Fedora Project Fedora


By the Year

In 2023 there have been 119 vulnerabilities in Fedora Project Fedora with an average score of 6.8 out of ten. Last year Fedora had 971 security vulnerabilities published. Right now, Fedora is on track to have fewer security vulnerabilities in 2023 than it did last year. Last year, the average CVE base score was greater by 0.38.

Year Vulnerabilities Average Score
2023 119 6.75
2022 971 7.13
2021 1147 7.11
2020 841 6.83
2019 624 7.09
2018 70 7.22

It may take a day or so for new Fedora vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Fedora Project Fedora Security Vulnerabilities

A vulnerability was found in the avahi library

CVE-2023-1981 5.5 - Medium - May 26, 2023

A vulnerability was found in the avahi library. This flaw allows an unprivileged user to make a dbus call, causing the avahi daemon to crash.

Resource Exhaustion

Requests is an HTTP library

CVE-2023-32681 6.1 - Medium - May 26, 2023

Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Bottles before 51.0 mishandles YAML load, which

CVE-2023-22970 7.8 - High - May 26, 2023

Bottles before 51.0 mishandles YAML load, which allows remote code execution via a crafted file.

c-ares is an asynchronous resolver library

CVE-2023-32067 7.5 - High - May 25, 2023

c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns it to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.

Resource Exhaustion

c-ares is an asynchronous resolver library

CVE-2023-31130 6.4 - Medium - May 25, 2023

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.

c-ares is an asynchronous resolver library

CVE-2023-31147 6.5 - Medium - May 25, 2023

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand(), so it will generate predictable output. Input from the random number generator is fed into a non-compliant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random(), which is widely available. This issue has been fixed in version 1.19.1.

Use of Insufficiently Random Values

c-ares is an asynchronous resolver library

CVE-2023-31124 6.5 - Medium - May 25, 2023

c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross-compiling aarch64 Android. This will downgrade to using rand() as a fallback, which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.

Use of Insufficiently Random Values

A NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file

CVE-2023-2731 5.5 - Medium - May 17, 2023

A NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file. This flaw allows a local attacker to craft specific input data that can cause the program to dereference a NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial of service.

NULL Pointer Dereference

cups-filters contains backends

CVE-2023-24805 8.8 - High - May 17, 2023

cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macOS. If you use the Backend Error Handler (beh) to create an accessible network printer, this security vulnerability can cause remote code execution. `beh.c` contains the line `retval = system(cmdline) >> 8;` which calls the `system` command with the operand `cmdline`. `cmdline` contains multiple user-controlled, unsanitized values. As a result, an attacker with network access to the hosted print server can exploit this vulnerability to inject system commands which are executed in the context of the running server. This issue has been addressed in commit `8f2740357` and is expected to be bundled in the next release. Users are advised to upgrade when possible and to restrict access to network printers in the meantime.

Shell injection

Inappropriate implementation in WebApp Installs in Google Chrome prior to 113.0.5672.126

CVE-2023-2726 8.8 - High - May 16, 2023

Inappropriate implementation in WebApp Installs in Google Chrome prior to 113.0.5672.126 allowed an attacker who convinced a user to install a malicious web app to bypass install dialog via a crafted HTML page. (Chromium security severity: Medium)

Use after free in Guest View in Google Chrome prior to 113.0.5672.126

CVE-2023-2725 8.8 - High - May 16, 2023

Use after free in Guest View in Google Chrome prior to 113.0.5672.126 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Type confusion in V8 in Google Chrome prior to 113.0.5672.126

CVE-2023-2724 8.8 - High - May 16, 2023

Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Use after free in DevTools in Google Chrome prior to 113.0.5672.126

CVE-2023-2723 8.8 - High - May 16, 2023

Use after free in DevTools in Google Chrome prior to 113.0.5672.126 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Use after free in Navigation in Google Chrome prior to 113.0.5672.126

CVE-2023-2721 8.8 - High - May 16, 2023

Use after free in Navigation in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Dangling pointer

Use after free in Autofill UI in Google Chrome on Android prior to 113.0.5672.126

CVE-2023-2722 8.8 - High - May 16, 2023

Use after free in Autofill UI in Google Chrome on Android prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

A flaw was found in LibRaw

CVE-2023-1729 6.5 - Medium - May 15, 2023

A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex() caused by a maliciously crafted file may lead to an application crash.

Memory Corruption

A vulnerability was found in libvirt

CVE-2023-2700 5.5 - Medium - May 15, 2023

A vulnerability was found in libvirt. This security flaw occurs due to repeatedly querying an SR-IOV PCI device's capabilities, which exposes a memory leak caused by a failure to free the virPCIVirtualFunction array within the parent struct's g_autoptr cleanup.

Memory Leak

A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol

CVE-2023-2156 7.5 - High - May 09, 2023

A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system.

assertion failure

In Django 3.2 before 3.2.19

CVE-2023-31047 9.8 - Critical - May 07, 2023

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

Improper Input Validation

A Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images

CVE-2023-29659 6.5 - Medium - May 05, 2023

A Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service.

Divide By Zero

Inappropriate implementation in PictureInPicture in Google Chrome prior to 113.0.5672.63

CVE-2023-2468 4.3 - Medium - May 03, 2023

Inappropriate implementation in PictureInPicture in Google Chrome prior to 113.0.5672.63 allowed a remote attacker who had compromised the renderer process to obfuscate the security UI via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in Prompts in Google Chrome on Android prior to 113.0.5672.63

CVE-2023-2467 4.3 - Medium - May 03, 2023

Inappropriate implementation in Prompts in Google Chrome on Android prior to 113.0.5672.63 allowed a remote attacker to bypass permissions restrictions via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63

CVE-2023-2466 4.3 - Medium - May 03, 2023

Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to spoof the contents of the security UI via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in CORS in Google Chrome prior to 113.0.5672.63

CVE-2023-2465 4.3 - Medium - May 03, 2023

Inappropriate implementation in CORS in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in PictureInPicture in Google Chrome prior to 113.0.5672.63

CVE-2023-2464 4.3 - Medium - May 03, 2023

Inappropriate implementation in PictureInPicture in Google Chrome prior to 113.0.5672.63 allowed an attacker who convinced a user to install a malicious extension to perform an origin spoof in the security UI via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Full Screen Mode in Google Chrome on Android prior to 113.0.5672.63

CVE-2023-2463 4.3 - Medium - May 03, 2023

Inappropriate implementation in Full Screen Mode in Google Chrome on Android prior to 113.0.5672.63 allowed a remote attacker to hide the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63

CVE-2023-2462 4.3 - Medium - May 03, 2023

Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to obfuscate main origin data via a crafted HTML page. (Chromium security severity: Medium)

Use after free in OS Inputs in Google Chrome on ChromeOS prior to 113.0.5672.63

CVE-2023-2461 8.8 - High - May 03, 2023

Use after free in OS Inputs in Google Chrome on ChromeOS prior to 113.0.5672.63 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via crafted UI interaction. (Chromium security severity: Medium)

Dangling pointer

Insufficient validation of untrusted input in Extensions in Google Chrome prior to 113.0.5672.63

CVE-2023-2460 7.1 - High - May 03, 2023

Insufficient validation of untrusted input in Extensions in Google Chrome prior to 113.0.5672.63 allowed an attacker who convinced a user to install a malicious extension to bypass file access checks via a crafted HTML page. (Chromium security severity: Medium)

Improper Input Validation

Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63

CVE-2023-2459 6.5 - Medium - May 03, 2023

Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to bypass permission restrictions via a crafted HTML page. (Chromium security severity: Medium)

The vulnerability was found in Moodle

CVE-2023-30944 7.3 - High - May 02, 2023

The vulnerability was found in Moodle, which exists due to insufficient sanitization of user-supplied data in the external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database.

SQL Injection

The vulnerability was found in Moodle, which exists because the application

CVE-2023-30943 5.3 - Medium - May 02, 2023

The vulnerability was found in Moodle, which exists because the application allows a user to control the path of the folder to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.

Externally Controlled Reference to a Resource in Another Sphere

Sensitive data could be exposed in logs of cloud-init before version 23.1.2

CVE-2023-1786 5.5 - Medium - April 26, 2023

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.

Insertion of Sensitive Information into Log File

Git is a revision control system

CVE-2023-29007 7.8 - High - April 25, 2023

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.), this can lead to remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.

Injection

A denial of service problem was found

CVE-2023-2269 4.4 - Medium - April 25, 2023

A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.

Improper Locking

In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer

CVE-2023-25815 2.2 - Low - April 25, 2023

In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\`.

Directory traversal

Git is a revision control system

CVE-2023-25652 7.5 - High - April 25, 2023

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists.

Directory traversal

x86 shadow paging arbitrary pointer dereference. In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable

CVE-2022-42335 7.8 - High - April 25, 2023

x86 shadow paging arbitrary pointer dereference. In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so-called shadow mode. Due to too lax a check in one of the hypervisor routines used for shadow page handling, it is possible for a guest with a PCI device passed through to cause the hypervisor to access an arbitrary pointer partially under guest control.

NULL Pointer Dereference

Laminas Diactoros provides PSR HTTP Message implementations

CVE-2023-29530 6.5 - Medium - April 24, 2023

Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in the following versions: 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.

Improper Input Validation

An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver

CVE-2023-2194 6.7 - Medium - April 20, 2023

An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace "data->block[0]" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.

Memory Corruption

Out of bounds memory access in Service Worker API in Google Chrome prior to 112.0.5615.137

CVE-2023-2133 8.8 - High - April 19, 2023

Out of bounds memory access in Service Worker API in Google Chrome prior to 112.0.5615.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Out of bounds memory access in Service Worker API in Google Chrome prior to 112.0.5615.137

CVE-2023-2134 8.8 - High - April 19, 2023

Out of bounds memory access in Service Worker API in Google Chrome prior to 112.0.5615.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Use after free in DevTools in Google Chrome prior to 112.0.5615.137

CVE-2023-2135 7.5 - High - April 19, 2023

Use after free in DevTools in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who convinced a user to enable specific preconditions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Integer overflow in Skia in Google Chrome prior to 112.0.5615.137

CVE-2023-2136 9.6 - Critical - April 19, 2023

Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Integer Overflow or Wraparound

Heap buffer overflow in sqlite in Google Chrome prior to 112.0.5615.137

CVE-2023-2137 8.8 - High - April 19, 2023

Heap buffer overflow in sqlite in Google Chrome prior to 112.0.5615.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption

Redis is an open source, in-memory database that persists on disk

CVE-2023-28856 6.5 - Medium - April 18, 2023

Redis is an open source, in-memory database that persists on disk. Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue.

assertion failure

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP

CVE-2023-29197 7.5 - High - April 17, 2023

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.

Interpretation Conflict

In lldpd before 1.0.13, when decoding SONMP packets in the sonmp_decode function, it's possible to trigger an out-of-bounds heap read

CVE-2021-43612 7.5 - High - April 15, 2023

In lldpd before 1.0.13, when decoding SONMP packets in the sonmp_decode function, it's possible to trigger an out-of-bounds heap read via short SONMP packets.

Memory Corruption

A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c

CVE-2023-1906 5.5 - Medium - April 12, 2023

A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass a specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.

Memory Corruption

Use after free in Vulkan in Google Chrome prior to 112.0.5615.49

CVE-2023-1818 8.8 - High - April 04, 2023

Use after free in Vulkan in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Heap buffer overflow in Visuals in Google Chrome prior to 112.0.5615.49

CVE-2023-1810 8.8 - High - April 04, 2023

Heap buffer overflow in Visuals in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Use after free in Frames in Google Chrome prior to 112.0.5615.49

CVE-2023-1811 8.8 - High - April 04, 2023

Use after free in Frames in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Out of bounds memory access in DOM Bindings in Google Chrome prior to 112.0.5615.49

CVE-2023-1812 8.8 - High - April 04, 2023

Out of bounds memory access in DOM Bindings in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

Buffer Overflow

Inappropriate implementation in Extensions in Google Chrome prior to 112.0.5615.49

CVE-2023-1813 6.5 - Medium - April 04, 2023

Inappropriate implementation in Extensions in Google Chrome prior to 112.0.5615.49 allowed an attacker who convinced a user to install a malicious extension to bypass file access restrictions via a crafted HTML page. (Chromium security severity: Medium)

Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 112.0.5615.49

CVE-2023-1814 6.5 - Medium - April 04, 2023

Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to bypass download checking via a crafted HTML page. (Chromium security severity: Medium)

Improper Input Validation

Use after free in Networking APIs in Google Chrome prior to 112.0.5615.49

CVE-2023-1815 8.8 - High - April 04, 2023

Use after free in Networking APIs in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Incorrect security UI in Picture In Picture in Google Chrome prior to 112.0.5615.49

CVE-2023-1816 6.5 - Medium - April 04, 2023

Incorrect security UI in Picture In Picture in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to potentially perform navigation spoofing via a crafted HTML page. (Chromium security severity: Medium)

Insufficient policy enforcement in Intents in Google Chrome on Android prior to 112.0.5615.49

CVE-2023-1817 6.5 - Medium - April 04, 2023

Insufficient policy enforcement in Intents in Google Chrome on Android prior to 112.0.5615.49 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Out of bounds read in Accessibility in Google Chrome prior to 112.0.5615.49

CVE-2023-1819 6.5 - Medium - April 04, 2023

Out of bounds read in Accessibility in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

Out-of-bounds Read

Heap buffer overflow in Browser History in Google Chrome prior to 112.0.5615.49

CVE-2023-1820 8.8 - High - April 04, 2023

Heap buffer overflow in Browser History in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption

Inappropriate implementation in WebShare in Google Chrome prior to 112.0.5615.49

CVE-2023-1821 6.5 - Medium - April 04, 2023

Inappropriate implementation in WebShare in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to potentially hide the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)

Incorrect security UI in Navigation in Google Chrome prior to 112.0.5615.49

CVE-2023-1822 6.5 - Medium - April 04, 2023

Incorrect security UI in Navigation in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)

Inappropriate implementation in FedCM in Google Chrome prior to 112.0.5615.49

CVE-2023-1823 6.5 - Medium - April 04, 2023

Inappropriate implementation in FedCM in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)

A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel. This flaw

CVE-2023-1611 6.3 - Medium - April 03, 2023

A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel. This flaw allows an attacker to crash the system and possibly cause a kernel information lea

Dangling pointer

An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3

CVE-2023-29141 9.8 - Critical - March 31, 2023

An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header.

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1

CVE-2023-28756 5.3 - Medium - March 31, 2023

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

ReDoS

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1

CVE-2023-28755 5.3 - Medium - March 31, 2023

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

ReDoS

A flaw was found in X.Org Server Overlay Window

CVE-2023-1393 7.8 - High - March 30, 2023

A flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later.

Dangling pointer

An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact

CVE-2023-27538 5.5 - Medium - March 30, 2023

An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.

Authentication Bypass

An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature

CVE-2023-27536 7.5 - High - March 30, 2023

An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature, which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/Kerberos/Negotiate/GSSAPI transfers and could result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.

Authentication Bypass

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature

CVE-2023-27535 7.5 - High - March 30, 2023

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

Authentication Bypass
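The three libcurl advisories above share one root cause: a cached connection is matched on too few of the options that determined its authentication state, so a later transfer with different credentials or delegation settings silently rides on it. The following Python models that matching logic as an added example; it is not libcurl code. The TransferOptions fields are named after the libcurl options quoted in the advisories, and the sample transfers are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TransferOptions:
    """Per-transfer settings. Field names follow the libcurl options named in
    the advisories above; the class itself is constructed for this example."""
    scheme: str
    host: str
    port: int
    user: str
    gssapi_delegation: str = "none"    # CURLOPT_GSSAPI_DELEGATION
    ftp_account: str = ""              # CURLOPT_FTP_ACCOUNT
    ftp_alternative_to_user: str = ""  # CURLOPT_FTP_ALTERNATIVE_TO_USER
    ftp_ssl_ccc: bool = False          # CURLOPT_FTP_SSL_CCC
    use_ssl: str = "none"              # CURLOPT_USE_SSL


@dataclass
class Connection:
    opts: TransferOptions  # what this connection was actually set up with
    ident: int


class ConnectionPool:
    """Toy model of libcurl's connection cache: a new transfer reuses an
    existing connection when the fields in `match_fields` are equal. The bug
    in the three advisories is entirely about which fields are on that list."""

    def __init__(self, match_fields):
        self.match_fields = match_fields
        self._conns = []

    def _key(self, opts):
        return tuple(getattr(opts, f) for f in self.match_fields)

    def acquire(self, opts):
        for conn in self._conns:
            if self._key(conn.opts) == self._key(opts):
                return conn  # reused: carries the OLD authentication state
        conn = Connection(opts, len(self._conns))
        self._conns.append(conn)
        return conn


# Pre-8.0.0 behaviour as the advisories describe it: the auth-affecting
# options are not compared, so connections "match too easily".
VULNERABLE_FIELDS = ("scheme", "host", "port", "user")
# Hardened: every option that changes whom the connection authenticated as,
# or how it is protected, takes part in the match.
HARDENED_FIELDS = VULNERABLE_FIELDS + (
    "gssapi_delegation", "ftp_account", "ftp_alternative_to_user",
    "ftp_ssl_ccc", "use_ssl",
)


def reuses_mismatched_connection(match_fields, first, second):
    """True if `second` is served over the connection established for `first`."""
    pool = ConnectionPool(match_fields)
    return pool.acquire(first).ident == pool.acquire(second).ident


# Constructed transfers: same host and user, different credential material.
FTP_A = TransferOptions("ftp", "ftp.example.test", 21, "alice",
                        ftp_account="acct-A", use_ssl="all")
FTP_B = TransferOptions("ftp", "ftp.example.test", 21, "alice",
                        ftp_account="acct-B", use_ssl="none")
KRB_NONE = TransferOptions("https", "api.example.test", 443, "alice",
                           gssapi_delegation="none")
KRB_FLAG = TransferOptions("https", "api.example.test", 443, "alice",
                           gssapi_delegation="policy_flag")

if __name__ == "__main__":
    for name, fields in (("vulnerable", VULNERABLE_FIELDS), ("hardened", HARDENED_FIELDS)):
        print(name, "ftp reuse:", reuses_mismatched_connection(fields, FTP_A, FTP_B),
              "| gssapi reuse:", reuses_mismatched_connection(fields, KRB_NONE, KRB_FLAG))
```

Running the same pair against both field lists shows the vulnerable pool handing the acct-B transfer the connection that authenticated as acct-A, while the hardened pool opens a fresh one. Until libcurl is at 8.0.0 or later, the application-side equivalent is to set CURLOPT_FRESH_CONNECT (and CURLOPT_FORBID_REUSE) on any transfer whose GSSAPI delegation or FTP options differ from the previous one, which is what the advisory's "do not reuse connections" advice amounts to.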

A flaw was found in the QEMU Guest Agent service for Windows

CVE-2023-0664 7.8 - High - March 29, 2023

A flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system.

Improper Privilege Management

A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel

CVE-2023-0179 7.8 - High - March 27, 2023

A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.

Integer Overflow or Wraparound

A vulnerability was found in X.Org

CVE-2023-0494 7.8 - High - March 27, 2023

A vulnerability was found in X.Org. This issue occurs due to a dangling pointer in DeepCopyPointerClasses that can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read and write into freed memory. This can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding sessions.

Dangling pointer

A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem, reachable when a user inserts a malicious USB device

CVE-2023-1073 6.6 - Medium - March 27, 2023

A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem, reachable when a user inserts a malicious USB device. This flaw allows a local user to crash the system or potentially escalate their privileges.

Memory Corruption

A flaw was found in the Linux kernel's implementation of RDMA over InfiniBand

CVE-2021-3923 2.3 - Low - March 27, 2023

A flaw was found in the Linux kernel's implementation of RDMA over InfiniBand. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.

Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message

CVE-2023-28686 7.1 - High - March 24, 2023

Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information.

Insecure Direct Object Reference / IDOR

The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS).

CVE-2023-28333 9.8 - Critical - March 23, 2023

The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS).

Code Injection

A flaw was found in KVM

CVE-2023-1513 3.3 - Low - March 23, 2023

A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.

Improper Initialization

An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service

CVE-2023-0056 6.5 - Medium - March 23, 2023

An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.

Resource Exhaustion

Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.

CVE-2023-28336 4.3 - Medium - March 23, 2023

Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.

Exposure of Resource to Wrong Sphere

A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault

CVE-2023-1289 5.5 - Medium - March 23, 2023

A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.

Improper Input Validation

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device

CVE-2023-1544 6.3 - Medium - March 23, 2023

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.

Allocation of Resources Without Limits or Throttling

x86 shadow plus log-dirty mode use-after-free: in environments where host-assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable

CVE-2022-42332 7.8 - High - March 21, 2023

x86 shadow plus log-dirty mode use-after-free: in environments where host-assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so-called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tables and auxiliary data structures. To migrate or snapshot guests, Xen additionally runs them in so-called log-dirty mode. The data structures needed by the log-dirty tracking are part of the aforementioned auxiliary data. In order to keep error handling efforts within reasonable bounds, for operations which may require memory allocations the shadow mode logic ensures up front that enough memory is available for the worst-case requirements. Unfortunately, while page table memory is properly accounted for on the code path requiring the potential establishing of new shadows, demands by the log-dirty infrastructure were not taken into consideration. As a result, just-established shadow page tables could be freed again immediately, while other code is still accessing them on the assumption that they would remain allocated.

Dangling pointer

x86: speculative vulnerability in 32bit SYSCALL path. Due to an oversight in the very original Spectre/Meltdown security work (XSA-254)

CVE-2022-42331 5.5 - Medium - March 21, 2023

x86: speculative vulnerability in 32bit SYSCALL path. Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entry path performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks.

x86/HVM pinned cache attributes mis-handling [This CNA information record relates to multiple CVEs; the text explains

CVE-2022-42334 6.5 - Medium - March 21, 2023

x86/HVM pinned cache attributes mis-handling [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed-through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so-called stub domain. With this exposure it is an issue that the number of such controlled regions was unbounded (CVE-2022-42333), and that installation and removal of such regions was not properly serialized (CVE-2022-42334).

Allocation of Resources Without Limits or Throttling

x86/HVM pinned cache attributes mis-handling [This CNA information record relates to multiple CVEs; the text explains

CVE-2022-42333 8.6 - High - March 21, 2023

x86/HVM pinned cache attributes mis-handling [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed-through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so-called stub domain. With this exposure it is an issue that the number of such controlled regions was unbounded (CVE-2022-42333), and that installation and removal of such regions was not properly serialized (CVE-2022-42334).

Allocation of Resources Without Limits or Throttling

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.

CVE-2023-1264 5.5 - Medium - March 07, 2023

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.

NULL Pointer Dereference

A flaw was found in the c-ares package

CVE-2022-4904 8.6 - High - March 06, 2023

A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

Improper Input Validation

A flaw was found in samba

CVE-2021-20251 5.9 - Medium - March 06, 2023

A flaw was found in samba. A race condition in the password lockout code may lead to the risk of brute force attacks being successful if special conditions are met.

Race Condition

In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption

CVE-2022-41862 3.7 - Low - March 03, 2023

In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.

A use-after-free vulnerability in WebCore::RenderLayer::addChild in WebKitGTK before 2.36.8

CVE-2023-25358 8.8 - High - March 02, 2023

A use-after-free vulnerability in WebCore::RenderLayer::addChild in WebKitGTK before 2.36.8 allows attackers to execute code remotely.

Dangling pointer

Divide By Zero in GitHub repository vim/vim prior to 9.0.1367.

CVE-2023-1127 7.8 - High - March 01, 2023

Divide By Zero in GitHub repository vim/vim prior to 9.0.1367.

Divide By Zero

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

CVE-2023-27320 7.2 - High - February 28, 2023

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

Double-free

A flaw was found in RHDS 11 and RHDS 12

CVE-2023-1055 5.5 - Medium - February 27, 2023

A flaw was found in RHDS 11 and RHDS 12. While browsing entries LDAP tries to decode the userPassword attribute instead of the userCertificate attribute which could lead into sensitive information leaked. An attacker with a local account where the cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality.

Improper Certificate Validation

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms

CVE-2023-23916 6.5 - Medium - February 23, 2023

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis, allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl spend enormous amounts of allocated heap memory, or try to and return out-of-memory errors.

Allocation of Resources Without Limits or Throttling

In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords

CVE-2023-26081 7.5 - High - February 20, 2023

In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts.

Exposure of Resource to Wrong Sphere

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS

CVE-2023-0361 7.4 - High - February 15, 2023

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Side Channel Attack

hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0

CVE-2023-25193 7.5 - High - February 04, 2023

hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

Allocation of Resources Without Limits or Throttling

A flaw was found in pesign

CVE-2022-3560 5.5 - Medium - February 02, 2023

A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.

Directory traversal
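The pesign issue is a symlink race at privileged setup time: a script resolves a path and applies permissions to whatever it points at, so a user who can plant a symlink at that path gets the ACL applied to a file of their choosing. The following Python is an added example, not the pesign unit's script, of applying ownership and mode through a descriptor opened with O_NOFOLLOW, so a symlink at the path is refused rather than followed. It assumes Linux, uses chown/chmod in place of setfacl because the standard library has no ACL call, and builds its sample directory and symlink under a temporary directory.

```python
import os
import stat


def open_dir_nofollow(path):
    """Open `path` as a directory, refusing to follow a symlink in its final
    component, and return the descriptor. With O_NOFOLLOW the kernel itself
    rejects a symlink (ELOOP), so there is no check-then-use window; the
    fstat afterwards is on the object we actually opened."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    if not stat.S_ISDIR(os.fstat(fd).st_mode):
        os.close(fd)
        raise NotADirectoryError(path)
    return fd


def is_safe_dir(path):
    """True only when `path` is a real directory, not a symlink to one."""
    try:
        fd = open_dir_nofollow(path)
    except OSError:
        return False
    os.close(fd)
    return True


def grant_group_access(path, gid, mode=0o770):
    """Give group `gid` access to `path`, operating on the descriptor rather
    than the path so the target cannot be swapped for a symlink between the
    open and the chown/chmod. Returns the resulting permission bits.
    (Group ownership plus mode stands in for the ACL the pesign unit sets.)"""
    fd = open_dir_nofollow(path)
    try:
        os.fchown(fd, -1, gid)  # -1 leaves the owner unchanged
        os.fchmod(fd, mode)
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


if __name__ == "__main__":
    import tempfile
    # Constructed layout: a real directory and a symlink pointing at it.
    base = tempfile.mkdtemp()
    real = os.path.join(base, "pesign")
    link = os.path.join(base, "pesign-link")
    os.mkdir(real)
    os.symlink(real, link)
    print("real dir safe:", is_safe_dir(real), "| symlink safe:", is_safe_dir(link))
    print("mode now: %o" % grant_group_access(real, os.getgid(), 0o750))
```

The same descriptor-based pattern applies to the shell version of such a script: open the directory first, then operate on /proc/self/fd/N or use tools that accept a descriptor, rather than re-resolving the path for each command.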
