Fedora Fedora Project Fedora

Do you want an email whenever new security vulnerabilities are reported in Fedora Project Fedora?

By the Year

In 2023 there have been 469 vulnerabilities in Fedora Project Fedora with an average score of 6.7 out of ten. Last year Fedora had 973 security vulnerabilities published. Right now, Fedora is on track to have less security vulnerabilities in 2023 than it did last year. Last year, the average CVE base score was greater by 0.38

Year Vulnerabilities Average Score
2023 469 6.74
2022 973 7.13
2021 1147 7.11
2020 841 6.83
2019 625 7.10
2018 70 7.22

It may take a day or so for new Fedora vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Fedora Project Fedora Security Vulnerabilities

Type Confusion in Spellcheck in Google Chrome prior to 119.0.6045.199

CVE-2023-6348 8.8 - High - November 29, 2023

Type Confusion in Spellcheck in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Use after free in libavif in Google Chrome prior to 119.0.6045.199

CVE-2023-6351 8.8 - High - November 29, 2023

Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file. (Chromium security severity: High)

Dangling pointer

Integer overflow in Skia in Google Chrome prior to 119.0.6045.199

CVE-2023-6345 9.6 - Critical - November 29, 2023

Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Integer Overflow or Wraparound

Use after free in WebAudio in Google Chrome prior to 119.0.6045.199

CVE-2023-6346 8.8 - High - November 29, 2023

Use after free in WebAudio in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Use after free in Mojo in Google Chrome prior to 119.0.6045.199

CVE-2023-6347 8.8 - High - November 29, 2023

Use after free in Mojo in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Use after free in libavif in Google Chrome prior to 119.0.6045.199

CVE-2023-6350 8.8 - High - November 29, 2023

Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file. (Chromium security severity: High)

Dangling pointer

A vulnerability was found

CVE-2023-5981 5.9 - Medium - November 28, 2023

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

Side Channel Attack

An out-of-memory flaw was found in libtiff

CVE-2023-6277 6.5 - Medium - November 24, 2023

An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.

Resource Exhaustion

A null pointer dereference flaw was found in the nft_inner.c functionality of netfilter in the Linux kernel

CVE-2023-5972 7.8 - High - November 23, 2023

A null pointer dereference flaw was found in the nft_inner.c functionality of netfilter in the Linux kernel. This issue could allow a local user to crash the system or escalate their privileges on the system.

NULL Pointer Dereference

A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel

CVE-2023-6238 7.8 - High - November 21, 2023

A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel. An unprivileged user could specify a small meta buffer and let the device perform larger Direct Memory Access (DMA) into the same buffer, overwriting unrelated kernel memory, causing random kernel crashes and memory corruption.

Classic Buffer Overflow

A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.

CVE-2023-5341 5.5 - Medium - November 19, 2023

A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.

Dangling pointer

Vim is an open source command line text editor

CVE-2023-48232 4.3 - Medium - November 16, 2023

Vim is an open source command line text editor. A floating point exception may occur when calculating the line offset for overlong lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag. This may happen when a window border is present and when the wrapped line continues on the next physical line directly in the window border because the 'cpo' setting includes the 'n' flag. Only users with non-default settings are affected and the exception should only result in a crash. This issue has been addressed in commit `cb0b99f0` which has been included in release version 9.0.2107. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vim is an open source command line text editor

CVE-2023-48233 4.3 - Medium - November 16, 2023

Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vim is an open source command line text editor

CVE-2023-48234 4.3 - Medium - November 16, 2023

Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vim is an open source command line text editor

CVE-2023-48235 4.3 - Medium - November 16, 2023

Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an overflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vim is an open source command line text editor

CVE-2023-48236 4.3 - Medium - November 16, 2023

Vim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger than MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vim is an open source command line text editor

CVE-2023-48237 4.3 - Medium - November 16, 2023

Vim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.

