\nhold ct_state.\nWhen such flow also includes encap action, a neigh update event\ncan cause the driver to unoffload the flow and then reoffload it.\n\nEach time this happens, the ct clear handling adds that same set\nof mod hdr actions to reset ct_state until the max of mod hdr\nactions is reached.\n\nAlso the driver never releases the allocated mod hdr actions and\ncausing a memleak.\n\nFix above two issues by moving CT clear mod acts allocation\ninto the parsing actions phase and only use it when offloading the rule.\nThe release of mod acts will be done in the normal flow_put().\n\n backtrace:\n [<000000007316e2f3>] krealloc+0x83/0xd0\n [<00000000ef157de1>] mlx5e_mod_hdr_alloc+0x147/0x300 [mlx5_core]\n [<00000000970ce4ae>] mlx5e_tc_match_to_reg_set_and_get_id+0xd7/0x240 [mlx5_core]\n [<0000000067c5fa17>] mlx5e_tc_match_to_reg_set+0xa/0x20 [mlx5_core]\n [<00000000d032eb98>] mlx5_tc_ct_entry_set_registers.isra.0+0x36/0xc0 [mlx5_core]\n [<00000000fd23b869>] mlx5_tc_ct_flow_offload+0x272/0x1f10 [mlx5_core]\n [<000000004fc24acc>] mlx5e_tc_offload_fdb_rules.part.0+0x150/0x620 [mlx5_core]\n [<00000000dc741c17>] mlx5e_tc_encap_flows_add+0x489/0x690 [mlx5_core]\n [<00000000e92e49d7>] mlx5e_rep_update_flows+0x6e4/0x9b0 [mlx5_core]\n [<00000000f60f5602>] mlx5e_rep_neigh_update+0x39a/0x5d0 [mlx5_core]"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5e: CT, corrige asignaciones m\u00faltiples y fuga de memoria de actos mod La descarga de la acci\u00f3n CT clear agrega acciones mod hdr adicionales a las acciones mod originales del flujo para borrar los registros que contienen ct_state. Cuando dicho flujo tambi\u00e9n incluye la acci\u00f3n encap, un evento de actualizaci\u00f3n vecinal puede hacer que el controlador descargue el flujo y luego lo vuelva a descargar. Cada vez que esto sucede, el manejo de ct clear agrega ese mismo conjunto de acciones mod hdr para restablecer ct_state hasta que se alcanza el m\u00e1ximo de acciones mod hdr. Adem\u00e1s, el controlador nunca libera las acciones mod hdr asignadas y causa una fuga de memoria. Corrija los dos problemas anteriores moviendo la asignaci\u00f3n de actos mod de CT clear a la fase de acciones de an\u00e1lisis y solo \u00faselo al descargar la regla. La liberaci\u00f3n de actos mod se realizar\u00e1 en el flow_put() normal. seguimiento inverso: [&lt;000000007316e2f3&gt;] krealloc+0x83/0xd0 [&lt;00000000ef157de1&gt;] mlx5e_mod_hdr_alloc+0x147/0x300 [mlx5_core] [&lt;00000000970ce4ae&gt;] mlx5e_tc_match_to_reg_set_and_get_id+0xd7/0x240 [mlx5_core] [&lt;0000000067c5fa17&gt;] mlx5e_tc_match_to_reg_set+0xa/0x20 [mlx5_core] [&lt;00000000d032eb98&gt;] mlx5_tc_ct_entry_set_registers.isra.0+0x36/0xc0 [mlx5_core] [&lt;00000000fd23b869&gt;] mlx5_tc_ct_flow_offload+0x272/0x1f10 [mlx5_core] [&lt;000000004fc24acc&gt;] mlx5e_tc_offload_fdb_rules.part.0+0x150/0x620 [mlx5_core] [&lt;00000000dc741c17&gt;] mlx5e_tc_encap_flows_add+0x489/0x690 [mlx5_core] [&lt;00000000e92e49d7&gt;] mlx5e_rep_actualizaci\u00f3n_flujos+0x6e4/0x9b0 [mlx5_core] [&lt;00000000f60f5602&gt;] mlx5e_rep_neigh_actualizaci\u00f3n+0x39a/0x5d0 [mlx5_core]"
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47200.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/prime: Fix use after free in mmap with drm_gem_ttm_mmap\n\ndrm_gem_ttm_mmap() drops a reference to the gem object on success. If\nthe gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that\ndrop will free the gem object, and the subsequent drm_gem_object_get()\nwill be a UAF. Fix by grabbing a reference before calling the mmap\nhelper.\n\nThis issue was forseen when the reference dropping was adding in\ncommit 9786b65bc61ac (\"drm/ttm: fix mmap refcounting\"):\n \"For that to work properly the drm_gem_object_get() call in\n drm_gem_ttm_mmap() must be moved so it happens before calling\n obj->funcs->mmap(), otherwise the gem refcount would go down\n to zero.\""
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/prime: Arreglar el use-after-free en mmap con drm_gem_ttm_mmap drm_gem_ttm_mmap() elimina una referencia al objeto gema en caso de \u00e9xito. Si el refcount del objeto gema == 1 en la entrada a drm_gem_prime_mmap(), esa eliminaci\u00f3n liberar\u00e1 el objeto gema y el drm_gem_object_get() posterior ser\u00e1 un UAF. Se soluciona tomando una referencia antes de llamar al ayudante mmap. Este problema se previ\u00f3 cuando se agreg\u00f3 la eliminaci\u00f3n de referencia en el commit 9786b65bc61ac (\"drm/ttm: corregir el recuento de referencias mmap\"): \"Para que eso funcione correctamente, la llamada drm_gem_object_get() en drm_gem_ttm_mmap() debe moverse para que suceda antes de llamar a obj-&gt;funcs-&gt;mmap(), de lo contrario, el recuento de referencias de la gema bajar\u00eda a cero\"."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47201.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: free q_vectors before queues in iavf_disable_vf\n\niavf_free_queues() clears adapter->num_active_queues, which\niavf_free_q_vectors() relies on, so swap the order of these two function\ncalls in iavf_disable_vf(). This resolves a panic encountered when the\ninterface is disabled and then later brought up again after PF\ncommunication is restored."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iavf: libera q_vectors antes de las colas en iavf_disable_vf iavf_free_queues() borra adaptador-&gt;num_active_queues, del que depende iavf_free_q_vectors(), por lo que se debe intercambiar el orden de estas dos llamadas de funci\u00f3n en iavf_disable_vf(). Esto resuelve un p\u00e1nico que se produce cuando se deshabilita la interfaz y luego se vuelve a activar despu\u00e9s de que se restablece la comunicaci\u00f3n PF."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47202.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: Fix NULL pointer dereferences in of_thermal_ functions\n\nof_parse_thermal_zones() parses the thermal-zones node and registers a\nthermal_zone device for each subnode. However, if a thermal zone is\nconsuming a thermal sensor and that thermal sensor device hasn't probed\nyet, an attempt to set trip_point_*_temp for that thermal zone device\ncan cause a NULL pointer dereference. Fix it.\n\n console:/sys/class/thermal/thermal_zone87 # echo 120000 > trip_point_0_temp\n ...\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n ...\n Call trace:\n of_thermal_set_trip_temp+0x40/0xc4\n trip_point_temp_store+0xc0/0x1dc\n dev_attr_store+0x38/0x88\n sysfs_kf_write+0x64/0xc0\n kernfs_fop_write_iter+0x108/0x1d0\n vfs_write+0x2f4/0x368\n ksys_write+0x7c/0xec\n __arm64_sys_write+0x20/0x30\n el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc\n do_el0_svc+0x28/0xa0\n el0_svc+0x14/0x24\n el0_sync_handler+0x88/0xec\n el0_sync+0x1c0/0x200\n\nWhile at it, fix the possible NULL pointer dereference in other\nfunctions as well: of_thermal_get_temp(), of_thermal_set_emul_temp(),\nof_thermal_get_trend()."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: thermal: Fix NULL pointer dereferences in of_thermal_ functions of_parse_thermal_zones() analiza el nodo thermal-zones y registra un dispositivo thermal_zone para cada subnodo. Sin embargo, si una zona t\u00e9rmica est\u00e1 consumiendo un sensor t\u00e9rmico y ese dispositivo de sensor t\u00e9rmico a\u00fan no ha realizado la prueba, un intento de establecer trip_point_*_temp para ese dispositivo de zona t\u00e9rmica puede provocar una desreferencia de puntero NULL. Arr\u00e9glelo. console:/sys/class/thermal/thermal_zone87 # echo 120000 &gt; trip_point_0_temp ... No se puede manejar la desreferencia del puntero NULL del n\u00facleo en la direcci\u00f3n virtual 0000000000000020 ... Seguimiento de llamadas: of_thermal_set_trip_temp+0x40/0xc4 trip_point_temp_store+0xc0/0x1dc dev_attr_store+0x38/0x88 sysfs_kf_write+0x64/0xc0 kernfs_fop_write_iter+0x108/0x1d0 vfs_write+0x2f4/0x368 ksys_write+0x7c/0xec __arm64_sys_write+0x20/0x30 el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc do_el0_svc+0x28/0xa0 el0_svc+0x14/0x24 el0_sync_handler+0x88/0xec el0_sync+0x1c0/0x200 Mientras tanto, corrija tambi\u00e9n la posible desreferencia del puntero NULL en otras funciones: of_thermal_get_temp(), of_thermal_set_emul_temp(), of_thermal_get_trend()."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47203.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()\n\nWhen parsing the txq list in lpfc_drain_txq(), the driver attempts to pass\nthe requests to the adapter. If such an attempt fails, a local \"fail_msg\"\nstring is set and a log message output. The job is then added to a\ncompletions list for cancellation.\n\nProcessing of any further jobs from the txq list continues, but since\n\"fail_msg\" remains set, jobs are added to the completions list regardless\nof whether a wqe was passed to the adapter. If successfully added to\ntxcmplq, jobs are added to both lists resulting in list corruption.\n\nFix by clearing the fail_msg string after adding a job to the completions\nlist. This stops the subsequent jobs from being added to the completions\nlist unless they had an appropriate failure."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: lpfc: Se corrige la corrupci\u00f3n de list_add() en lpfc_drain_txq() Al analizar la lista txq en lpfc_drain_txq(), el controlador intenta pasar las solicitudes al adaptador. Si dicho intento falla, se establece una cadena \"fail_msg\" local y se genera un mensaje de registro. Luego, el trabajo se agrega a una lista de finalizaciones para su cancelaci\u00f3n. El procesamiento de cualquier otro trabajo de la lista txq contin\u00faa, pero como \"fail_msg\" permanece establecido, los trabajos se agregan a la lista de finalizaciones independientemente de si se pas\u00f3 un wqe al adaptador. Si se agrega correctamente a txcmplq, los trabajos se agregan a ambas listas, lo que da como resultado la corrupci\u00f3n de la lista. Se soluciona borrando la cadena fail_msg despu\u00e9s de agregar un trabajo a la lista de finalizaciones. Esto evita que los trabajos posteriores se agreguen a la lista de finalizaciones a menos que hayan tenido una falla apropiada."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47204.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dpaa2-eth: fix use-after-free in dpaa2_eth_remove\n\nAccess to netdev after free_netdev() will cause use-after-free bug.\nMove debug log before free_netdev() call to avoid it."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: dpaa2-eth: se ha corregido el error use-after-free en dpaa2_eth_remove. El acceso a netdev despu\u00e9s de free_netdev() provocar\u00e1 un error use-after-free. Mueva el registro de depuraci\u00f3n antes de la llamada free_netdev() para evitarlo."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47205.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: Unregister clocks/resets when unbinding\n\nCurrently, unbinding a CCU driver unmaps the device's MMIO region, while\nleaving its clocks/resets and their providers registered. This can cause\na page fault later when some clock operation tries to perform MMIO. Fix\nthis by separating the CCU initialization from the memory allocation,\nand then using a devres callback to unregister the clocks and resets.\n\nThis also fixes a memory leak of the `struct ccu_reset`, and uses the\ncorrect owner (the specific platform driver) for the clocks and resets.\n\nEarly OF clock providers are never unregistered, and limited error\nhandling is possible, so they are mostly unchanged. The error reporting\nis made more consistent by moving the message inside of_sunxi_ccu_probe."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: clk: sunxi-ng: Anular el registro de relojes/reinicios al desvincular Actualmente, desvincular un controlador CCU anula la asignaci\u00f3n de la regi\u00f3n MMIO del dispositivo, mientras que deja sus relojes/reinicios y sus proveedores registrados. Esto puede causar una falla de p\u00e1gina m\u00e1s adelante cuando alguna operaci\u00f3n de reloj intenta realizar MMIO. Solucione esto separando la inicializaci\u00f3n de CCU de la asignaci\u00f3n de memoria y luego usando una devoluci\u00f3n de llamada devres para anular el registro de los relojes y reinicios. Esto tambi\u00e9n corrige una p\u00e9rdida de memoria de `struct ccu_reset` y usa el propietario correcto (el controlador de plataforma espec\u00edfico) para los relojes y reinicios. Los primeros proveedores de reloj OF nunca se anulan del registro y es posible un manejo de errores limitado, por lo que en su mayor\u00eda no se modifican. El informe de errores se hace m\u00e1s consistente moviendo el mensaje dentro de of_sunxi_ccu_probe."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47206.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: ohci-tmio: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: host: ohci-tmio: verificar el valor de retorno despu\u00e9s de llamar a platform_get_resource() Causar\u00e1 null-ptr-deref si platform_get_resource() devuelve NULL, necesitamos verificar el valor de retorno."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47207.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: gus: fix null pointer dereference on pointer block\n\nThe pointer block return from snd_gf1_dma_next_block could be\nnull, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: gus: corrige la desreferencia de puntero nulo en el bloque de puntero El bloque de puntero devuelto por snd_gf1_dma_next_block podr\u00eda ser nulo, por lo que existe un posible problema de desreferencia de puntero nulo. Solucione esto agregando una verificaci\u00f3n nula antes de la desreferencia."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47209.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Prevent dead task groups from regaining cfs_rq's\n\nKevin is reporting crashes which point to a use-after-free of a cfs_rq\nin update_blocked_averages(). Initial debugging revealed that we've\nlive cfs_rq's (on_list=1) in an about to be kfree()'d task group in\nfree_fair_sched_group(). However, it was unclear how that can happen.\n\nHis kernel config happened to lead to a layout of struct sched_entity\nthat put the 'my_q' member directly into the middle of the object\nwhich makes it incidentally overlap with SLUB's freelist pointer.\nThat, in combination with SLAB_FREELIST_HARDENED's freelist pointer\nmangling, leads to a reliable access violation in form of a #GP which\nmade the UAF fail fast.\n\nMichal seems to have run into the same issue[1]. He already correctly\ndiagnosed that commit a7b359fc6a37 (\"sched/fair: Correctly insert\ncfs_rq's to list on unthrottle\") is causing the preconditions for the\nUAF to happen by re-adding cfs_rq's also to task groups that have no\nmore running tasks, i.e. also to dead ones. His analysis, however,\nmisses the real root cause and it cannot be seen from the crash\nbacktrace only, as the real offender is tg_unthrottle_up() getting\ncalled via sched_cfs_period_timer() via the timer interrupt at an\ninconvenient time.\n\nWhen unregister_fair_sched_group() unlinks all cfs_rq's from the dying\ntask group, it doesn't protect itself from getting interrupted. If the\ntimer interrupt triggers while we iterate over all CPUs or after\nunregister_fair_sched_group() has finished but prior to unlinking the\ntask group, sched_cfs_period_timer() will execute and walk the list of\ntask groups, trying to unthrottle cfs_rq's, i.e. re-add them to the\ndying task group. These will later -- in free_fair_sched_group() -- be\nkfree()'ed while still being linked, leading to the fireworks Kevin\nand Michal are seeing.\n\nTo fix this race, ensure the dying task group gets unlinked first.\nHowever, simply switching the order of unregistering and unlinking the\ntask group isn't sufficient, as concurrent RCU walkers might still see\nit, as can be seen below:\n\n CPU1: CPU2:\n : timer IRQ:\n : do_sched_cfs_period_timer():\n : :\n : distribute_cfs_runtime():\n : rcu_read_lock();\n : :\n : unthrottle_cfs_rq():\n sched_offline_group(): :\n : walk_tg_tree_from(\u2026,tg_unthrottle_up,\u2026):\n list_del_rcu(&tg->list); :\n (1) : list_for_each_entry_rcu(child, &parent->children, siblings)\n : :\n (2) list_del_rcu(&tg->siblings); :\n : tg_unthrottle_up():\n unregister_fair_sched_group(): struct cfs_rq *cfs_rq = tg->cfs_rq[cpu_of(rq)];\n : :\n list_del_leaf_cfs_rq(tg->cfs_rq[cpu]); :\n : :\n : if (!cfs_rq_is_decayed(cfs_rq) || cfs_rq->nr_running)\n (3) : list_add_leaf_cfs_rq(cfs_rq);\n : :\n : :\n : :\n : :\n : \n---truncated---"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sched/fair: Evitar que los grupos de tareas inactivos recuperen cfs_rq Kevin informa fallos que apuntan a un use-after-free de un cfs_rq en update_blocked_averages(). La depuraci\u00f3n inicial revel\u00f3 que tenemos cfs_rq activos (on_list=1) en un grupo de tareas a punto de ser kfree() en free_fair_sched_group(). Sin embargo, no estaba claro c\u00f3mo puede suceder eso. Su configuraci\u00f3n del kernel result\u00f3 en un dise\u00f1o de struct sched_entity que coloca el miembro 'my_q' directamente en el medio del objeto, lo que hace que se superponga incidentalmente con el puntero de lista libre de SLUB. Eso, en combinaci\u00f3n con la manipulaci\u00f3n del puntero de lista libre de SLAB_FREELIST_HARDENED, conduce a una violaci\u00f3n de acceso confiable en forma de un #GP que hizo que el UAF fallara r\u00e1pidamente. Michal parece haberse topado con el mismo problema[1]. \u00c9l ya diagnostic\u00f3 correctamente que el commit a7b359fc6a37 (\"sched/fair: Insertar correctamente cfs_rq en la lista al desregular\") est\u00e1 causando que se cumplan las condiciones previas para que se produzca la UAF al volver a agregar cfs_rq tambi\u00e9n a los grupos de tareas que ya no tienen tareas en ejecuci\u00f3n, es decir, tambi\u00e9n a los que est\u00e1n inactivos. Sin embargo, su an\u00e1lisis no detecta la causa ra\u00edz real y no se puede ver solo desde el backtrace del bloqueo, ya que el verdadero infractor es tg_unthrottle_up() que se llama a trav\u00e9s de sched_cfs_period_timer() mediante la interrupci\u00f3n del temporizador en un momento inconveniente. Cuando unregister_fair_sched_group() desvincula todos los cfs_rq del grupo de tareas que est\u00e1 inactivo, no se protege a s\u00ed mismo de ser interrumpido. Si la interrupci\u00f3n del temporizador se activa mientras iteramos sobre todas las CPU o despu\u00e9s de que unregister_fair_sched_group() haya terminado pero antes de desvincular el grupo de tareas, sched_cfs_period_timer() se ejecutar\u00e1 y recorrer\u00e1 la lista de grupos de tareas, intentando liberar cfs_rq, es decir, volver a agregarlos al grupo de tareas moribundo. Estos ser\u00e1n posteriormente -- en free_fair_sched_group() -- kfree()'ed mientras siguen vinculados, lo que lleva a los fuegos artificiales que Kevin y Michal est\u00e1n viendo. Para solucionar esta ejecuci\u00f3n, aseg\u00farese de que el grupo de tareas moribundo se desvincule primero. Sin embargo, simplemente cambiar el orden de anulaci\u00f3n del registro y desvinculaci\u00f3n del grupo de tareas no es suficiente, ya que los caminantes de RCU concurrentes a\u00fan podr\u00edan verlo, como se puede ver a continuaci\u00f3n: CPU1: CPU2: : timer IRQ: : do_sched_cfs_period_timer(): : : : distributed_cfs_runtime(): : rcu_read_lock(); : : : unthrottle_cfs_rq(): sched_offline_group(): : : walk_tg_tree_from(\u2026,tg_unthrottle_up,\u2026): list_del_rcu(&amp;tg-&gt;list); : (1) : list_for_each_entry_rcu(child, &amp;parent-&gt;children, brothers) : : (2) list_del_rcu(&amp;tg-&gt;siblings); : : tg_unthrottle_up(): anular_registro_justo_sched_group(): struct cfs_rq *cfs_rq = tg-&gt;cfs_rq[cpu_of(rq)]; : : list_del_leaf_cfs_rq(tg-&gt;cfs_rq[cpu]); : : : : si (!cfs_rq_est\u00e1_deca\u00eddo(cfs_rq) || cfs_rq-&gt;nr_en_ejecuci\u00f3n) (3) : lista_agregar_hoja_cfs_rq(cfs_rq); : : : : : : : : : ---truncado---"
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47210.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tipd: Remove WARN_ON in tps6598x_block_read\n\nCalling tps6598x_block_read with a higher than allowed len can be\nhandled by just returning an error. There's no need to crash systems\nwith panic-on-warn enabled."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: typec: tipd: Eliminar WARN_ON en tps6598x_block_read Llamar a tps6598x_block_read con una longitud mayor que la permitida se puede solucionar simplemente devolviendo un error. No es necesario bloquear los sistemas con la funci\u00f3n de p\u00e1nico al advertir habilitada."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47211.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: fix null pointer dereference on pointer cs_desc\n\nThe pointer cs_desc return from snd_usb_find_clock_source could\nbe null, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: usb-audio: se corrige la desreferencia de puntero nulo en el puntero cs_desc El puntero cs_desc devuelto por snd_usb_find_clock_source podr\u00eda ser nulo, por lo que existe un posible problema de desreferencia de puntero nulo. Solucione esto agregando una comprobaci\u00f3n de nulo antes de la desreferencia."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47212.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Update error handler for UCTX and UMEM\n\nIn the fast unload flow, the device state is set to internal error,\nwhich indicates that the driver started the destroy process.\nIn this case, when a destroy command is being executed, it should return\nMLX5_CMD_STAT_OK.\nFix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK\ninstead of EIO.\n\nThis fixes a call trace in the umem release process -\n[ 2633.536695] Call Trace:\n[ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]\n[ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core]\n[ 2633.539641] disable_device+0x8c/0x130 [ib_core]\n[ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core]\n[ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core]\n[ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib]\n[ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary]\n[ 2633.544661] device_release_driver_internal+0x103/0x1f0\n[ 2633.545679] bus_remove_device+0xf7/0x170\n[ 2633.546640] device_del+0x181/0x410\n[ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core]\n[ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core]\n[ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core]\n[ 2633.550864] remove_one+0x69/0xe0 [mlx5_core]\n[ 2633.551819] pci_device_remove+0x3b/0xc0\n[ 2633.552731] device_release_driver_internal+0x103/0x1f0\n[ 2633.553746] unbind_store+0xf6/0x130\n[ 2633.554657] kernfs_fop_write+0x116/0x190\n[ 2633.555567] vfs_write+0xa5/0x1a0\n[ 2633.556407] ksys_write+0x4f/0xb0\n[ 2633.557233] do_syscall_64+0x5b/0x1a0\n[ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca\n[ 2633.559018] RIP: 0033:0x7f9977132648\n[ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55\n[ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648\n[ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001\n[ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740\n[ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0\n[ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c\n[ 2633.568725] ---[ end trace 10b4fe52945e544d ]---"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5: Actualizar el controlador de errores para UCTX y UMEM En el flujo de descarga r\u00e1pida, el estado del dispositivo se establece en error interno, lo que indica que el controlador inici\u00f3 el proceso de destrucci\u00f3n. En este caso, cuando se ejecuta un comando de destrucci\u00f3n, debe devolver MLX5_CMD_STAT_OK. Corrija MLX5_CMD_OP_DESTROY_UCTX y MLX5_CMD_OP_DESTROY_UMEM para que devuelvan OK en lugar de EIO. Esto corrige un seguimiento de llamadas en el proceso de lanzamiento de umem - [ 2633.536695] Seguimiento de llamadas: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] deshabilitar_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] bus_auxiliar_eliminar+0x1e/0x30 [auxiliar] [ 2633.544661] dispositivo_liberaci\u00f3n_controlador_interno+0x103/0x1f0 [ 2633.545679] bus_eliminar_dispositivo+0xf7/0x170 [ 2633.546640] dispositivo_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_anular_registro_dispositivo+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] C\u00f3digo: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 &lt;48&gt; 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ fin de seguimiento 10b4fe52945e544d ]---"
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47214.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhugetlb, userfaultfd: fix reservation restore on userfaultfd error\n\nCurrently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we\nbail out using \"goto out_release_unlock;\" in the cases where idx >=\nsize, or !huge_pte_none(), the code will detect that new_pagecache_page\n== false, and so call restore_reserve_on_error(). In this case I see\nrestore_reserve_on_error() delete the reservation, and the following\ncall to remove_inode_hugepages() will increment h->resv_hugepages\ncausing a 100% reproducible leak.\n\nWe should treat the is_continue case similar to adding a page into the\npagecache and set new_pagecache_page to true, to indicate that there is\nno reservation to restore on the error path, and we need not call\nrestore_reserve_on_error(). Rename new_pagecache_page to\npage_in_pagecache to make that clear."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hugetlb, userfaultfd: se corrige el error de restauraci\u00f3n de reserva en userfaultfd Actualmente, en el caso is_continue en hugetlb_mcopy_atomic_pte(), si salimos usando \"goto out_release_unlock;\" en los casos donde idx &gt;= size, o !huge_pte_none(), el c\u00f3digo detectar\u00e1 que new_pagecache_page == false, y por lo tanto llamar\u00e1 a restore_reserve_on_error(). En este caso, veo que restore_reserve_on_error() elimina la reserva, y la siguiente llamada a remove_inode_hugepages() incrementar\u00e1 h-&gt;resv_hugepages causando una fuga 100% reproducible. Deber\u00edamos tratar el caso is_continue de forma similar a agregar una p\u00e1gina al pagecache y establecer new_pagecache_page en true, para indicar que no hay ninguna reserva para restaurar en la ruta del error, y no necesitamos llamar a restore_reserve_on_error(). Cambie el nombre new_pagecache_page a page_in_pagecache para que quede claro."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47215.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: kTLS, Fix crash in RX resync flow\n\nFor the TLS RX resync flow, we maintain a list of TLS contexts\nthat require some attention, to communicate their resync information\nto the HW.\nHere we fix list corruptions, by protecting the entries against\nmovements coming from resync_handle_seq_match(), until their resync\nhandling in napi is fully completed."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5e: kTLS, se corrige un fallo en el flujo de resincronizaci\u00f3n RX Para el flujo de resincronizaci\u00f3n RX de TLS, mantenemos una lista de contextos TLS que requieren cierta atenci\u00f3n para comunicar su informaci\u00f3n de resincronizaci\u00f3n al hardware. Aqu\u00ed corregimos las corrupciones de la lista al proteger las entradas contra los movimientos provenientes de resync_handle_seq_match(), hasta que se complete por completo su manejo de resincronizaci\u00f3n en napi."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47216.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: advansys: Fix kernel pointer leak\n\nPointers should be printed with %p or %px rather than cast to 'unsigned\nlong' and printed with %lx.\n\nChange %lx to %p to print the hashed pointer."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: advansys: Fix kernel pointer leak Los punteros se deben imprimir con %p o %px en lugar de convertirse en 'unsigned long' e imprimirse con %lx. Cambie %lx a %p para imprimir el puntero con hash."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47217.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails\n\nCheck for a valid hv_vp_index array prior to derefencing hv_vp_index when\nsetting Hyper-V's TSC change callback. If Hyper-V setup failed in\nhyperv_init(), the kernel will still report that it's running under\nHyper-V, but will have silently disabled nearly all functionality.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP\n CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:set_hv_tscchange_cb+0x15/0xa0\n Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08\n ...\n Call Trace:\n kvm_arch_init+0x17c/0x280\n kvm_init+0x31/0x330\n vmx_init+0xba/0x13a\n do_one_initcall+0x41/0x1c0\n kernel_init_freeable+0x1f2/0x23b\n kernel_init+0x16/0x120\n ret_from_fork+0x22/0x30"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86/hyperv: Se corrige la desreferencia NULL en set_hv_tscchange_cb() si falla la configuraci\u00f3n de Hyper-V. Verifique si hay una matriz hv_vp_index v\u00e1lida antes de desreferenciar hv_vp_index al configurar la devoluci\u00f3n de llamada de cambio de TSC de Hyper-V. Si la configuraci\u00f3n de Hyper-V fall\u00f3 en hyperv_init(), el kernel a\u00fan informar\u00e1 que se est\u00e1 ejecutando bajo Hyper-V, pero habr\u00e1 deshabilitado silenciosamente casi todas las funciones. ERROR: desreferencia de puntero NULL del kernel, direcci\u00f3n: 0000000000000010 #PF: acceso de lectura del supervisor en modo kernel #PF: error_code(0x0000) - p\u00e1gina no presente PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 4 PID: 1 Comm: swapper/0 No contaminado 5.15.0-rc2+ #75 Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:set_hv_tscchange_cb+0x15/0xa0 C\u00f3digo: &lt;8b&gt; 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08 ... Seguimiento de llamadas: kvm_arch_init+0x17c/0x280 kvm_init+0x31/0x330 vmx_init+0xba/0x13a do_one_initcall+0x41/0x1c0 kernel_init_freeable+0x1f2/0x23b kernel_init+0x16/0x120 ret_from_fork+0x22/0x30"
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47218.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: fix NULL-pointer dereference when hashtab allocation fails\n\nWhen the hash table slot array allocation fails in hashtab_init(),\nh->size is left initialized with a non-zero value, but the h->htable\npointer is NULL. This may then cause a NULL pointer dereference, since\nthe policydb code relies on the assumption that even after a failed\nhashtab_init(), hashtab_map() and hashtab_destroy() can be safely called\non it. Yet, these detect an empty hashtab only by looking at the size.\n\nFix this by making sure that hashtab_init() always leaves behind a valid\nempty hashtab when the allocation fails."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: selinux: corregir la desreferencia de puntero NULL cuando falla la asignaci\u00f3n de hashtab Cuando la asignaci\u00f3n de la matriz de ranuras de la tabla hash falla en hashtab_init(), h-&gt;size se deja inicializado con un valor distinto de cero, pero el puntero h-&gt;htable es NULL. Esto puede causar una desreferencia de puntero NULL, ya que el c\u00f3digo policydb se basa en la suposici\u00f3n de que incluso despu\u00e9s de un hashtab_init() fallido, se pueden llamar hashtab_map() y hashtab_destroy() de forma segura. Sin embargo, estos detectan un hashtab vac\u00edo solo mirando el tama\u00f1o. Solucione esto asegur\u00e1ndose de que hashtab_init() siempre deje atr\u00e1s un hashtab vac\u00edo v\u00e1lido cuando falla la asignaci\u00f3n."
}
],
"metrics": {},

