| CVE-2023-41175 |
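A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow. |
Moderate |
libtiff |
No |
Fixed |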
2023-08-27 |
2026-01-22 |
| CVE-2023-40745 |
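LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow. |
Moderate |
libtiff |
No |
Fixed |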
2023-08-27 |
2026-01-22 |
| CVE-2023-2235 |
A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation. The perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability. We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2. |
Important |
kernel |
Yes |
Fixed |
2023-08-25 |
2025-12-09 |
| CVE-2023-40217 |
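An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and is then closed quickly, there is a brief window where the SSLSocket instance will detect the socket as not connected and will not initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.) |
Important |
python3.10, python3.11, python3, python39:3.9, python, python27:2.7 |
No |
Fixed |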
2023-08-24 |
2026-01-08 |
| CVE-2021-46174 |
Heap-based buffer overflow in the function bfd_getl32 in Binutils objdump 3.37. |
Moderate |
binutils |
No |
Fixed |
2023-08-24 |
2025-12-11 |
| CVE-2023-4513 |
BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file |
Important |
wireshark |
No |
Fixed |
2023-08-23 |
2026-01-05 |
| CVE-2023-4512 |
CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file |
Important |
wireshark |
No |
Fixed |
2023-08-23 |
2026-01-05 |
| CVE-2023-4511 |
BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file |
Important |
wireshark |
No |
Fixed |
2023-08-23 |
2026-01-05 |
| CVE-2023-38403 |
iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field. |
Important |
iperf3 |
No |
Fixed |
2023-08-23 |
2026-01-06 |
| CVE-2023-32559 |
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. |
Important |
noslate-anode, nodejs, nodejs:16, nodejs:18 |
No |
Fixed |
2023-08-23 |
2026-01-05 |
| CVE-2022-48174 |
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. |
Important |
busybox |
No |
Fixed |
2023-08-23 |
2026-01-05 |
| CVE-2022-48065 |
GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability via the function find_abstract_instance in dwarf2.c. |
Moderate |
binutils |
No |
Fixed |
2023-08-23 |
2025-12-11 |
| CVE-2022-48064 |
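GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt in dwarf2.c. An attacker can supply a crafted ELF file and cause a DNS attack. |
Moderate |
binutils |
No |
Fixed |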
2023-08-23 |
2025-12-11 |
| CVE-2022-48063 |
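GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function load_separate_debug_files in dwarf2.c. An attacker can supply a crafted ELF file and cause a DNS attack. |
Moderate |
binutils |
No |
Fixed |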
2023-08-23 |
2025-12-11 |
| CVE-2022-47696 |
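An issue was discovered in Binutils objdump before 2.39.3 that allows attackers to cause a denial of service or other unspecified impacts via the function compare_symbols. |
Important |
binutils |
No |
Fixed |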
2023-08-23 |
2025-12-11 |
| CVE-2022-47695 |
An issue discovered in Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via the function bfd_mach_o_get_synthetic_symtab in match-o.c. |
Important |
binutils |
No |
Fixed |
2023-08-23 |
2025-12-11 |
| CVE-2022-47673 |
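An issue was discovered in Binutils addr2line before 2.39.3. The function parse_module contains multiple out-of-bounds reads, which may cause a denial of service or other unspecified impacts. |
Important |
binutils |
No |
Fixed |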
2023-08-23 |
2025-12-11 |
| CVE-2023-41105 |
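An issue was discovered in Python 3.11 through 3.11.4. If a path containing \0 bytes is passed to os.path.normpath(), the path is unexpectedly truncated at the first \0 byte. In some cases, an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x. |
Important |
python2, python3, python3.11 |
No |
Fixed |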
2023-08-22 |
2026-01-09 |
| CVE-2022-48571 |
memcached 1.6.7 allows a Denial of Service via multi-packet uploads in UDP. |
Important |
memcached |
No |
Fixed |
2023-08-22 |
2025-12-30 |
| CVE-2022-48566 |
An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest. |
Important |
python2, python3, python-alembic, python |
No |
Fixed |
2023-08-22 |
2026-01-09 |
| CVE-2022-48560 |
A use-after-free exists in Python through 3.9 via heappushpop in heapq. |
Important |
python2, python3, python-alembic, python, python27:2.7 |
No |
Fixed |
2023-08-22 |
2026-01-09 |
| CVE-2022-47011 |
An issue was discovered in the function parse_stab_struct_fields in stabs.c in Binutils 2.34 through 2.38 that allows attackers to cause a denial of service due to memory leaks. |
Moderate |
binutils |
No |
Fixed |
2023-08-22 |
2025-12-11 |
| CVE-2022-47010 |
An issue was discovered in the function pr_function_type in prdbg.c in Binutils 2.34 through 2.38 that allows attackers to cause a denial of service due to memory leaks. |
Moderate |
binutils |
No |
Fixed |
2023-08-22 |
2025-12-11 |
| CVE-2022-47008 |
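An issue was discovered in the functions make_tempdir and make_tempname in bucomm.c in Binutils 2.34 through 2.38 that allows attackers to cause a denial of service due to memory leaks. |
Moderate |
binutils |
No |
Fixed |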
2023-08-22 |
2025-12-11 |
| CVE-2022-47007 |
An issue was discovered in the function Stab_demangle_v3_arg in stabs.c in Binutils 2.34 through 2.38 that allows attackers to cause a denial of service due to memory leaks. |
Moderate |
binutils |
No |
Fixed |
2023-08-22 |
2025-12-11 |
| CVE-2022-45703 |
Heap buffer overflow vulnerability in binutils readelf before 2.40 via the function display_debug_section in the file readelf.c. |
Important |
binutils |
No |
Fixed |
2023-08-22 |
2025-12-11 |
| CVE-2022-44840 |
Heap buffer overflow vulnerability in binutils readelf before 2.40 via the function find_section_in_set in the file readelf.c. |
Important |
binutils |
No |
Fixed |
2023-08-22 |
2025-12-11 |
| CVE-2022-43357 |
Stack overflow vulnerability in ast_selectors.cpp in function Sass::CompoundSelector::has_real_parent_ref in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS). Also affects the command line driver for libsass, sassc 3.6.2. |
Important |
sassc |
No |
Fixed |
2023-08-22 |
2025-12-29 |
| CVE-2022-40433 |
An issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service. |
Moderate |
java-1.8.0-openjdk |
No |
Fixed |
2023-08-22 |
2025-12-05 |
| CVE-2022-40090 |
An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file. |
Moderate |
libtiff |
No |
Fixed |
2023-08-22 |
2026-01-22 |
| CVE-2022-35206 |
Null pointer dereference vulnerability in Binutils readelf 2.38.50 via function read_and_display_attr_value in file dwarf.c. |
Moderate |
binutils |
No |
Fixed |
2023-08-22 |
2025-12-11 |
| CVE-2022-35205 |
An issue was discovered in Binutils readelf 2.38.50. A reachable assertion failure in the function display_debug_names allows attackers to cause a denial of service. |
Moderate |
binutils |
No |
Fixed |
2023-08-22 |
2025-12-11 |
| CVE-2022-29654 |
Buffer overflow vulnerability in quote_for_pmake in asm/nasm.c in nasm before 2.15.05 allows attackers to cause a denial of service via crafted file. |
Moderate |
nasm |
No |
Fixed |
2023-08-22 |
2026-01-22 |
| CVE-2022-26592 |
Stack Overflow vulnerability in libsass 3.6.5 via the CompoundSelector::has_real_parent_ref function. |
Important |
libsass |
No |
Fixed |
2023-08-22 |
2026-01-05 |
| CVE-2021-34193 |
Stack overflow vulnerability in OpenSC smart card middleware before 0.23 via crafted responses to APDUs. |
Important |
opensc |
No |
Fixed |
2023-08-22 |
2026-01-05 |
| CVE-2021-30047 |
VSFTPD 3.0.3 allows attackers to cause a denial of service due to limited number of connections allowed. |
Important |
vsftpd |
No |
Fixed |
2023-08-22 |
2025-12-29 |
| CVE-2021-29390 |
libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 bytes) in decompress_smooth_data in jdcoefct.c. |
Important |
libjpeg-turbo |
No |
Fixed |
2023-08-22 |
2026-01-06 |
| CVE-2020-35342 |
GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak. |
Important |
binutils |
No |
Fixed |
2023-08-22 |
2025-12-11 |
| CVE-2020-27418 |
A Use After Free vulnerability in Fedora Linux kernel 5.9.0-rc9 allows attackers to obtain sensitive information via vgacon_invert_region() function. |
Moderate |
kernel |
No |
Fixed |
2023-08-22 |
2026-01-07 |
| CVE-2020-23804 |
Uncontrolled Recursion in pdfinfo, and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input. |
Important |
poppler, poppler-data |
No |
Fixed |
2023-08-22 |
2026-01-04 |
| CVE-2020-23793 |
An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Redhat's VDI product. There is a security vulnerability that can restart a KVM virtual machine without any authorization. It is not yet known if there will be other effects. |
Important |
spice-vdagent, spice |
No |
Fixed |
2023-08-22 |
2026-01-04 |
| CVE-2020-22570 |
Memcached 1.6.0 before 1.6.3 allows remote attackers to cause a denial of service (daemon crash) via a crafted meta command. |
Important |
memcached |
No |
Fixed |
2023-08-22 |
2026-01-04 |
| CVE-2020-22219 |
Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder. |
Important |
flac |
No |
Fixed |
2023-08-22 |
2026-01-07 |
| CVE-2020-22217 |
Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c. |
Moderate |
c-ares |
No |
Fixed |
2023-08-22 |
2026-01-22 |
| CVE-2020-21890 |
Buffer Overflow vulnerability in clj_media_size function in devices/gdevclj.c in Artifex Ghostscript 9.50 allows remote attackers to cause a denial of service or other unspecified impact(s) via opening of crafted PDF document. |
Important |
ghostscript |
No |
Fixed |
2023-08-22 |
2026-01-06 |
| CVE-2020-21686 |
A stack-use-after-scope issue discovered in expand_mmac_params function in preproc.c in nasm before 2.15.04 allows remote attackers to cause a denial of service via crafted asm file. |
Moderate |
nasm |
No |
Fixed |
2023-08-22 |
2026-01-22 |
| CVE-2020-19726 |
An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to system memory or cause a denial of service. |
Important |
binutils |
No |
Fixed |
2023-08-22 |
2025-12-11 |
| CVE-2020-19724 |
A memory consumption issue in get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via crafted command. |
Moderate |
binutils |
No |
Fixed |
2023-08-22 |
2025-12-11 |
| CVE-2020-18831 |
Buffer Overflow vulnerability in tEXtToDataBuf function in pngimage.cpp in Exiv2 0.27.1 allows remote attackers to cause a denial of service and other unspecified impacts via use of crafted file. |
Important |
exiv2 |
No |
Fixed |
2023-08-22 |
2026-01-07 |
| CVE-2023-32002 |
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. |
Important |
noslate-anode, nodejs, nodejs:16, nodejs:18 |
No |
Fixed |
2023-08-21 |
2026-01-05 |
| CVE-2022-46751 |
Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be made more lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide". |
Important |
apache-ivy |
No |
Fixed |
2023-08-21 |
2026-01-04 |
| CVE-2023-4459 |
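A NULL pointer dereference exists in vmxnet3_rq_cleanup in the vmxnet3 module of the Linux kernel, which can lead to DoS. Affected versions: 2.6.32-rc5 <= version < 5.18. Our 5.10 has already been fixed; 4.19 has not been fixed yet. |
Moderate |
kernel:4.19, kernel:6.6, kernel, kernel:5.10 |
No |
Fixed |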
2023-08-20 |
2026-01-07 |
| CVE-2023-25775 |
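Improper access control in the Intel(R) Ethernet Controller RDMA driver for Linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access. |
Moderate |
kernel |
Yes |
Fixed |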
2023-08-20 |
2026-01-22 |
| CVE-2023-20588 |
A division-by-zero error on some AMD processors can potentially return speculative data, resulting in loss of confidentiality. |
Moderate |
kernel:4.19, kernel, kernel:5.10 |
No |
Fixed |
2023-08-19 |
2026-01-07 |
| CVE-2023-4433 |
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
Important |
cockpit |
No |
Fixed |
2023-08-18 |
2026-01-08 |
| CVE-2023-4432 |
Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
Important |
cockpit |
No |
Fixed |
2023-08-18 |
2026-01-08 |
| CVE-2023-38497 |
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`. |
Moderate |
rust, rust-toolset:an8 |
No |
Fixed |
2023-08-18 |
2025-12-16 |
| CVE-2023-4394 |
A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. This flaw allows a local attacker with special privileges to cause a system crash or leak internal kernel information |
Moderate |
kernel |
No |
Fixed |
2023-08-17 |
2026-01-07 |
| CVE-2023-4395 |
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
Important |
cockpit |
No |
Fixed |
2023-08-16 |
2026-01-08 |
| CVE-2023-4389 |
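A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux kernel due to a double decrement of the reference count. This issue may allow a local attacker with user privilege to crash the system or may lead to leaked internal kernel information. |
Moderate |
kernel |
No |
Fixed |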
2023-08-16 |
2026-01-07 |
| CVE-2023-4387 |
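A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in the VMware vmxnet3 ethernet NIC driver in the Linux kernel. This issue could allow a local attacker to crash the system due to a double free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem. |
Moderate |
kernel |
No |
Fixed |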
2023-08-16 |
2026-01-07 |
| CVE-2023-4385 |
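A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux kernel. This issue may allow a local attacker to crash the system due to a missing sanity check. |
Moderate |
kernel |
No |
Fixed |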
2023-08-16 |
2026-01-07 |
| CVE-2023-40340 |
Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. |
Important |
nodejs |
No |
Fixed |
2023-08-16 |
2026-01-04 |
| CVE-2023-38180 |
.NET and Visual Studio Denial of Service Vulnerability |
Important |
dotnet6.0 |
No |
Fixed |
2023-08-16 |
2025-12-05 |
| CVE-2023-35390 |
.NET and Visual Studio Remote Code Execution Vulnerability |
Important |
dotnet6.0 |
No |
Fixed |
2023-08-16 |
2025-12-05 |
| CVE-2023-39975 |
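kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another. |
Moderate |
krb5 |
No |
Fixed |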
2023-08-15 |
2026-01-22 |
| CVE-2023-32006 |
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. |
Important |
noslate-anode, nodejs, nodejs:16, nodejs:18 |
No |
Fixed |
2023-08-15 |
2026-01-05 |
| CVE-2023-32004 |
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. |
Important |
nodejs |
No |
Fixed |
2023-08-15 |
2026-01-06 |
| CVE-2023-32003 |
`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. |
Moderate |
nodejs-packaging |
No |
Fixed |
2023-08-15 |
2026-01-22 |
| CVE-2023-4321 |
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3. |
Important |
cockpit |
No |
Fixed |
2023-08-14 |
2026-01-08 |
| CVE-2023-4134 |
From the upstream fix below: The watchdog_timer can schedule tx_timeout_task and watchdog_work can also arm watchdog_timer [..] Although del_timer_sync() and cancel_work_sync() are called in cyttsp4_remove(), the timer and workqueue could still be rearmed. As a result, the possible use after free bugs could happen. Upstream commit: https://github.com/torvalds/linux/commit/dbe836576f12743a7d2d170ad4ad4fd324c4d47a |
Moderate |
kernel |
No |
Fixed |
2023-08-14 |
2026-01-07 |
| CVE-2023-4133 |
A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition. |
Moderate |
kernel:4.19, kernel:6.6, kernel, kernel:5.10 |
No |
Fixed |
2023-08-14 |
2026-01-07 |
| CVE-2023-40360 |
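QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled. |
Moderate |
qemu |
No |
Fixed |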
2023-08-14 |
2025-12-18 |
| CVE-2023-40359 |
xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue. This can only occur for xterm installations that are configured at compile time to use a certain experimental feature. |
Low |
xterm |
No |
Fixed |
2023-08-14 |
2026-01-22 |
| CVE-2023-28198 |
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 16.4 and iPadOS 16.4, macOS Ventura 13.3. Processing web content may lead to arbitrary code execution. |
Important |
webkitgtk, webkit2gtk3 |
No |
Fixed |
2023-08-14 |
2026-01-04 |
| CVE-2023-21264 |
In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. |
Moderate |
kernel |
No |
Fixed |
2023-08-14 |
2026-01-07 |
| CVE-2023-40283 |
An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled. |
Moderate |
kernel |
No |
Fixed |
2023-08-13 |
2026-01-07 |
| CVE-2023-39417 |
IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser. |
Important |
postgresql:12, libpq, postgresql:13, ghostscript, postgresql, postgresql:15 |
No |
Fixed |
2023-08-11 |
2026-01-04 |
| CVE-2023-30589 |
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20 |
Important |
noslate-anode, nodejs:16, nodejs:18, nodejs:20, nodejs |
No |
Fixed |
2023-08-11 |
2026-01-05 |
| CVE-2023-30581 |
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js |
Important |
nodejs:18, nodejs, nodejs:16 |
No |
Fixed |
2023-08-11 |
2026-01-05 |
| CVE-2023-40225 |
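HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request. |
Important |
haproxy |
No |
Fixed |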
2023-08-10 |
2026-01-05 |
| CVE-2023-38712 |
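An issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the pluto daemon to crash and restart. |
Important |
libreswan |
No |
Fixed |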
2023-08-10 |
2026-01-05 |
| CVE-2023-38711 |
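An issue was discovered in Libreswan before 4.12. When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a NULL pointer dereference causes the pluto daemon to crash and restart. NOTE: the earliest affected version is 4.6. |
Important |
libreswan |
No |
Fixed |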
2023-08-10 |
2026-01-05 |
| CVE-2023-38710 |
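An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH (3), and causes the pluto daemon to crash and restart. NOTE: the earliest affected version is 3.20. |
Important |
libreswan |
No |
Fixed |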
2023-08-10 |
2026-01-05 |
| CVE-2023-3823 |
In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. |
Important |
php, php:8.0, php:7.4 |
No |
Fixed |
2023-08-10 |
2026-01-04 |
| CVE-2023-20569 |
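A side channel vulnerability on some AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure. |
Moderate |
kernel, linux-firmware |
No |
Fixed |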
2023-08-10 |
2026-01-07 |
| CVE-2022-46329 |
Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. |
Important |
linux-firmware |
No |
Fixed |
2023-08-10 |
2026-01-05 |
| CVE-2022-40982 |
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. |
Moderate |
microcode_ctl, kernel |
No |
Fixed |
2023-08-10 |
2026-01-07 |
| CVE-2022-40964 |
Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. |
Important |
linux-firmware |
No |
Fixed |
2023-08-10 |
2026-01-05 |
| CVE-2022-27635 |
Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. |
Important |
linux-firmware |
No |
Fixed |
2023-08-10 |
2026-01-05 |
| CVE-2023-4273 |
A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack. |
Moderate |
kernel |
No |
Fixed |
2023-08-09 |
2026-01-07 |
| CVE-2022-48586 |
A SQL injection vulnerability exists in the “json walker” feature of the ScienceLogic SL1 that takes unsanitized user-controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database. |
Important |
lua-json |
No |
Fixed |
2023-08-09 |
2026-01-04 |
| CVE-2023-20562 |
Insufficient validation in the IOCTL (Input Output Control) input buffer in AMD uProf may allow an authenticated user to load an unsigned driver potentially leading to arbitrary kernel execution. |
Moderate |
kernel |
No |
Fixed |
2023-08-08 |
2026-01-07 |
| CVE-2023-4155 |
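A stack overflow exists in the kernel's AMD Secure Encrypted Virtualization (SEV) module, which can lead to DoS. Affected versions: 5.11-rc1 < version. The fix has not yet been merged into the main branch. It affects our 5.10 version; the impact is minor. |
Moderate |
kernel |
Yes |
Fixed |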
2023-08-07 |
2026-01-27 |
| CVE-2023-39976 |
log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered. |
Moderate |
libqb |
No |
Fixed |
2023-08-07 |
2026-01-22 |
| CVE-2023-3896 |
Divide by zero in vim/vim from 9.0.1367-1 to 9.0.1367-3. |
Important |
vim |
No |
Fixed |
2023-08-07 |
2026-01-05 |
| CVE-2023-36054 |
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count. |
Moderate |
krb5 |
No |
Fixed |
2023-08-07 |
2026-01-22 |
| CVE-2023-4196 |
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. |
Important |
cockpit |
No |
Fixed |
2023-08-06 |
2026-01-08 |
| CVE-2023-4195 |
PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. |
Critical |
cockpit |
No |
Fixed |
2023-08-06 |
2026-01-10 |