A security issue was discovered in Kubernetes where a user

CVE-2023-5528 8.8 - High - November 14, 2023

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6

CVE-2023-46849 7.5 - High - November 11, 2023

Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.

Divide By Zero

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir

CVE-2023-46850 9.8 - Critical - November 11, 2023

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer.

Dangling pointer

When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity

CVE-2023-5543 3.3 - Low - November 09, 2023

When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting.

Separate Groups mode restrictions were not honoured in the forum summary report, which would display users

CVE-2023-5551 3.3 - Low - November 09, 2023

Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.

In a shared hosting environment

CVE-2023-5550 9.8 - Critical - November 09, 2023

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

A remote code execution risk was identified in the IMSCP activity

CVE-2023-5540 8.8 - High - November 09, 2023

A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.

Code Injection

Students in "Only see own membership" groups could see other students in the group

CVE-2023-5542 4.3 - Medium - November 09, 2023

Students in "Only see own membership" groups could see other students in the group, which should be hidden.

Exposure of Resource to Wrong Sphere

H5P metadata automatically populated the author with the user's username

CVE-2023-5545 5.3 - Medium - November 09, 2023

H5P metadata automatically populated the author with the user's username, which could be sensitive information.

Exposure of Resource to Wrong Sphere

Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.

CVE-2023-5548 5.3 - Medium - November 09, 2023

Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.

Insufficient Verification of Data Authenticity

Insufficient web service capability checks made it possible to move categories a user had permission to manage

CVE-2023-5549 5.3 - Medium - November 09, 2023

Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.

Improper Privilege Management

A race condition was found in the QXL driver in the Linux kernel

CVE-2023-39198 6.4 - Medium - November 09, 2023

A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.

Dangling pointer

A remote code execution risk was identified in the Lesson activity

CVE-2023-5539 8.8 - High - November 09, 2023

A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.

Code Injection

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

CVE-2023-5544 5.4 - Medium - November 09, 2023

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

XSS

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

CVE-2023-5546 5.4 - Medium - November 09, 2023

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

XSS

The course upload preview contained an XSS risk for users uploading unsafe data.

CVE-2023-5547 6.1 - Medium - November 09, 2023

The course upload preview contained an XSS risk for users uploading unsafe data.

XSS

Use after free in WebAudio in Google Chrome prior to 119.0.6045.123

CVE-2023-5996 8.8 - High - November 08, 2023

Use after free in WebAudio in Google Chrome prior to 119.0.6045.123 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory

CVE-2023-3961 9.8 - Critical - November 03, 2023

A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, which Samba initiates on demand. However, due to inadequate sanitization of incoming client pipe names, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes.

Directory traversal

An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel

CVE-2023-1194 8.1 - High - November 03, 2023

An out-of-bounds (OOB) memory read flaw was found in parse_lease_state in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. When an attacker sends the CREATE command with a malformed payload to KSMBD, due to a missing check of `NameOffset` in the `parse_lease_state()` function, the `create_context` object can access invalid memory.

Out-of-bounds Read

A flaw was found in Samba

CVE-2023-42670 6.5 - Medium - November 03, 2023

A flaw was found in Samba. It is susceptible to a vulnerability where multiple incompatible RPC listeners can be initiated, causing disruptions in the AD DC service. When Samba's RPC server experiences a high load or unresponsiveness, servers intended for non-AD DC purposes (for example, NT4-emulation "classic DCs") can erroneously start and compete for the same unix domain sockets. This issue leads to partial query responses from the AD DC, causing issues such as "The procedure number is out of range" when using tools like Active Directory Users. This flaw allows an attacker to disrupt AD DC services.

A vulnerability was discovered in Samba, where the flaw

CVE-2023-4091 6.5 - Medium - November 03, 2023

A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.