4
CVE-2021/CVE-2021-472xx/CVE-2021-47219.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()\n\nThe following issue was observed running syzkaller:\n\nBUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]\nBUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831\nRead of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815\n\nCPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xe4/0x14a lib/dump_stack.c:118\n print_address_description+0x73/0x280 mm/kasan/report.c:253\n kasan_report_error mm/kasan/report.c:352 [inline]\n kasan_report+0x272/0x370 mm/kasan/report.c:410\n memcpy+0x1f/0x50 mm/kasan/kasan.c:302\n memcpy include/linux/string.h:377 [inline]\n sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831\n fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021\n resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772\n schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429\n scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835\n scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896\n scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034\n __blk_run_queue_uncond block/blk-core.c:464 [inline]\n __blk_run_queue+0x1a4/0x380 block/blk-core.c:484\n blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78\n sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847\n sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716\n sg_write+0x64/0xa0 drivers/scsi/sg.c:622\n __vfs_write+0xed/0x690 fs/read_write.c:485\nkill_bdev:block_device:00000000e138492c\n vfs_write+0x184/0x4c0 fs/read_write.c:549\n ksys_write+0x107/0x240 fs/read_write.c:599\n do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nWe get 'alen' from command its type is int. If userspace passes a large\nlength we will get a negative 'alen'.\n\nSwitch n, alen, and rlen to u32."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: scsi_debug: Corregir lectura fuera de los l\u00edmites en resp_report_tgtpgs() Se observ\u00f3 el siguiente problema al ejecutar syzkaller: ERROR: KASAN: slab-out-of-bounds en memcpy include/linux/string.h:377 [en l\u00ednea] ERROR: KASAN: slab-out-of-bounds en sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831 Lectura de tama\u00f1o 2132 en la direcci\u00f3n ffff8880aea95dc8 por la tarea syz-executor.0/9815 CPU: 0 PID: 9815 Comm: syz-executor.0 No contaminado 4.19.202-00874-gfc0fe04215a9 #2 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 01/04/2014 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:77 [en l\u00ednea] dump_stack+0xe4/0x14a lib/dump_stack.c:118 print_address_description+0x73/0x280 mm/kasan/report.c:253 kasan_report_error mm/kasan/report.c:352 [en l\u00ednea] kasan_report+0x272/0x370 mm/kasan/report.c:410 memcpy+0x1f/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:377 [en l\u00ednea] sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831 rellenar_desde_buffer_dev+0x14f/0x340 drivers/scsi/scsi_debug.c:1021 resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772 schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429 scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835 scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896 scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034 __blk_run_queue_uncond bloque/blk-core.c:464 [en l\u00ednea] __blk_run_queue+0x1a4/0x380 bloque/blk-core.c:484 blk_execute_rq_nowait+0x1c2/0x2d0 bloque/blk-exec.c:78 sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847 sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716 sg_write+0x64/0xa0 drivers/scsi/sg.c:622 __vfs_write+0xed/0x690 fs/read_write.c:485 kill_bdev:block_device:00000000e138492c vfs_write+0x184/0x4c0 fs/read_write.c:549 ksys_write+0x107/0x240 fs/read_write.c:599 do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Obtenemos 'alen' del comando, su tipo es int. Si el espacio de usuario pasa una longitud grande, obtendremos un 'alen' negativo. Cambie n, alen y rlen a u32."
}
],
"metrics": {},

