Fedora Project Fedora


By the Year

In 2024 there have been 71 vulnerabilities in Fedora Project Fedora with an average score of 7.0 out of ten. Last year Fedora had 542 security vulnerabilities published. Right now, Fedora is on track to have fewer security vulnerabilities in 2024 than it did last year. However, the average CVE base score of the vulnerabilities in 2024 is higher by 0.20.

Year Vulnerabilities Average Score
2024 71 6.96
2023 542 6.76
2022 976 7.13
2021 1147 7.11
2020 842 6.83
2019 626 7.09
2018 71 7.19

It may take a day or so for new Fedora vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Fedora Project Fedora Security Vulnerabilities

In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation

CVE-2024-31497 5.9 - Medium - April 15, 2024

In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.

PRNG

Object lifecycle issue in V8 in Google Chrome prior to 123.0.6312.58

CVE-2024-2625 8.8 - High - March 20, 2024

Object lifecycle issue in V8 in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

Out of bounds read in Swiftshader in Google Chrome prior to 123.0.6312.58

CVE-2024-2626 6.5 - Medium - March 20, 2024

Out of bounds read in Swiftshader in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

Out-of-bounds Read

Use after free in Canvas in Google Chrome prior to 123.0.6312.58

CVE-2024-2627 8.8 - High - March 20, 2024

Use after free in Canvas in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Dangling pointer

Inappropriate implementation in Downloads in Google Chrome prior to 123.0.6312.58

CVE-2024-2628 4.3 - Medium - March 20, 2024

Inappropriate implementation in Downloads in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted URL. (Chromium security severity: Medium)

Incorrect security UI in iOS in Google Chrome prior to 123.0.6312.58

CVE-2024-2629 4.3 - Medium - March 20, 2024

Incorrect security UI in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58

CVE-2024-2630 6.5 - Medium - March 20, 2024

Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58

CVE-2024-2631 4.3 - Medium - March 20, 2024

Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Heap Buffer Overflow vulnerability in qpdf 11.9.0

CVE-2024-24246 5.5 - Medium - February 29, 2024

Heap Buffer Overflow vulnerability in qpdf 11.9.0 allows attackers to crash the application via the std::__shared_count() function at /bits/shared_ptr_base.h.

Memory Corruption

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass

CVE-2023-52160 6.5 - Medium - February 22, 2024

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

Authentication Bypass
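The precondition for the PEAP bypass above is a supplicant configuration that skips server certificate verification in Phase 1. The block below is an added example written for this page, not wpa_supplicant code: it reads the network={...} blocks of a wpa_supplicant.conf (SAMPLE_CONF is constructed, with a throwaway identity and password) and reports PEAP networks that have no ca_cert/ca_path (the bypass precondition) or that pin a CA but no server name (any certificate from that CA is accepted). The option names used are the real wpa_supplicant ones; the finding codes are this example's own.

```python
# Constructed wpa_supplicant.conf with three PEAP networks: no server-certificate
# validation at all, CA pinned but not the server name, and both.
SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant

network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-wifi-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""


def parse_networks(conf_text: str):
    """Minimal reader for network={ key=value ... } blocks. Full-line '#' comments
    are skipped; a value is everything after the first '=' with surrounding quotes removed."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


NAME_MATCH_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")


def audit_peap(net: dict):
    """Findings for one network block.
    NO_CA_CERT: Phase 1 does not verify the server certificate, so a rogue AP can
    answer with an EAP-TLV Success and skip Phase 2 entirely (the bypass above).
    NO_NAME_MATCH: a CA is pinned but any certificate it issued is accepted."""
    if "PEAP" not in net.get("eap", "").split():
        return []
    if not (net.get("ca_cert") or net.get("ca_path")):
        return ["NO_CA_CERT"]
    if not any(key in net for key in NAME_MATCH_KEYS):
        return ["NO_NAME_MATCH"]
    return []


def audit_conf(conf_text: str) -> dict:
    """Map each SSID to its findings; an empty list means the block passed."""
    return {net.get("ssid", "?"): audit_peap(net) for net in parse_networks(conf_text)}
```

Fixing the configuration removes the precondition but is not a substitute for the upstream fix; do both.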

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE

CVE-2024-1597 9.8 - Critical - February 19, 2024

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.

SQL Injection
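The three conditions in the pgjdbc entry (minus directly before a numeric placeholder, a later string placeholder, same line) describe a line-comment trick: a negative number spliced in after the minus yields "--", which comments out the rest of the line including the opening quote of the string literal, and the string then supplies a fresh line of SQL. The block below is an added example written for this page, not pgjdbc's code: render_simple_mode is an illustrative model of client-side parameter splicing in simple query mode, the accounts table and its rows are constructed, and the query runs against SQLite (which shares PostgreSQL's "--" comment syntax) so the effect can be observed offline. The parenthesised rendering is one defensive rendering shown for contrast, not the driver's actual patch; upgrading is the remedy.

```python
import re
import sqlite3


def render_simple_mode(sql: str, params, paren_numbers: bool = False) -> str:
    """Model of client-side parameter splicing: numbers go in as bare text, strings
    as quoted literals with embedded quotes doubled. With paren_numbers=True every
    numeric value is wrapped in parentheses, so a negative number can no longer
    fuse with a preceding '-' into a '--' comment."""
    out, values = [], iter(params)
    for ch in sql:
        if ch != "?":
            out.append(ch)
            continue
        value = next(values)
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            out.append(f"({value})" if paren_numbers else str(value))
        else:
            out.append("'" + str(value).replace("'", "''") + "'")
    return "".join(out)


def run_query(rendered_sql: str):
    """Execute rendered text against a throwaway SQLite database seeded with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE accounts(owner TEXT, balance INTEGER);"
        "INSERT INTO accounts VALUES ('alice', 1500), ('bob', 50), ('carol', 5000);"
    )
    return sorted(row[0] for row in con.execute(rendered_sql))


# The shape the advisory describes: numeric placeholder right after '-',
# string placeholder later on the same line.
QUERY = "SELECT owner FROM accounts WHERE balance >= 1000-? AND owner = ?"
HONEST_PARAMS = (200, "alice")
# -1 turns '1000-?' into '1000--1': everything after it on the line is a comment,
# including the opening quote of the string. The string starts a new line of SQL
# and its trailing '--' comments out its own closing quote.
ATTACK_PARAMS = (-1, "\nOR 1=1 --")


def has_vulnerable_shape(sql: str) -> bool:
    """Static lint for the query shape: '-?' followed by another '?' on the same line.
    A space between '-' and '?' (as in '1000 - ?') already breaks the trick."""
    return any(re.search(r"-\?.*\?", line) for line in sql.splitlines())
```

Grep the code base with the same pattern to find candidate queries, then confirm whether PreferQueryMode=SIMPLE is set anywhere in the JDBC URL or driver properties; without it the server-side prepared statement path is used and the splice never happens.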

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs)

CVE-2023-50387 7.5 - High - February 14, 2024

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Allocation of Resources Without Limits or Throttling
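The KeyTrap entry says the specification "implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records"; the reason that is cheap for an attacker is that the key tag linking an RRSIG to a DNSKEY is a 16-bit checksum, so many keys with one tag are trivial to mint. The block below is an added example written for this page, not code from any resolver: key_tag implements the RFC 4034 Appendix B computation, forge_key_with_tag mints DNSKEY records with a chosen tag from constructed filler key material, verify_stub stands in for the expensive signature check (the attacker's signatures are garbage, so it always fails), and validate_bounded shows the kind of failure budget resolvers adopted as the mitigation. The budget value and exception name are this example's own.

```python
import random
from dataclasses import dataclass


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (flags, protocol, algorithm, public key) exactly as
    RFC 4034 Appendix B computes it. It is a checksum, not a hash: collisions are cheap."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    rdata: bytes

    @property
    def algorithm(self) -> int:
        return self.rdata[3]

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def forge_key_with_tag(target: int, algorithm: int, seed: int) -> DNSKEY:
    """DNSKEY (flags 256, protocol 3) whose tag equals `target`. The 'public key' is
    constructed filler; the last two bytes (at an even offset, so they add hi<<8 + lo
    to the running sum) are chosen to hit the target tag."""
    rng = random.Random(seed)
    while True:
        base = bytes([1, 0, 3, algorithm]) + bytes(rng.randrange(256) for _ in range(30))
        partial = sum(b if i & 1 else b << 8 for i, b in enumerate(base))
        for delta in range(1 << 16):
            total = partial + delta
            if (total + ((total >> 16) & 0xFFFF)) & 0xFFFF == target:
                return DNSKEY(base + bytes([delta >> 8, delta & 0xFF]))
        # exactly one tag value is unreachable for a given filler; try new filler


def verify_stub(sig: RRSIG, key: DNSKEY) -> bool:
    """Stand-in for the public-key verification (constructed): never verifies."""
    return False


def validate_naive(rrsigs, dnskeys, verify=verify_stub):
    """Try every RRSIG against every DNSKEY with a matching tag and algorithm, as a
    literal reading of the RFCs suggests. Returns (valid, verifications performed)."""
    attempts = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key.tag == sig.key_tag and key.algorithm == sig.algorithm:
                attempts += 1
                if verify(sig, key):
                    return True, attempts
    return False, attempts


class ValidationBudgetExceeded(Exception):
    """Raised when the failure budget is spent; the RRset is treated as bogus."""


def validate_bounded(rrsigs, dnskeys, max_failures: int = 16, verify=verify_stub):
    """Same search, but gives up after a fixed number of failed verifications so a
    crafted zone costs bounded CPU instead of keys*signatures verifications."""
    failures = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key.tag == sig.key_tag and key.algorithm == sig.algorithm:
                if verify(sig, key):
                    return True, failures
                failures += 1
                if failures >= max_failures:
                    raise ValidationBudgetExceeded(failures)
    return False, failures


def build_keytrap_rrset(n_keys: int = 24, n_sigs: int = 24, tag: int = 0x1234, algorithm: int = 13):
    """Constructed attacker zone: all DNSKEYs share one tag, all RRSIGs reference it (alg 13 = ECDSAP256SHA256)."""
    keys = [forge_key_with_tag(tag, algorithm, seed=i) for i in range(n_keys)]
    sigs = [RRSIG(algorithm, tag, b"\x00" * 64) for _ in range(n_sigs)]
    return sigs, keys
```

With real keys and signatures each verification is a public-key operation, so the 576 attempts in the constructed case (and far more with the record counts a DNS message can carry) is what stalls a validating resolver.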

dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash

CVE-2023-52429 5.5 - Medium - February 12, 2024

dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.

Improper Check for Unusual or Exceptional Conditions

A use-after-free flaw was found in the Linux kernel's Memory Management subsystem when a user wins two races at the same time with a fail in the mas_prev_slot function

CVE-2024-1312 4.7 - Medium - February 08, 2024

A use-after-free flaw was found in the Linux kernel's Memory Management subsystem when a user wins two races at the same time with a fail in the mas_prev_slot function. This issue could allow a local user to crash the system.

Dangling pointer

A vulnerability in the OLE2 file format parser of ClamAV could

CVE-2024-20290 7.5 - High - February 07, 2024

A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources. For a description of this vulnerability, see the ClamAV blog.

Out-of-bounds Read

Heap buffer overflow in Skia in Google Chrome prior to 121.0.6167.160

CVE-2024-1283 9.8 - Critical - February 07, 2024

Heap buffer overflow in Skia in Google Chrome prior to 121.0.6167.160 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Use after free in Mojo in Google Chrome prior to 121.0.6167.160

CVE-2024-1284 9.8 - Critical - February 07, 2024

Use after free in Mojo in Google Chrome prior to 121.0.6167.160 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

A flaw was found in the grub2-set-bootflag utility of grub2

CVE-2024-1048 3.3 - Low - February 06, 2024

A flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, grub2-set-bootflag will create a temporary file with the new grubenv content and rename it to the original grubenv file. If the program is killed before the rename operation, the temporary file will not be removed and may fill the filesystem when invoked multiple times, resulting in a filesystem out of free inodes or blocks.

Insufficient Cleanup

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios

CVE-2024-0690 5.5 - Medium - February 06, 2024

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.

Output Sanitization

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification

CVE-2024-21626 8.6 - High - January 31, 2024

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

Exposure of Resource to Wrong Sphere

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library

CVE-2023-6246 7.8 - High - January 31, 2024

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

Memory Corruption

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library

CVE-2023-6779 7.5 - High - January 31, 2024

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.

Memory Corruption

An integer overflow was found in the __vsyslog_internal function of the glibc library

CVE-2023-6780 5.3 - Medium - January 31, 2024

An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.

Incorrect Calculation of Buffer Size

Use after free in Network in Google Chrome prior to 121.0.6167.139

CVE-2024-1077 8.8 - High - January 30, 2024

Use after free in Network in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially exploit heap corruption via a malicious file. (Chromium security severity: High)

Dangling pointer

Use after free in Canvas in Google Chrome prior to 121.0.6167.139

CVE-2024-1060 8.8 - High - January 30, 2024

Use after free in Canvas in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Use after free in Peer Connection in Google Chrome prior to 121.0.6167.139

CVE-2024-1059 8.8 - High - January 30, 2024

Use after free in Peer Connection in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python

CVE-2024-23334 7.5 - High - January 29, 2024

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

Directory traversal
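The aiohttp entry turns on one missing step: with follow_symlinks=True the resolved path was never checked for containment in the static root. The block below is an added example written for this page, not aiohttp's own code: resolve_static_path does the mapping with the containment check in place (and refuses all symlinks when follow_symlinks is False, the safe default), resolve_static_path_unchecked shows what serving amounts to without the check, and make_fixture builds a constructed directory layout in a temporary directory with a file outside the root and two symlinks inside it. In aiohttp itself the corresponding setting is the follow_symlinks argument of web.static(); leave it False unless the root is fully controlled.

```python
import os
import tempfile
from pathlib import Path


class StaticPathError(Exception):
    """Raised for any request that must not be served from the static root."""


def resolve_static_path(root: Path, requested: str, follow_symlinks: bool = False) -> Path:
    """Map a URL path onto a regular file below `root`. The containment check is made
    on the *resolved* path, so a symlink pointing outside root is refused even when
    follow_symlinks=True; with follow_symlinks=False any symlink below root is refused."""
    root = root.resolve()
    parts = [p for p in requested.split("/") if p and p != "."]
    candidate = root.joinpath(*parts)
    lexical = Path(os.path.normpath(candidate))   # '..' collapsed, symlinks untouched
    resolved = candidate.resolve()                # '..' collapsed and symlinks followed
    if not follow_symlinks and resolved != lexical:
        raise StaticPathError(f"symlink in path: {requested}")
    try:
        resolved.relative_to(root)
    except ValueError:
        raise StaticPathError(f"escapes static root: {requested}") from None
    if not resolved.is_file():
        raise StaticPathError(f"not a regular file: {requested}")
    return resolved


def resolve_static_path_unchecked(root: Path, requested: str) -> Path:
    """Symlinks followed, no containment check: whatever the path resolves to is served."""
    return root.joinpath(*[p for p in requested.split("/") if p]).resolve()


def make_fixture():
    """Constructed layout: base/public/ is the static root, base/secret.txt is outside it,
    public/link_out points at the secret and public/link_in at a file inside the root."""
    base = Path(tempfile.mkdtemp(prefix="static-demo-"))
    root = base / "public"
    root.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    secret = base / "secret.txt"
    secret.write_text("db_password=...")
    (root / "link_out").symlink_to(secret)
    (root / "link_in").symlink_to(root / "index.html")
    return root, secret


def is_rejected(root: Path, requested: str, follow_symlinks: bool = False) -> bool:
    """True when the checked resolver refuses the request."""
    try:
        resolve_static_path(root, requested, follow_symlinks)
    except StaticPathError:
        return True
    return False
```

The order matters: resolve first, then compare against the resolved root. Checking the lexical path alone would pass link_out, and checking before resolution would pass "../secret.txt" on some layouts.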

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python

CVE-2024-23829 6.5 - Medium - January 29, 2024

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.

HTTP Request Smuggling

A flaw was found in the MZ binary format in Shim

CVE-2023-40551 5.1 - Medium - January 29, 2024

A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.

Out-of-bounds Read

An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary

CVE-2023-40549 5.5 - Medium - January 29, 2024

An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service.

Out-of-bounds Read

An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information

CVE-2023-40550 5.5 - Medium - January 29, 2024

An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase.

Out-of-bounds Read

A flaw was found in Shim when an error happened while creating a new ESL variable

CVE-2023-40546 5.5 - Medium - January 29, 2024

A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of parameters used by the logging function doesn't match the format string used by it, leading to a crash under certain circumstances.

NULL Pointer Dereference

A buffer overflow was found in Shim in the 32-bit system

CVE-2023-40548 7.4 - High - January 29, 2024

A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase.

Memory Corruption

Transmit requests in Xen's virtual network protocol can consist of multiple parts

CVE-2023-46838 7.5 - High - January 29, 2024

Transmit requests in Xen's virtual network protocol can consist of multiple parts. While not really useful, any part except the initial one may be of zero length, i.e. carry no data at all. Apart from a certain initial portion of the data to be transferred, these parts are translated directly into what Linux calls SKB fragments. When all such converted request parts for a particular SKB are of length zero, this can lead to a dereference of NULL in core networking code.

NULL Pointer Dereference

Inappropriate implementation in Downloads in Google Chrome prior to 121.0.6167.85

CVE-2024-0805 4.3 - Medium - January 24, 2024

Inappropriate implementation in Downloads in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Medium)

Incorrect security UI in Payments in Google Chrome prior to 121.0.6167.85

CVE-2024-0814 6.5 - Medium - January 24, 2024

Incorrect security UI in Payments in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially spoof security UI via a crafted HTML page. (Chromium security severity: Medium)

Origin Validation Error

Use after free in Reading Mode in Google Chrome prior to 121.0.6167.85

CVE-2024-0813 8.8 - High - January 24, 2024

Use after free in Reading Mode in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interaction. (Chromium security severity: Medium)

Dangling pointer

Inappropriate implementation in Accessibility in Google Chrome prior to 121.0.6167.85

CVE-2024-0812 8.8 - High - January 24, 2024

Inappropriate implementation in Accessibility in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

Inappropriate implementation in Extensions API in Google Chrome prior to 121.0.6167.85

CVE-2024-0811 4.3 - Medium - January 24, 2024

Inappropriate implementation in Extensions API in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low)

Inappropriate implementation in Autofill in Google Chrome prior to 121.0.6167.85

CVE-2024-0809 4.3 - Medium - January 24, 2024

Inappropriate implementation in Autofill in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to bypass Autofill restrictions via a crafted HTML page. (Chromium security severity: Low)

Integer underflow in WebUI in Google Chrome prior to 121.0.6167.85

CVE-2024-0808 9.8 - Critical - January 24, 2024

Integer underflow in WebUI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a malicious file. (Chromium security severity: High)

Integer underflow

Use after free in Web Audio in Google Chrome prior to 121.0.6167.85

CVE-2024-0807 8.8 - High - January 24, 2024

Use after free in Web Audio in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Use after free in Passwords in Google Chrome prior to 121.0.6167.85

CVE-2024-0806 8.8 - High - January 24, 2024

Use after free in Passwords in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via specific UI interaction. (Chromium security severity: Medium)

Dangling pointer

Insufficient policy enforcement in iOS Security UI in Google Chrome prior to 121.0.6167.85

CVE-2024-0804 7.5 - High - January 24, 2024

Insufficient policy enforcement in iOS Security UI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel

CVE-2023-39197 7.5 - High - January 23, 2024

An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.

Out-of-bounds Read

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture

CVE-2024-22420 6.1 - Medium - January 19, 2024

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. This vulnerability depends on user interaction by opening a malicious Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. JupyterLab version 4.0.11 has been patched. Users are advised to upgrade. Users unable to upgrade should disable the table of contents extension.

XSS

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture

CVE-2024-22421 6.5 - Medium - January 19, 2024

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when running an older `jupyter-server` version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade `jupyter-server` to version 2.7.2 or newer which includes a redirect vulnerability fix.

Information Disclosure

A flaw was found in the X.Org server

CVE-2024-0408 5.5 - Medium - January 18, 2024

A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.

A flaw was found in the Netfilter subsystem in the Linux kernel

CVE-2024-0607 6.6 - Medium - January 18, 2024

A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality.

A flaw was found in the X.Org server

CVE-2024-0409 7.8 - High - January 18, 2024

A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.

Memory Corruption

A flaw was found in X.Org server

CVE-2023-6816 9.8 - Critical - January 18, 2024

A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.

Memory Corruption

Type confusion in V8 in Google Chrome prior to 120.0.6099.224

CVE-2024-0518 8.8 - High - January 16, 2024

Type confusion in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Out of bounds write in V8 in Google Chrome prior to 120.0.6099.224

CVE-2024-0517 8.8 - High - January 16, 2024

Out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

The Mock software contains a vulnerability wherein an attacker could potentially exploit privilege escalation

CVE-2023-6395 9.8 - Critical - January 16, 2024

The Mock software contains a vulnerability wherein an attacker could potentially exploit privilege escalation, enabling the execution of arbitrary code with root user privileges. This weakness stems from the absence of proper sandboxing during the expansion and execution of Jinja2 templates, which may be included in certain configuration parameters. While the Mock documentation advises treating users added to the mock group as privileged, certain build systems invoking mock on behalf of users might inadvertently permit less privileged users to define configuration tags. These tags could then be passed as parameters to mock during execution, potentially leading to the utilization of Jinja2 templates for remote privilege escalation and the execution of arbitrary code as the root user on the build server.
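The Mock entry hinges on two separate decisions: whether template expansion runs in a sandbox, and whether a less-privileged caller is allowed to supply template text at all. The block below is an added example written for this page, not Mock's code: it expands the same probe template (a string that only walks from a literal up the class hierarchy, the first step of every Jinja2 escape chain) with a plain Environment and with Jinja2's SandboxedEnvironment, and expand_config_value is this example's own policy that refuses to expand values from unprivileged callers rather than trusting the sandbox to contain them. jinja2 is a third-party package; if it is not installed the helpers report that instead of running.

```python
try:
    from jinja2 import Environment
    from jinja2.sandbox import SandboxedEnvironment, SecurityError
    JINJA2_AVAILABLE = True
except ImportError:        # jinja2 not installed: helpers return NOT_INSTALLED
    JINJA2_AVAILABLE = False

NOT_INSTALLED = "<jinja2 not installed>"
BLOCKED = "<blocked by sandbox>"

# Untrusted template text as a build-system parameter could carry it. Without a
# sandbox this reaches the interpreter's object graph ('str' -> 'object' -> every
# loaded class); with one the underscore attribute access is refused.
PROBE_TEMPLATE = "{{ ''.__class__.__mro__ }}"


def expand_unsandboxed(template_src: str, **context) -> str:
    """Expansion with a plain Environment: attribute access is unrestricted."""
    if not JINJA2_AVAILABLE:
        return NOT_INSTALLED
    return Environment().from_string(template_src).render(**context)


def expand_sandboxed(template_src: str, **context) -> str:
    """Expansion with SandboxedEnvironment: underscore/internal attributes raise SecurityError."""
    if not JINJA2_AVAILABLE:
        return NOT_INSTALLED
    try:
        return SandboxedEnvironment().from_string(template_src).render(**context)
    except SecurityError:
        return BLOCKED


def expand_config_value(value: str, caller_is_privileged: bool, **context) -> str:
    """Policy for a build system that invokes the tool on behalf of users: only values
    from privileged callers are expanded (and then only in the sandbox); values from
    anyone else are used literally, so template syntax never executes for them."""
    if not caller_is_privileged:
        return value
    return expand_sandboxed(value, **context)
```

The sandbox is defence in depth, not a trust boundary on its own; the advisory's point is that unprivileged users must not be able to define configuration tags that get expanded at all, which is what expand_config_value enforces.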

A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c

CVE-2024-0232 5.5 - Medium - January 16, 2024

A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.

Dangling pointer

A vulnerability was found in GnuTLS

CVE-2024-0553 7.5 - High - January 16, 2024

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Side Channel Attack
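The GnuTLS entry is a padding-oracle timing channel: the time taken to reject a malformed RSA-PSK ClientKeyExchange depends on where the PKCS#1 v1.5 check fails, and that difference is enough for a Bleichenbacher-style attack. The block below is an added example written for this page, not GnuTLS code, showing the structural fix rather than the library's patch: unpad_pkcs1_v15_leaky returns early at the first problem (each distinct failure point is a distinguishable timing), while unpad_pkcs1_v15_ct inspects every byte, folds validity into a mask and returns either the embedded secret or a caller-supplied random fallback with no data-dependent exit, which is how TLS stacks make bad and good ciphertexts take the same path. Python integer arithmetic is not itself constant-time; the example models the control-flow discipline a C implementation has to follow. The encoded blocks are constructed, with 0x41 as padding filler.

```python
import secrets


def unpad_pkcs1_v15_leaky(em: bytes, secret_len: int) -> bytes:
    """Early-exit check: each failure happens after a different amount of work, so
    timing the call tells an attacker which check failed. Do not use."""
    if em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad header")
    i = 2
    while i < len(em) and em[i] != 0x00:     # scan for the 0x00 separator
        i += 1
    if i == len(em) or i - 2 < 8:             # missing separator or fewer than 8 padding bytes
        raise ValueError("bad padding")
    if len(em) - i - 1 != secret_len:
        raise ValueError("bad length")
    return em[i + 1:]


def unpad_pkcs1_v15_ct(em: bytes, secret_len: int, fallback: bytes) -> bytes:
    """Branch-free check: every byte is examined, a validity bit is accumulated and the
    result is selected by masking, so the work does not depend on where the padding is wrong.
    Block length and secret length are public (RSA modulus size, negotiated PSK size)."""
    k = len(em)
    assert k >= secret_len + 11 and len(fallback) == secret_len
    sep = k - secret_len - 1                 # the only position the separator may occupy
    good = int(em[0] == 0x00) & int(em[1] == 0x02)
    for i in range(2, k):
        nonzero = int(em[i] != 0x00)
        is_pad = int(i < sep)                # positions 2 .. sep-1 must be non-zero
        is_sep = int(i == sep)               # position sep must be 0x00
        good &= ((1 - is_pad) | nonzero) & ((1 - is_sep) | (1 - nonzero))
    mask = (-good) & 0xFF                    # 0xFF when valid, 0x00 otherwise
    return bytes((em[sep + 1 + j] & mask) | (fallback[j] & (mask ^ 0xFF)) for j in range(secret_len))


def rsa_psk_premaster_ct(em: bytes, secret_len: int) -> bytes:
    """Handshake-style use: the random fallback is drawn *before* the check and the
    handshake continues with it on bad padding, so both outcomes look the same."""
    fallback = secrets.token_bytes(secret_len)
    return unpad_pkcs1_v15_ct(em, secret_len, fallback)


def build_em(secret: bytes, k: int = 64) -> bytes:
    """Constructed PKCS#1 v1.5 type-2 block: 00 02 <non-zero padding> 00 <secret>."""
    pad_len = k - 3 - len(secret)
    return b"\x00\x02" + bytes([0x41]) * pad_len + b"\x00" + secret
```

The remaining timing risk sits after this function: whatever consumes the returned bytes must also not branch on whether they were the real secret or the fallback, which is why the handshake simply proceeds and fails later at the Finished message.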

An authentication bypass flaw was found in GRUB due to the way

CVE-2023-4001 6.8 - Medium - January 15, 2024

An authentication bypass flaw was found in GRUB due to the way that GRUB uses the UUID of a device to search for the configuration file that contains the password hash for the GRUB password protection feature. An attacker capable of attaching an external drive such as a USB stick containing a file system with a duplicate UUID (the same as in the "/boot/" file system) can bypass the GRUB password protection feature on UEFI systems, which enumerate removable drives before non-removable ones. This issue was introduced in a downstream patch in Red Hat's version of grub2 and does not affect the upstream package.

Authentication Bypass by Spoofing

Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y

CVE-2024-23301 5.5 - Medium - January 12, 2024

Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root.

A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem

CVE-2024-0443 5.5 - Medium - January 12, 2024

A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn(), which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg and some blkgs from being freed after they are made offline. This issue may allow an attacker with a local access to cause system instability, such as an out of memory error.

Exposure of Resource to Wrong Sphere

Insufficient data validation in Extensions in Google Chrome prior to 120.0.6099.216

CVE-2024-0333 5.3 - Medium - January 10, 2024

Insufficient data validation in Extensions in Google Chrome prior to 120.0.6099.216 allowed an attacker in a privileged network position to install a malicious extension via a crafted HTML page. (Chromium security severity: High)

Redis is an in-memory database that persists on disk

CVE-2023-41056 8.1 - High - January 10, 2024

Redis is an in-memory database that persists on disk. Redis incorrectly handles resizing of memory buffers which can result in integer overflow that leads to heap overflow and potential remote code execution. This issue has been patched in version 7.0.15 and 7.2.4.

Integer Overflow or Wraparound

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA

CVE-2023-5455 6.5 - Medium - January 10, 2024

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

Session Riding

It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32-bit registers when performing div and mod operations

CVE-2021-3600 7.8 - High - January 08, 2024

It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32-bit registers when performing div and mod operations. A local attacker could use this to possibly execute arbitrary code.

Out-of-bounds Read

A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel

CVE-2023-6270 7 - High - January 04, 2024

A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.

Dangling pointer

Use after free in WebGPU in Google Chrome prior to 120.0.6099.199

CVE-2024-0225 8.8 - High - January 04, 2024

Use after free in WebGPU in Google Chrome prior to 120.0.6099.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Use after free in WebAudio in Google Chrome prior to 120.0.6099.199

CVE-2024-0224 8.8 - High - January 04, 2024

Use after free in WebAudio in Google Chrome prior to 120.0.6099.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Heap buffer overflow in ANGLE in Google Chrome prior to 120.0.6099.199

CVE-2024-0223 8.8 - High - January 04, 2024

Heap buffer overflow in ANGLE in Google Chrome prior to 120.0.6099.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

Use after free in ANGLE in Google Chrome prior to 120.0.6099.199

CVE-2024-0222 8.8 - High - January 04, 2024

Use after free in ANGLE in Google Chrome prior to 120.0.6099.199 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

A use-after-free flaw was found in PackageKitd

CVE-2024-0217 3.3 - Low - January 03, 2024

A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.

Dangling pointer

A flaw was found in libssh

CVE-2023-6004 4.8 - Medium - January 03, 2024

A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.

Injection

A stack-based buffer overflow was found in the virtio-net device of QEMU

CVE-2023-6693 5.3 - Medium - January 02, 2024

A stack-based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if the guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.

Memory Corruption

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical

CVE-2023-7104 7.3 - High - December 29, 2023

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.

Buffer Overflow

Increasing the resolution of video frames, while performing a multi-threaded encode

CVE-2023-6879 9.8 - Critical - December 27, 2023

Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc().

Memory Corruption

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files

CVE-2023-7101 7.8 - High - December 24, 2023

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type eval. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

Code Injection

OpenSSH through 9.6, when common types of DRAM are used, might

CVE-2023-51767 7 - High - December 24, 2023

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations

CVE-2023-51766 5.3 - Medium - December 24, 2023

Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.

Insufficient Verification of Data Authenticity

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options

CVE-2023-51764 5.3 - Medium - December 24, 2023

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

Insufficient Verification of Data Authenticity

Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129

CVE-2023-7024 8.8 - High - December 21, 2023

Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption

A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel

CVE-2023-6546 7 - High - December 21, 2023

A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.

Race Condition

Within tcpreplay's tcprewrite

CVE-2023-4256 5.5 - Medium - December 21, 2023

Within tcpreplay's tcprewrite, a double free vulnerability has been identified in the tcpedit_dlt_cleanup() function within plugins/dlt_plugins.c. This vulnerability can be exploited by supplying a specifically crafted file to the tcprewrite binary. This flaw enables a local attacker to initiate a Denial of Service (DoS) attack.

Double-free

An out-of-bounds write issue has been discovered in the backspace handling of the checkType() function in etc.c within the W3M application

CVE-2023-4255 5.5 - Medium - December 21, 2023

An out-of-bounds write issue has been discovered in the backspace handling of the checkType() function in etc.c within the W3M application. This vulnerability is triggered by supplying a specially crafted HTML file to the w3m binary. Exploitation of this flaw could lead to application crashes, resulting in a denial of service condition.

Memory Corruption

A flaw was found in the libssh abstraction layer for message digest (MD) operations, which is implemented by the different supported crypto backends

CVE-2023-6918 5.3 - Medium - December 19, 2023

A flaw was found in the libssh abstraction layer for message digest (MD) operations, which is implemented by the different supported crypto backends. The return values from these operations were not properly checked, which could cause failures in low-memory situations, NULL dereferences, crashes, or the use of uninitialized memory as input to the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.

Unchecked Return Value

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such

CVE-2023-48795 5.9 - Medium - December 18, 2023

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Improper Validation of Integrity Check Value

Type confusion in V8 in Google Chrome prior to 120.0.6099.109

CVE-2023-6702 8.8 - High - December 14, 2023

Type confusion in V8 in Google Chrome prior to 120.0.6099.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation

CVE-2023-5764 7.8 - High - December 12, 2023

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using

CVE-2023-46219 5.3 - Medium - December 12, 2023

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.

Missing Encryption of Sensitive Data

A null pointer dereference vulnerability was found in dpll_pin_parent_pin_set() in drivers/dpll/dpll_netlink.c in the Digital Phase Locked Loop (DPLL) subsystem in the Linux kernel

CVE-2023-6679 5.5 - Medium - December 11, 2023

A null pointer dereference vulnerability was found in dpll_pin_parent_pin_set() in drivers/dpll/dpll_netlink.c in the Digital Phase Locked Loop (DPLL) subsystem in the Linux kernel. This issue could be exploited to trigger a denial of service.

NULL Pointer Dereference

Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice

CVE-2023-6185 8.8 - High - December 11, 2023

Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins. In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.

Insufficient macro permission validation of The Document Foundation LibreOffice

CVE-2023-6186 8.8 - High - December 11, 2023

Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning. In affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user.

Improper Preservation of Permissions

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection

CVE-2023-45866 6.3 - Medium - December 08, 2023

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.

Authentication

This flaw allows a malicious HTTP server to set "super cookies" in curl

CVE-2023-46218 6.5 - Medium - December 07, 2023

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

Inappropriate implementation in Autofill in Google Chrome prior to 120.0.6099.62

CVE-2023-6511 4.3 - Medium - December 06, 2023

Inappropriate implementation in Autofill in Google Chrome prior to 120.0.6099.62 allowed a remote attacker to bypass Autofill restrictions via a crafted HTML page. (Chromium security severity: Low)

Use after free in Media Capture in Google Chrome prior to 120.0.6099.62

CVE-2023-6510 8.8 - High - December 06, 2023

Use after free in Media Capture in Google Chrome prior to 120.0.6099.62 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via specific UI interaction. (Chromium security severity: Medium)

Dangling pointer

Inappropriate implementation in Web Browser UI in Google Chrome prior to 120.0.6099.62

CVE-2023-6512 6.5 - Medium - December 06, 2023

Inappropriate implementation in Web Browser UI in Google Chrome prior to 120.0.6099.62 allowed a remote attacker to potentially spoof the contents of an iframe dialog context menu via a crafted HTML page. (Chromium security severity: Low)

Use after free in Side Panel Search in Google Chrome prior to 120.0.6099.62

CVE-2023-6509 8.8 - High - December 06, 2023

Use after free in Side Panel Search in Google Chrome prior to 120.0.6099.62 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via specific UI interaction. (Chromium security severity: High)

Dangling pointer

Use after free in Media Stream in Google Chrome prior to 120.0.6099.62

CVE-2023-6508 8.8 - High - December 06, 2023

Use after free in Media Stream in Google Chrome prior to 120.0.6099.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer

Integer overflow in Skia in Google Chrome prior to 119.0.6045.199

CVE-2023-6345 9.6 - Critical - November 29, 2023

Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Integer Overflow or Wraparound

Type Confusion in Spellcheck in Google Chrome prior to 119.0.6045.199

CVE-2023-6348 8.8 - High - November 29, 2023

Type Confusion in Spellcheck in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Object Type Confusion

Use after free in libavif in Google Chrome prior to 119.0.6045.199

CVE-2023-6351 8.8 - High - November 29, 2023

Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file. (Chromium security severity: High)

Dangling pointer

Use after free in Mojo in Google Chrome prior to 119.0.6045.199

CVE-2023-6347 8.8 - High - November 29, 2023

Use after free in Mojo in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Dangling pointer