Incorrect Default Permissions

In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack

CVE-2023-41164 7.5 - High - November 03, 2023

In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

Improper Validation of Specified Quantity in Input

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack

CVE-2023-43665 7.5 - High - November 03, 2023

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

Improper Validation of Specified Quantity in Input

SchedMD Slurm 23.02.x before 23.02.6 and 22.05.x before 22.05.10

CVE-2023-41914 7 - High - November 03, 2023

SchedMD Slurm 23.02.x before 23.02.6 and 22.05.x before 22.05.10 allows filesystem race conditions for gaining ownership of a file, overwriting a file, or deleting files.

Race Condition

Inappropriate implementation in Payments in Google Chrome prior to 119.0.6045.105

CVE-2023-5480 6.1 - Medium - November 01, 2023

Inappropriate implementation in Payments in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to bypass XSS preventions via a malicious file. (Chromium security severity: High)

XSS

Insufficient data validation in USB in Google Chrome prior to 119.0.6045.105

CVE-2023-5482 8.8 - High - November 01, 2023

Insufficient data validation in USB in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Insufficient Verification of Data Authenticity

Integer overflow in USB in Google Chrome prior to 119.0.6045.105

CVE-2023-5849 8.8 - High - November 01, 2023

Integer overflow in USB in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Integer Overflow or Wraparound

Incorrect security UI in Downloads in Google Chrome prior to 119.0.6045.105

CVE-2023-5850 4.3 - Medium - November 01, 2023

Incorrect security UI in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Medium)

Inappropriate implementation in Downloads in Google Chrome prior to 119.0.6045.105

CVE-2023-5851 4.3 - Medium - November 01, 2023

Inappropriate implementation in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium)

Origin Validation Error

Use after free in Printing in Google Chrome prior to 119.0.6045.105

CVE-2023-5852 8.8 - High - November 01, 2023

Use after free in Printing in Google Chrome prior to 119.0.6045.105 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via specific UI gestures. (Chromium security severity: Medium)

Dangling pointer

Incorrect security UI in Downloads in Google Chrome prior to 119.0.6045.105

CVE-2023-5853 4.3 - Medium - November 01, 2023

Incorrect security UI in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium)

Origin Validation Error

Use after free in Profiles in Google Chrome prior to 119.0.6045.105

CVE-2023-5854 8.8 - High - November 01, 2023

Use after free in Profiles in Google Chrome prior to 119.0.6045.105 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via specific UI gestures. (Chromium security severity: Medium)

Dangling pointer

Use after free in Reading Mode in Google Chrome prior to 119.0.6045.105

CVE-2023-5855 8.8 - High - November 01, 2023

Use after free in Reading Mode in Google Chrome prior to 119.0.6045.105 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via specific UI gestures. (Chromium security severity: Medium)

Dangling pointer

Use after free in Side Panel in Google Chrome prior to 119.0.6045.105

CVE-2023-5856 8.8 - High - November 01, 2023

Use after free in Side Panel in Google Chrome prior to 119.0.6045.105 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Inappropriate implementation in Downloads in Google Chrome prior to 119.0.6045.105

CVE-2023-5857 8.8 - High - November 01, 2023

Inappropriate implementation in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially execute arbitrary code via a malicious file. (Chromium security severity: Medium)

Inappropriate implementation in WebApp Provider in Google Chrome prior to 119.0.6045.105

CVE-2023-5858 4.3 - Medium - November 01, 2023

Inappropriate implementation in WebApp Provider in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Low)

Origin Validation Error

Incorrect security UI in Picture In Picture in Google Chrome prior to 119.0.6045.105

CVE-2023-5859 4.3 - Medium - November 01, 2023

Incorrect security UI in Picture In Picture in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform domain spoofing via a crafted local HTML page. (Chromium security severity: Low)

Origin Validation Error

A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick

CVE-2023-5349 3.3 - Low - October 30, 2023

A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick. This issue can lead to a denial of service (DOS) by memory exhaustion.

Memory Leak

A use-after-free flaw was found in the xorg-x11-server

CVE-2023-5380 4.7 - Medium - October 25, 2023

A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed.