2
CVE-2023/CVE-2023-205xx/CVE-2023-20570.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "psirt@amd.com",
"published": "2024-02-13T18:15:47.233",
"lastModified": "2024-02-13T18:23:02.393",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-251xx/CVE-2023-25189.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "cve@mitre.org",
"published": "2024-09-25T16:15:06.827",
"lastModified": "2024-09-26T13:32:02.803",
"vulnStatus": "Undergoing Analysis",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-255xx/CVE-2023-25535.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "security_alert@emc.com",
"published": "2024-02-14T08:15:08.597",
"lastModified": "2024-02-14T13:59:35.580",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2023/CVE-2023-255xx/CVE-2023-25581.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` class from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix `{#sb64}` and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a `RestrictedObjectInputStream` is in place, that puts some restriction on what classes can be deserialized, it still allows a broad range of java packages and potentially exploitable with different gadget chains. pac4j versions 4.0.0 and greater are not affected by this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "pac4j es un framework de seguridad para Java. `pac4j-core` anterior a la versi\u00f3n 4.0.0 se ve afectado por una vulnerabilidad de deserializaci\u00f3n de Java. La vulnerabilidad afecta a los sistemas que almacenan valores controlados externamente en atributos de la clase `UserProfile` de pac4j-core. Se puede explotar proporcionando un atributo que contenga un objeto Java serializado con un prefijo especial `{#sb64}` y codificaci\u00f3n Base64. Este problema puede provocar la ejecuci\u00f3n remota de c\u00f3digo (RCE) en el peor de los casos. Aunque existe un `RestrictedObjectInputStream`, que impone algunas restricciones sobre qu\u00e9 clases se pueden deserializar, a\u00fan permite una amplia gama de paquetes de Java y es potencialmente explotable con diferentes cadenas de gadgets. Las versiones 4.0.0 y posteriores de pac4j no se ven afectadas por este problema. Se recomienda a los usuarios que actualicen. No existen workarounds para esta vulnerabilidad."
}
],
"metrics": {

