Red Hat Enterprise Linux Ibm Z Systems

Yelp GNOME Help Viewer RCE: Arbitrary Script Exec via Help Docs
CVE-2025-3155 7.4 - High - April 03, 2025

A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.

Open Redirect

libsoup Heap Buffer Over-read via HTTP Skip Insight Whitespace
CVE-2025-2784 7 - High - April 03, 2025

A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server.

Out-of-bounds Read

MongoDB Compass <1.42.1 LPE via Crafted Node_modules File
CVE-2025-1755 7.8 - High - February 27, 2025

MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\node_modules\. This issue affects MongoDB Compass prior to 1.42.1

Untrusted Path

mongosh <2.3.0: LPE via crafted file in C:\node_modules
CVE-2025-1756 7.8 - High - February 27, 2025

mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\node_modules\. This issue affects mongosh prior to 2.3.0

Untrusted Path

Rsync: Checksum Length Manipulation Enables Stack Data Leak
CVE-2024-12085 7.5 - High - January 14, 2025

A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.

Use of Uninitialized Resource

Path traversal in rsync via --inc-recursive option
CVE-2024-12087 6.5 - Medium - January 14, 2025

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

Directory traversal

Rsync --safe-links Path Traversal, Arbitrary File Write
CVE-2024-12088 6.5 - Medium - January 14, 2025

A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

Directory traversal

Symlink Traversal via containers/storage leads Podman/CRIO OOM CVE20249676
CVE-2024-9676 6.5 - Medium - October 15, 2024

A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.

Directory traversal

Buildah Cache Mount Path Traversal via RUN Instruction
CVE-2024-9675 7.8 - High - October 09, 2024

A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.

Directory traversal

OpenSSH Race Condition leading to RCE, known as regreSSHion
CVE-2024-6387 8.1 - High - July 01, 2024

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Signal Handler Race Condition

Booth Ticket Manager Allows Invalid HMAC Via Hash Injection
CVE-2024-3049 5.9 - Medium - June 06, 2024

A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcry_md_get_algo_dlen(), it may allow an invalid HMAC to be accepted by the Booth server.

Insufficient Verification of Data Authenticity

SSSD Race Condition Allows Improper User Authorization
CVE-2023-3758 7.1 - High - April 18, 2024

A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.

Race Condition

Index Buffer Overflow in NETSNMPVACMMIB (netsnmp <5.9.2)
CVE-2022-24805 8.8 - High - April 16, 2024

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a buffer overflow in the handling of the `INDEX` of `NET-SNMP-VACM-MIB` can cause an out-of-bounds memory access. A user with read-only credentials can exploit the issue. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.

Classic Buffer Overflow

net-snmp <5.9.2 Improper Input Validation via SET OID master+subagent
CVE-2022-24806 5.3 - Medium - April 16, 2024

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can exploit an Improper Input Validation vulnerability when SETing malformed OIDs in master agent and subagent simultaneously. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.

OOB via SNMP-VIEW-BASED-ACM-MIB OID in net-snmp <5.9.2
CVE-2022-24807 6.5 - Medium - April 16, 2024

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a malformed OID in a SET request to `SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable` can cause an out-of-bounds memory access. A user with read-write credentials can exploit the issue. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.

Classic Buffer Overflow

net-snmp NSLOGTable Null Pointer Deref via Malformed OID (v < 5.9.2)
CVE-2022-24808 6.5 - Medium - April 16, 2024

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a `SET` request to `NET-SNMP-AGENT-MIB::nsLogTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.

NULL Pointer Dereference

net-snmp 5.9.2 NULL pointer deref via OID in nsVacmAccessTable
CVE-2022-24809 6.5 - Medium - April 16, 2024

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-only credentials can use a malformed OID in a `GET-NEXT` to the `nsVacmAccessTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.

NULL Pointer Dereference

iperf DoS via Insufficient Data from Malicious Client (CVE-2023-7250)
CVE-2023-7250 5.3 - Medium - March 18, 2024

A flaw was found in iperf, a utility for testing network performance using TCP, UDP, and SCTP. A malicious or malfunctioning client can send less than the expected amount of data to the iperf server, which can cause the server to hang indefinitely waiting for the remainder or until the connection gets closed. This will prevent other connections to the server, leading to a denial of service.

Allowlist / Allow List

Unbound Unprivileged Process Alters Runtime Config via Default Permissions
CVE-2024-1488 8 - High - February 15, 2024

A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.

Incorrect Default Permissions

JWCrypto Library DoS via Computationally Intensive Brute-Force Capability
CVE-2023-6681 5.3 - Medium - February 12, 2024

A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.

Resource Exhaustion

389 Directory Server DOS via Heap Overflow in log_entry_attr
CVE-2024-1062 5.5 - Medium - February 12, 2024

A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.

Heap-based Buffer Overflow

Side-Channel Leak in OpenSC PKCS#1 Padding Removal
CVE-2023-5992 5.6 - Medium - January 31, 2024

A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant. This issue may result in the potential leak of private data.

Side Channel Attack

Linux Kernel netfilter nf_tables Use-After-Free CA PrivEsc via NF_DROP
CVE-2024-1086 7.8 - High - January 31, 2024

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

Dangling pointer

X.Org Server GLX PBuffer XACE Hook Missing Leading to SELinux Crash
CVE-2024-0408 5.5 - Medium - January 18, 2024

A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.

X.Org Server cursor flaw overwrites SELinux context
CVE-2024-0409 7.8 - High - January 18, 2024

A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.