Dangling pointer

A out-of-bounds write flaw was found in the xorg-x11-server

CVE-2023-5367 7.8 - High - October 25, 2023

A out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.

Memory Corruption

Use after free in Profiles in Google Chrome prior to 118.0.5993.117

CVE-2023-5472 8.8 - High - October 25, 2023

Use after free in Profiles in Google Chrome prior to 118.0.5993.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.

CVE-2023-31122 7.5 - High - October 23, 2023

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.

Out-of-bounds Read

When a HTTP/2 stream was reset (RST frame) by a client

CVE-2023-45802 5.9 - Medium - October 23, 2023

When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Resource Exhaustion

Redis is an in-memory database that persists on disk

CVE-2023-45145 3.6 - Low - October 18, 2023

Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.

Exposure of Resource to Wrong Sphere

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects

CVE-2023-39332 9.8 - Critical - October 18, 2023

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects. This is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Directory traversal

urllib3 is a user-friendly HTTP client library for Python

CVE-2023-45803 4.2 - Medium - October 17, 2023

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Information Disclosure

Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.This issue affects Apache Traffic Server:

CVE-2023-39456 7.5 - High - October 17, 2023

Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 9.2.3, which fixes the issue.

Improper Input Validation

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.This issue affects Apache Traffic Server:

CVE-2023-41752 7.5 - High - October 17, 2023

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue.

Information Disclosure

A vulnerability was found in libXpm where a vulnerability exists due to a boundary condition, a local user

CVE-2023-43789 5.5 - Medium - October 12, 2023

A vulnerability was found in libXpm where a vulnerability exists due to a boundary condition, a local user can trigger an out-of-bounds read error and read contents of memory on the system.

Out-of-bounds Read

Use after free in Site Isolation in Google Chrome prior to 118.0.5993.70

CVE-2023-5218 8.8 - High - October 11, 2023

Use after free in Site Isolation in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Dangling pointer

Inappropriate implementation in DevTools in Google Chrome prior to 118.0.5993.70

CVE-2023-5475 6.5 - Medium - October 11, 2023

Inappropriate implementation in DevTools in Google Chrome prior to 118.0.5993.70 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium)

Inappropriate implementation in Navigation in Google Chrome prior to 118.0.5993.70

CVE-2023-5484 6.5 - Medium - October 11, 2023

Inappropriate implementation in Navigation in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Fullscreen in Google Chrome prior to 118.0.5993.70

CVE-2023-5487 6.5 - Medium - October 11, 2023

Inappropriate implementation in Fullscreen in Google Chrome prior to 118.0.5993.70 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium)

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption

CVE-2023-39325 7.5 - High - October 11, 2023

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Resource Exhaustion

Use After Free in GitHub repository vim/vim prior to v9.0.2010.

CVE-2023-5535 7.8 - High - October 11, 2023

Use After Free in GitHub repository vim/vim prior to v9.0.2010.

Dangling pointer

An integer overflow in xerces-c++ 3.2.3 in BigFix Platform

CVE-2023-37536 8.8 - High - October 11, 2023

An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request.

Integer Overflow or Wraparound

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation

CVE-2023-45129 4.9 - Medium - October 10, 2023

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.

Allocation of Resources Without Limits or Throttling

The HTTP/2 protocol

CVE-2023-44487 7.5 - High - October 10, 2023

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Resource Exhaustion

A vulnerability was found in libXpm due to a boundary condition within the XpmCreateXpmImageFromBuffer() function

CVE-2023-43788 5.5 - Medium - October 10, 2023

A vulnerability was found in libXpm due to a boundary condition within the XpmCreateXpmImageFromBuffer() function. This flaw allows a local attacker to trigger an out-of-bounds read error and read the contents of memory on the system.

Out-of-bounds Read

A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function

CVE-2023-43785 5.5 - Medium - October 10, 2023

A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system.

Out-of-bounds Read

A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function

CVE-2023-43787 7.8 - High - October 10, 2023

A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.