2
CVE-2023/CVE-2023-265xx/CVE-2023-26562.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "cve@mitre.org",
"published": "2024-02-13T16:15:08.187",
"lastModified": "2024-02-13T18:23:02.393",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-280xx/CVE-2023-28018.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "psirt@hcl.com",
"published": "2024-02-12T23:15:08.100",
"lastModified": "2024-02-13T14:01:49.147",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-392xx/CVE-2023-39249.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "security_alert@emc.com",
"published": "2024-02-14T08:15:09.013",
"lastModified": "2024-02-14T13:59:35.580",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-417xx/CVE-2023-41703.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "security@open-xchange.com",
"published": "2024-02-12T09:15:10.480",
"lastModified": "2024-02-16T14:15:07.827",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-417xx/CVE-2023-41704.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "security@open-xchange.com",
"published": "2024-02-12T09:15:10.697",
"lastModified": "2024-02-16T14:15:07.930",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-442xx/CVE-2023-44283.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "security_alert@emc.com",
"published": "2024-02-14T08:15:09.347",
"lastModified": "2024-02-14T13:59:35.580",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-442xx/CVE-2023-44293.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "security_alert@emc.com",
"published": "2024-02-14T08:15:09.683",
"lastModified": "2024-02-14T13:59:35.580",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-442xx/CVE-2023-44294.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "security_alert@emc.com",
"published": "2024-02-14T09:15:35.743",
"lastModified": "2024-02-14T13:59:35.580",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-456xx/CVE-2023-45698.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "psirt@hcl.com",
"published": "2024-02-10T04:15:07.280",
"lastModified": "2024-02-11T22:29:15.837",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2023/CVE-2023-468xx/CVE-2023-46842.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and\nother modes. This in particular means that they may set registers used\nto pass 32-bit-mode hypercall arguments to values outside of the range\n32-bit code would be able to set them to.\n\nWhen processing of hypercalls takes a considerable amount of time,\nthe hypervisor may choose to invoke a hypercall continuation. Doing so\ninvolves putting (perhaps updated) hypercall arguments in respective\nregisters. For guests not running in 64-bit mode this further involves\na certain amount of translation of the values.\n\nUnfortunately internal sanity checking of these translated values\nassumes high halves of registers to always be clear when invoking a\nhypercall. When this is found not to be the case, it triggers a\nconsistency check in the hypervisor and causes a crash.\n"
},
{
"lang": "es",
"value": "A diferencia de los hu\u00e9spedes PV de 32 bits, los hu\u00e9spedes HVM pueden cambiar libremente entre 64 bits y otros modos. Esto significa en particular que pueden configurar los registros utilizados para pasar argumentos de hiperllamada en modo de 32 bits a valores fuera del rango en el que el c\u00f3digo de 32 bits podr\u00eda configurarlos. Cuando el procesamiento de hiperllamadas toma una cantidad considerable de tiempo, el hipervisor puede optar por invocar una continuaci\u00f3n de hiperllamada. Hacerlo implica colocar argumentos de hiperllamada (quiz\u00e1s actualizados) en los registros respectivos. Para los hu\u00e9spedes que no se ejecutan en modo de 64 bits, esto implica adem\u00e1s una cierta cantidad de traducci\u00f3n de los valores. Desafortunadamente, la comprobaci\u00f3n de cordura interna de estos valores traducidos supone que las mitades altas de los registros siempre est\u00e1n limpias al invocar una hiperllamada. Cuando se descubre que este no es el caso, se activa una comprobaci\u00f3n de coherencia en el hipervisor y se produce un bloqueo."
}
],
"metrics": {},