Memory Corruption

CVE-2023-5455: CSRF in FreeIPA /ipa/session/login_password
CVE-2023-5455 6.5 - Medium - January 10, 2024

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

Session Riding

Shadow-Utils Password Reinput Buffer Leak
CVE-2023-4641 5.5 - Medium - December 27, 2023

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.

authentification

PostgreSQL pg_cancel_backend Exploit Allowing DoS on Background Worker
CVE-2023-5870 2.2 - Low - December 10, 2023

A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.

Resource Exhaustion

PostgreSQL Array Integer Overflow Allows Authenticated Code Exec
CVE-2023-5869 8.8 - High - December 10, 2023

A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.

Integer Overflow or Wraparound

PostgreSQL Mem Disclosure via Unknown-Type Aggregate Calls
CVE-2023-5868 4.3 - Medium - December 10, 2023

A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.

Function Call With Incorrect Argument Type

Samba rpcecho RPC DoS via dcesrv_echo_TestSleep()
CVE-2023-42669 6.5 - Medium - November 06, 2023

A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with only one worker in the main RPC task, allowing calls to the "rpcecho" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the "rpcecho" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs in the main RPC task.

SQUID HTTP Request Smuggling via Chunked Decoder Lenience
CVE-2023-46846 9.3 - Critical - November 03, 2023

SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.

HTTP Request Smuggling

Squid HTTP Digest Buffer Overflow DoS
CVE-2023-46847 8.6 - High - November 03, 2023

Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication.

Classic Buffer Overflow

Red Hat Insights Client LPE via Unsafe Temp Dir Handling
CVE-2023-3972 7.8 - High - November 01, 2023

A vulnerability was found in insights-client. This security issue occurs because of insecure file operations or unsafe handling of temporary files and directories that lead to local privilege escalation. Before the insights-client has been registered on the system by root, an unprivileged local user or attacker could create the /var/tmp/insights-client directory (owning the directory with read, write, and execute permissions) on the system. After the insights-client is registered by root, an attacker could then control the directory content that insights are using by putting malicious scripts into it and executing arbitrary code as root (trivially bypassing SELinux protections because insights processes are allowed to disable SELinux system-wide).

Creation of Temporary File in Directory with Insecure Permissions

CVE-2023-5367: OOB Write in Xorg X11 Server XIChangeDeviceProperty
CVE-2023-5367 7.8 - High - October 25, 2023

A out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.

Memory Corruption

VMware Workstation 3D Accel UAF: Priv Esc via Refcount Bug
CVE-2023-5633 7.8 - High - October 23, 2023

The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.

Dangling pointer

Buffer Overflow in glibc's ld.so via GLIBC_TUNABLES env var
CVE-2023-4911 7.8 - High - October 03, 2023

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Heap-based Buffer Overflow

Linux Kernel Local user DOS via pfn_swap_entry_to_page
CVE-2023-4732 4.7 - Medium - October 03, 2023

A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. In this flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement referencing pmd_t x.

Race Condition within a Thread

A vulnerability was found in MariaDB
CVE-2023-5157 7.5 - High - September 27, 2023

A vulnerability was found in MariaDB. An OpenVAS port scan on ports 3306 and 4567 allows a malicious remote client to cause a denial of service.

Resource Exhaustion

A flaw was found in glibc
CVE-2023-4527 6.5 - Medium - September 18, 2023

A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.

Out-of-bounds Read

A flaw has been identified in glibc
CVE-2023-4806 5.9 - Medium - September 18, 2023

A flaw has been identified in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

Dangling pointer

A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration
CVE-2023-38201 6.5 - Medium - August 25, 2023

A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database.

A flaw was found in ghostscript
CVE-2023-4042 5.5 - Medium - August 23, 2023

A flaw was found in ghostscript. The fix for CVE-2020-16305 in ghostscript was not included in RHSA-2021:1852-06 advisory as it was claimed to be. This issue only affects the ghostscript package as shipped with Red Hat Enterprise Linux 8.

Out-of-bounds Read

A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization
CVE-2023-3899 7.8 - High - August 23, 2023

A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By using the com.redhat.RHSM1.Config.SetAll() method, a low-privileged local user could tamper with the state of the registration, by unregistering the system or by changing the current entitlements. This flaw allows an attacker to set arbitrary configuration directives for /etc/rhsm/rhsm.conf, which can be abused to cause a local privilege escalation to an unconfined root.

AuthZ

A flaw was found in Keylime
CVE-2023-38200 7.5 - High - July 24, 2023

A flaw was found in Keylime. Due to their blocking nature, the Keylime registrar is subject to a remote denial of service against its SSL connections. This flaw allows an attacker to exhaust all available connections.

Excessive Iteration

A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel
CVE-2023-0179 7.8 - High - March 27, 2023

A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.

Integer Overflow or Wraparound

A vulnerability was found in X.Org
CVE-2023-0494 7.8 - High - March 27, 2023

A vulnerability was found in X.Org. This issue occurs due to a dangling pointer in DeepCopyPointerClasses that can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read and write into freed memory. This can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding sessions.

Dangling pointer

A vulnerability was found in WebKit
CVE-2019-8720 8.8 - High - March 06, 2023

A vulnerability was found in WebKit. The flaw is triggered when processing maliciously crafted web content that may lead to arbitrary code execution. Improved memory handling addresses the multiple memory corruption issues.

Buffer Overflow

sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters
CVE-2022-4254 8.8 - High - February 01, 2023

sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters

LDAP Injection

A flaw was found in the Linux kernel
CVE-2021-3669 - August 26, 2022

A flaw was found in the Linux kernel. Measuring usage of the shared memory does not scale with large shared memory segment counts which could lead to resource exhaustion and DoS.

Resource Exhaustion