Integer Overflow or Wraparound

A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function

CVE-2023-43786 5.5 - Medium - October 10, 2023

A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.

Infinite Loop

libcue provides an API for parsing and extracting data from CUE sheets

CVE-2023-43641 8.8 - High - October 09, 2023

libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.

Memory Corruption

A flaw was found in the Netfilter subsystem in the Linux kernel

CVE-2023-39189 6 - Medium - October 09, 2023

A flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.

Out-of-bounds Read

A flaw was found in the XFRM subsystem in the Linux kernel

CVE-2023-39194 4.4 - Medium - October 09, 2023

A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.

Out-of-bounds Read

A flaw was found in the Netfilter subsystem in the Linux kernel

CVE-2023-39193 6 - Medium - October 09, 2023

A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.

Out-of-bounds Read

A flaw was found in the Netfilter subsystem in the Linux kernel

CVE-2023-39192 6 - Medium - October 09, 2023

A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.

Out-of-bounds Read

Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0 has a Buffer Overflow.

CVE-2023-43615 7.5 - High - October 07, 2023

Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0 has a Buffer Overflow.

Classic Buffer Overflow

A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled

CVE-2023-45239 9.8 - Critical - October 06, 2023

A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server.

A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5

CVE-2023-39928 8.8 - High - October 06, 2023

A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to to visit a malicious webpage to trigger this vulnerability.

Dangling pointer

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives

CVE-2023-39323 9.8 - Critical - October 05, 2023

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.

CVE-2023-5441 5.5 - Medium - October 05, 2023

NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.

NULL Pointer Dereference

A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c

CVE-2023-41175 6.5 - Medium - October 05, 2023

A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.

Integer Overflow or Wraparound

LibTIFF is vulnerable to an integer overflow

CVE-2023-40745 6.5 - Medium - October 05, 2023

LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.

Integer Overflow or Wraparound

A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack

CVE-2023-42754 5.5 - Medium - October 05, 2023

A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.

NULL Pointer Dereference

Type confusion in V8 in Google Chrome prior to 117.0.5938.149

CVE-2023-5346 8.8 - High - October 05, 2023

Type confusion in V8 in Google Chrome prior to 117.0.5938.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

A heap-based buffer overflow vulnerability was found in coders/tiff.c in ImageMagick

CVE-2023-3428 5.5 - Medium - October 04, 2023

A heap-based buffer overflow vulnerability was found in coders/tiff.c in ImageMagick. This issue may allow a local attacker to trick the user into opening a specially crafted file, resulting in an application crash and denial of service.

Memory Corruption

An improper input validation flaw was found in the eBPF subsystem in the Linux kernel

CVE-2023-39191 8.2 - High - October 04, 2023

An improper input validation flaw was found in the eBPF subsystem in the Linux kernel. The issue occurs due to a lack of proper validation of dynamic pointers within user-supplied eBPF programs prior to executing them. This may allow an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code in the context of the kernel.

A memory leak flaw was found in Libtiff's tiffcrop utility

CVE-2023-3576 5.5 - Medium - October 04, 2023

A memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.

Memory Leak

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable

CVE-2023-4911 7.8 - High - October 03, 2023

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Memory Corruption

A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation

CVE-2023-5345 7.8 - High - October 03, 2023

A use-after-free vulnerability in the Linux kernel's fs/smb/client component can be exploited to achieve local privilege escalation. In case of an error in smb3_fs_context_parse_param, ctx->password was freed but the field was not set to NULL which could lead to double free. We recommend upgrading past commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705.

Dangling pointer

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.

CVE-2023-5344 7.5 - High - October 02, 2023

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.

Heap-based Buffer Overflow

VP9 in libvpx before 1.13.1 mishandles widths

CVE-2023-44488 7.5 - High - September 30, 2023

VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.

Improper Handling of Exceptional Conditions

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Fedora Project Fedora or by Fedora Project? Click the Watch button to subscribe.

subscribe