2
CVE-2023/CVE-2023-484xx/CVE-2023-48432.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "cve@mitre.org",
"published": "2024-02-13T16:15:08.380",
"lastModified": "2024-02-13T18:23:02.393",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-491xx/CVE-2023-49125.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "productcert@siemens.com",
"published": "2024-02-13T09:15:46.173",
"lastModified": "2024-05-14T16:15:47.657",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-502xx/CVE-2023-50236.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "productcert@siemens.com",
"published": "2024-02-13T09:15:46.633",
"lastModified": "2024-05-15T08:15:08.960",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-508xx/CVE-2023-50808.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "cve@mitre.org",
"published": "2024-02-13T18:15:47.320",
"lastModified": "2024-08-19T15:35:01.787",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-524xx/CVE-2023-52428.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "cve@mitre.org",
"published": "2024-02-11T05:15:08.383",
"lastModified": "2024-02-11T22:29:15.837",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2023/CVE-2023-524xx/CVE-2023-52430.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "cve@mitre.org",
"published": "2024-02-12T23:15:08.353",
"lastModified": "2024-02-13T14:01:49.147",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2023/CVE-2023-63xx/CVE-2023-6361.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "A vulnerability has been discovered in Winhex affecting version 16.1 SR-1 and 20.4. This vulnerability consists of a buffer overflow controlling the Structured Exception Handler (SEH) registers. This could allow attackers to execute arbitrary code via a long filename argument."
},
{
"lang": "es",
"value": "Se ha descubierto una vulnerabilidad en Winhex que afecta a las versiones 16.1 SR-1 y 20.4. Esta vulnerabilidad consiste en un desbordamiento de b\u00fafer que controla los registros del controlador de excepciones estructurado (SEH). Esto podr\u00eda permitir a los atacantes ejecutar c\u00f3digo arbitrario mediante un argumento de nombre de archivo largo."
}
],
"metrics": {

4
CVE-2023/CVE-2023-63xx/CVE-2023-6362.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "A vulnerability has been discovered in Winhex affecting version 16.1 SR-1 and 20.4. This vulnerability consists of a buffer overflow controlling the Structured Exception Handler (SEH) registers. This could allow attackers to execute arbitrary code via a long filename argument."
},
{
"lang": "es",
"value": "Se ha descubierto una vulnerabilidad en Winhex que afecta a las versiones 16.1 SR-1 y 20.4. Esta vulnerabilidad consiste en un desbordamiento de b\u00fafer que controla los registros del controlador de excepciones estructurado (SEH). Esto podr\u00eda permitir a los atacantes ejecutar c\u00f3digo arbitrario mediante un argumento de nombre de archivo largo."
}
],
"metrics": {

2
CVE-2023/CVE-2023-72xx/CVE-2023-7260.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "security@opentext.com",
"published": "2024-08-22T21:15:16.107",
"lastModified": "2024-08-23T16:18:28.547",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-02xx/CVE-2024-0229.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "secalert@redhat.com",
"published": "2024-02-09T07:16:00.107",
"lastModified": "2024-05-22T17:16:11.003",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-10xx/CVE-2024-1082.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "product-cna@github.com",
"published": "2024-02-13T19:15:08.793",
"lastModified": "2024-02-13T19:45:42.327",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-10xx/CVE-2024-1084.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "product-cna@github.com",
"published": "2024-02-13T19:15:09.053",
"lastModified": "2024-02-13T19:45:42.327",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-11xx/CVE-2024-1163.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "security@huntr.dev",
"published": "2024-02-13T15:15:08.647",
"lastModified": "2024-02-29T15:15:07.473",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-13xx/CVE-2024-1309.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "psirt@honeywell.com",
"published": "2024-02-13T14:15:46.463",
"lastModified": "2024-04-18T21:15:07.060",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-14xx/CVE-2024-1432.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "cna@vuldb.com",
"published": "2024-02-11T03:15:08.930",
"lastModified": "2024-08-01T19:15:36.183",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [
{
"sourceIdentifier": "cna@vuldb.com",

2
CVE-2024/CVE-2024-14xx/CVE-2024-1454.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "secalert@redhat.com",
"published": "2024-02-12T23:15:08.410",
"lastModified": "2024-03-23T03:15:10.633",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2024/CVE-2024-15xx/CVE-2024-1511.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplied file paths. This flaw allows an unauthenticated attacker to read, write, and in certain configurations execute arbitrary files on the server by exploiting various endpoints. The vulnerability can be exploited even when the service is bound to localhost, through cross-site requests facilitated by malicious HTML/JS pages."
},
{
"lang": "es",
"value": "El repositorio parisneo/lollms-webui es susceptible a una vulnerabilidad de path traversal debido a una validaci\u00f3n inadecuada de las rutas de archivo proporcionadas por el usuario. Esta falla permite que un atacante no autenticado lea, escriba y, en ciertas configuraciones, ejecute archivos arbitrarios en el servidor mediante la explotaci\u00f3n de varios endpoints. La vulnerabilidad puede explotarse incluso cuando el servicio est\u00e1 vinculado a localhost, a trav\u00e9s de solicitudes entre sitios facilitadas por p\u00e1ginas HTML/JS maliciosas."
}
],
"metrics": {

4
CVE-2024/CVE-2024-15xx/CVE-2024-1520.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussion_id' parameter. Attackers can exploit this vulnerability by injecting malicious OS commands, leading to unauthorized command execution on the underlying operating system. This could result in unauthorized access, data leakage, or complete system compromise."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en el endpoint '/open_code_folder' de la aplicaci\u00f3n parisneo/lollms-webui, debido a una validaci\u00f3n incorrecta de la entrada proporcionada por el usuario en el par\u00e1metro 'discussion_id'. Los atacantes pueden aprovechar esta vulnerabilidad inyectando comandos del sistema operativo maliciosos, lo que lleva a la ejecuci\u00f3n no autorizada de comandos en el sistema operativo subyacente. Esto podr\u00eda provocar acceso no autorizado, fuga de datos o la vulneraci\u00f3n total del sistema."
}
],
"metrics": {

4
CVE-2024/CVE-2024-16xx/CVE-2024-1600.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (`../../`) followed by the desired system file path, URL encoded. Successful exploitation allows the attacker to read any file on the filesystem accessible by the web server. This issue arises due to improper control of filename for include/require statement in the application."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de inclusi\u00f3n de archivos locales (LFI) en la aplicaci\u00f3n parisneo/lollms-webui, espec\u00edficamente dentro de la ruta `/personalities`. Un atacante puede explotar esta vulnerabilidad creando una URL que incluya secuencias de directory traversal (`../../`) seguidas de la ruta de archivo del sistema deseada, codificada en URL. Una explotaci\u00f3n exitosa permite al atacante leer cualquier archivo en el sistema de archivos al que pueda acceder el servidor web. Este problema surge debido a un control inadecuado del nombre de archivo para la declaraci\u00f3n include/require en la aplicaci\u00f3n."
}
],
"metrics": {

4
CVE-2024/CVE-2024-16xx/CVE-2024-1602.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within the user's browser context, enabling the attacker to send a request to the `/execute_code` endpoint and establish a reverse shell to the attacker's host. The issue affects various components of the application, including the handling of user input and model output."
},
{
"lang": "es",
"value": "parisneo/lollms-webui es vulnerable a Cross Site Scripting (XSS) almacenado que conducen a la ejecuci\u00f3n remota de c\u00f3digo (RCE). La vulnerabilidad surge debido a una desinfecci\u00f3n y validaci\u00f3n inadecuadas de los datos de salida del modelo, lo que permite a un atacante inyectar c\u00f3digo JavaScript malicioso. Este c\u00f3digo se puede ejecutar dentro del contexto del navegador del usuario, lo que permite al atacante enviar una solicitud al endpoint `/execute_code` y establecer un shell inverso al host del atacante. El problema afecta a varios componentes de la aplicaci\u00f3n, incluido el manejo de la entrada del usuario y la salida del modelo."
}
],
"metrics": {

4
CVE-2024/CVE-2024-16xx/CVE-2024-1625.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user's organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with the target project's ID. This issue affects the project deletion functionality implemented in the projects.delete route."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de referencia directa a objetos inseguros (IDOR) en la versi\u00f3n 0.3.0 de la aplicaci\u00f3n lunary-ai/lunary, que permite la eliminaci\u00f3n no autorizada de cualquier proyecto de una organizaci\u00f3n. La vulnerabilidad se debe a comprobaciones de autorizaci\u00f3n insuficientes en el punto de conexi\u00f3n de eliminaci\u00f3n de proyectos, donde el punto de conexi\u00f3n no verifica si el ID del proyecto proporcionado en la solicitud pertenece a la organizaci\u00f3n del usuario solicitante. Como resultado, un atacante puede eliminar proyectos que pertenecen a cualquier organizaci\u00f3n enviando una solicitud DELETE manipulada con el ID del proyecto de destino. Este problema afecta a la funcionalidad de eliminaci\u00f3n de proyectos implementada en la ruta projects.delete."
}
],
"metrics": {

4
CVE-2024/CVE-2024-16xx/CVE-2024-1643.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that organization. This vulnerability allows unauthorized access and modification of sensitive information, posing a significant security risk. The flaw is due to insufficient verification of user permissions when joining an organization."
},
{
"lang": "es",
"value": "Al conocer el ID de una organizaci\u00f3n, un atacante puede unirse a la organizaci\u00f3n sin permiso y obtener la capacidad de leer y modificar todos los datos dentro de esa organizaci\u00f3n. Esta vulnerabilidad permite el acceso no autorizado y la modificaci\u00f3n de informaci\u00f3n confidencial, lo que representa un riesgo de seguridad significativo. La falla se debe a una verificaci\u00f3n insuficiente de los permisos de los usuarios al unirse a una organizaci\u00f3n."
}
],
"metrics": {

4
CVE-2024/CVE-2024-17xx/CVE-2024-1740.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in the browser, which does not properly invalidate upon the user's removal from the organization. This allows the removed user to perform unauthorized actions on logs and access project and external user details without valid permissions."
},
{
"lang": "es",
"value": "En la versi\u00f3n 1.0.1 de lunary-ai/lunary, existe una vulnerabilidad en la que un usuario eliminado de una organizaci\u00f3n a\u00fan puede leer, crear, modificar y eliminar registros reutilizando un token de autorizaci\u00f3n antiguo. La aplicaci\u00f3n web lunary se comunica con el servidor mediante un token de \"Autorizaci\u00f3n\" en el navegador, que no se invalida correctamente cuando se elimina al usuario de la organizaci\u00f3n. Esto permite que el usuario eliminado realice acciones no autorizadas en los registros y acceda a los detalles del proyecto y del usuario externo sin permisos v\u00e1lidos."
}
],
"metrics": {

2
CVE-2024/CVE-2024-18xx/CVE-2024-1873.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "security@huntr.dev",
"published": "2024-06-06T19:15:51.460",
"lastModified": "2024-06-07T14:56:05.647",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2024/CVE-2024-200xx/CVE-2024-20090.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In vdec, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09028313; Issue ID: MSV-1703."
},
{
"lang": "es",
"value": "En vdec, existe una posible escritura fuera de los l\u00edmites debido a una verificaci\u00f3n de los l\u00edmites faltante. Esto podr\u00eda provocar una escalada local de privilegios, siendo necesarios los permisos de ejecuci\u00f3n de System. No se necesita interacci\u00f3n del usuario para la explotaci\u00f3n. ID de parche: ALPS09028313; ID de problema: MSV-1703."
}
],
"metrics": {

4
CVE-2024/CVE-2024-200xx/CVE-2024-20092.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In vdec, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09028313; Issue ID: MSV-1700."
},
{
"lang": "es",
"value": "En vdec, existe una posible escritura fuera de los l\u00edmites debido a una verificaci\u00f3n de los l\u00edmites faltante. Esto podr\u00eda provocar una escalada local de privilegios, siendo necesarios los permisos de ejecuci\u00f3n de System. No se necesita la interacci\u00f3n del usuario para la explotaci\u00f3n. ID de parche: ALPS09028313; ID de problema: MSV-1700."
}
],
"metrics": {

4
CVE-2024/CVE-2024-200xx/CVE-2024-20094.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00843282; Issue ID: MSV-1535."
},
{
"lang": "es",
"value": "En Modem, existe un posible bloqueo del sistema debido a la falta de una verificaci\u00f3n de los l\u00edmites. Esto podr\u00eda provocar una denegaci\u00f3n de servicio remota sin necesidad de privilegios de ejecuci\u00f3n adicionales. No se necesita interacci\u00f3n del usuario para la explotaci\u00f3n. ID de parche: MOLY00843282; ID de problema: MSV-1535."
}
],
"metrics": {

4
CVE-2024/CVE-2024-200xx/CVE-2024-20098.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In power, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08996886; Issue ID: MSV-1626."
},
{
"lang": "es",
"value": "En el estado de encendido, es posible que se produzca una escritura fuera de los l\u00edmites debido a la falta de una comprobaci\u00f3n de los l\u00edmites. Esto podr\u00eda provocar una escalada local de privilegios, siendo necesarios los permisos de ejecuci\u00f3n de System. No se necesita la interacci\u00f3n del usuario para la explotaci\u00f3n. ID de parche: ALPS08996886; ID de problema: MSV-1626."
}
],
"metrics": {

4
CVE-2024/CVE-2024-200xx/CVE-2024-20099.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In power, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08997492; Issue ID: MSV-1625."
},
{
"lang": "es",
"value": "En el estado de encendido, es posible que se produzca una escritura fuera de los l\u00edmites debido a la falta de una comprobaci\u00f3n de los l\u00edmites. Esto podr\u00eda provocar una escalada local de privilegios, siendo necesarios los permisos de ejecuci\u00f3n de System. No se necesita la interacci\u00f3n del usuario para la explotaci\u00f3n. ID de parche: ALPS08997492; ID de problema: MSV-1625."
}
],
"metrics": {

4
CVE-2024/CVE-2024-201xx/CVE-2024-20100.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In wlan driver, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08998449; Issue ID: MSV-1603."
},
{
"lang": "es",
"value": "En el controlador WLAN, existe una posible escritura fuera de los l\u00edmites debido a una validaci\u00f3n de entrada incorrecta. Esto podr\u00eda provocar la ejecuci\u00f3n remota de c\u00f3digo sin necesidad de privilegios de ejecuci\u00f3n adicionales. No se necesita interacci\u00f3n del usuario para la explotaci\u00f3n. ID de parche: ALPS08998449; ID de problema: MSV-1603."
}
],
"metrics": {

4
CVE-2024/CVE-2024-201xx/CVE-2024-20101.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In wlan driver, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08998901; Issue ID: MSV-1602."
},
{
"lang": "es",
"value": "En el controlador WLAN, existe una posible escritura fuera de los l\u00edmites debido a una validaci\u00f3n de entrada incorrecta. Esto podr\u00eda provocar la ejecuci\u00f3n remota de c\u00f3digo sin necesidad de privilegios de ejecuci\u00f3n adicionales. No se necesita interacci\u00f3n del usuario para la explotaci\u00f3n. ID de parche: ALPS08998901; ID de problema: MSV-1602."
}
],
"metrics": {

4
CVE-2024/CVE-2024-201xx/CVE-2024-20103.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "In wlan firmware, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09001358; Issue ID: MSV-1599."
},
{
"lang": "es",
"value": "En el firmware de WLAN, existe la posibilidad de una escritura fuera de los l\u00edmites debido a una validaci\u00f3n de entrada incorrecta. Esto podr\u00eda provocar la ejecuci\u00f3n remota de c\u00f3digo sin necesidad de privilegios de ejecuci\u00f3n adicionales. No se necesita interacci\u00f3n del usuario para la explotaci\u00f3n. ID de parche: ALPS09001358; ID de problema: MSV-1599."
}
],
"metrics": {

2
CVE-2024/CVE-2024-202xx/CVE-2024-20284.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "ykramarz@cisco.com",
"published": "2024-08-28T17:15:06.893",
"lastModified": "2024-08-29T13:25:27.537",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-202xx/CVE-2024-20285.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "ykramarz@cisco.com",
"published": "2024-08-28T17:15:07.687",
"lastModified": "2024-08-29T13:25:27.537",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-202xx/CVE-2024-20286.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "ykramarz@cisco.com",
"published": "2024-08-28T17:15:08.400",
"lastModified": "2024-08-29T13:25:27.537",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-203xx/CVE-2024-20350.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "ykramarz@cisco.com",
"published": "2024-09-25T17:15:15.000",
"lastModified": "2024-09-26T13:32:02.803",
"vulnStatus": "Undergoing Analysis",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2024/CVE-2024-203xx/CVE-2024-20389.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "A vulnerability in the ConfD CLI and the Cisco Crosswork Network Services Orchestrator CLI could allow an authenticated, low-privileged, local attacker to read and write arbitrary files as root on the underlying operating system.\n\n\nThis vulnerability is due to improper authorization enforcement when specific CLI commands are used. An attacker could exploit this vulnerability by executing an affected CLI command with crafted arguments. A successful exploit could allow the attacker to read or write arbitrary files on the underlying operating system with the privileges of the root user."
},
{
"lang": "es",
"value": "Una vulnerabilidad en la CLI de ConfD y la CLI de Cisco Crosswork Network Services Orchestrator podr\u00eda permitir que un atacante local autenticado y con pocos privilegios lea y escriba archivos arbitrarios como usuario root en el sistema operativo subyacente. Esta vulnerabilidad se debe a una aplicaci\u00f3n incorrecta de la autorizaci\u00f3n cuando se utilizan comandos CLI espec\u00edficos. Un atacante podr\u00eda aprovechar esta vulnerabilidad ejecutando un comando CLI afectado con argumentos creados. Una explotaci\u00f3n exitosa podr\u00eda permitir al atacante leer o escribir archivos arbitrarios en el sistema operativo subyacente con los privilegios del usuario root."
}
],
"metrics": {

2
CVE-2024/CVE-2024-204xx/CVE-2024-20496.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "ykramarz@cisco.com",
"published": "2024-09-25T17:15:18.020",
"lastModified": "2024-09-26T13:32:02.803",
"vulnStatus": "Undergoing Analysis",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-207xx/CVE-2024-20787.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "psirt@adobe.com",
"published": "2024-10-09T09:15:05.000",
"lastModified": "2024-10-10T12:51:56.987",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2024/CVE-2024-207xx/CVE-2024-20791.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "Illustrator versions 28.4, 27.9.3 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
},
{
"lang": "es",
"value": "Las versiones 28.4, 27.9.3 y anteriores de Illustrator se ven afectadas por una vulnerabilidad de lectura fuera de los l\u00edmites al analizar un archivo manipulado, lo que podr\u00eda provocar una lectura m\u00e1s all\u00e1 del final de una estructura de memoria asignada. Un atacante podr\u00eda aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del usuario actual. Para explotar este problema es necesaria la interacci\u00f3n del usuario, ya que la v\u00edctima debe abrir un archivo malicioso."
}
],
"metrics": {

4
CVE-2024/CVE-2024-207xx/CVE-2024-20792.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "Illustrator versions 28.4, 27.9.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
},
{
"lang": "es",
"value": "Las versiones 28.4, 27.9.3 y anteriores de Illustrator se ven afectadas por una vulnerabilidad de tipo Use After Free que podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo arbitrario en el contexto del usuario actual. Para explotar este problema es necesaria la interacci\u00f3n del usuario, ya que la v\u00edctima debe abrir un archivo malicioso."
}
],
"metrics": {

4
CVE-2024/CVE-2024-207xx/CVE-2024-20793.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "Illustrator versions 28.4, 27.9.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
},
{
"lang": "es",
"value": "Las versiones 28.4, 27.9.3 y anteriores de Illustrator se ven afectadas por una vulnerabilidad de lectura fuera de los l\u00edmites que podr\u00eda provocar la divulgaci\u00f3n de memoria confidencial. Un atacante podr\u00eda aprovechar esta vulnerabilidad para eludir mitigaciones como ASLR. La explotaci\u00f3n de este problema requiere la interacci\u00f3n del usuario, ya que la v\u00edctima debe abrir un archivo malicioso."
}
],
"metrics": {

4
CVE-2024/CVE-2024-20xx/CVE-2024-2029.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used for converting audio files to WAV format for transcription. The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attacker to execute arbitrary commands on the host system. Successful exploitation could lead to unauthorized access, data breaches, or other detrimental impacts, depending on the privileges of the process executing the code."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos en el `TranscriptEndpoint` de mudler/localai, espec\u00edficamente dentro de la funci\u00f3n `audioToWav` utilizada para convertir archivos de audio al formato WAV para su transcripci\u00f3n. La vulnerabilidad surge debido a la falta de desinfecci\u00f3n de los nombres de archivo proporcionados por el usuario antes de pasarlos a ffmpeg a trav\u00e9s de un comando de shell, lo que permite a un atacante ejecutar comandos arbitrarios en el sistema host. Una explotaci\u00f3n exitosa podr\u00eda provocar acceso no autorizado, violaciones de datos u otros impactos perjudiciales, seg\u00fan los privilegios del proceso que ejecuta el c\u00f3digo."
}
],
"metrics": {

2
CVE-2024/CVE-2024-213xx/CVE-2024-21315.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "secure@microsoft.com",
"published": "2024-02-13T18:15:48.403",
"lastModified": "2024-05-29T00:15:17.893",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

6
CVE-2024/CVE-2024-214xx/CVE-2024-21455.json
View File

@ -3,12 +3,16 @@
"sourceIdentifier": "product-security@qualcomm.com",
"published": "2024-10-07T13:15:10.360",
"lastModified": "2024-10-07T17:47:48.410",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Memory corruption when a compat IOCTL call is followed by another IOCTL call from userspace to a driver."
},
{
"lang": "es",
"value": "Corrupci\u00f3n de memoria cuando una llamada IOCTL de compatibilidad es seguida por otra llamada IOCTL desde el espacio de usuario a un controlador."
}
],
"metrics": {

2
CVE-2024/CVE-2024-214xx/CVE-2024-21491.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "report@snyk.io",
"published": "2024-02-13T05:15:08.873",
"lastModified": "2024-03-06T14:15:48.020",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

4
CVE-2024/CVE-2024-21xx/CVE-2024-2195.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides in the `run_search_api` function of the `aim/web/api/runs/views.py` file, where improper restriction of user access to the `RunView` object allows for the execution of arbitrary code via the `query` parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise."
},
{
"lang": "es",
"value": "Se identific\u00f3 una vulnerabilidad cr\u00edtica de ejecuci\u00f3n remota de c\u00f3digo (RCE) en el proyecto aimhubio/aim, espec\u00edficamente dentro del endpoint `/api/runs/search/run/`, que afecta a las versiones &gt;= 3.0.0. La vulnerabilidad reside en la funci\u00f3n `run_search_api` del archivo `aim/web/api/runs/views.py`, donde la restricci\u00f3n indebida del acceso del usuario al objeto `RunView` permite la ejecuci\u00f3n de c\u00f3digo arbitrario a trav\u00e9s del par\u00e1metro `query`. Este problema permite a los atacantes ejecutar comandos arbitrarios en el servidor, lo que potencialmente puede provocar un compromiso total del sistema."
}
],
"metrics": {

4
CVE-2024/CVE-2024-21xx/CVE-2024-2196.json
View File

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboard. An attacker can exploit this by tricking a user into executing a malicious script that sends unauthorized requests to the aim server, leading to potential data loss and unauthorized data manipulation."
},
{
"lang": "es",
"value": "aimhubio/aim es vulnerable a Cross-Site Request Forgery (CSRF), lo que permite a los atacantes realizar acciones como eliminar ejecuciones, actualizar datos y robar datos como registros y notas sin el consentimiento del usuario. La vulnerabilidad se debe a la falta de protecci\u00f3n CSRF y CORS en el panel de control de AIM. Un atacante puede aprovechar esto enga\u00f1ando a un usuario para que ejecute un script malicioso que env\u00eda solicitudes no autorizadas al servidor de AIM, lo que provoca una posible p\u00e9rdida de datos y una manipulaci\u00f3n de datos no autorizada."
}
],
"metrics": {

2
CVE-2024/CVE-2024-220xx/CVE-2024-22074.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "cve@mitre.org",
"published": "2024-06-06T21:15:48.180",
"lastModified": "2024-06-07T14:56:05.647",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-221xx/CVE-2024-22128.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "cna@sap.com",
"published": "2024-02-13T02:15:08.323",
"lastModified": "2024-02-13T14:01:40.577",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-221xx/CVE-2024-22129.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "cna@sap.com",
"published": "2024-02-13T04:15:08.133",
"lastModified": "2024-02-13T14:01:40.577",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-221xx/CVE-2024-22130.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "cna@sap.com",
"published": "2024-02-13T03:15:08.163",
"lastModified": "2024-02-13T14:01:40.577",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

2
CVE-2024/CVE-2024-221xx/CVE-2024-22131.json
View File

@ -3,7 +3,7 @@
"sourceIdentifier": "cna@sap.com",
"published": "2024-02-13T03:15:08.363",
"lastModified": "2024-02-13T14:01:40.577",
"vulnStatus": "Awaiting Analysis",
"vulnStatus": "Undergoing Analysis",
"cveTags": [],
"descriptions": [
{

Some files were not shown because too many files have changed in this diff Show More