CVSS: 5.9EPSS: 96%CPEs: 79EXPL: 1CVE-2023-48795 – ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
https://notcve.org/view.php?id=CVE-2023-48795
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. • http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html http://seclists.org/fulldisclosure/2024/Mar/21 http://www.openwall.com/lists/oss-security/2023/12/18/3 http://www.openwall.com/lists/oss-security/2023/12/19/5 http://www.openwall.com/lists/oss-security/2023/12/20/3 http://www.openwall.com/lists/oss-security/2024/03/06/3 http://www.openwall.com/lists/oss-security/2024/04/17/8 https://access.redhat.com/security/cve/cve-2023-48 • CWE-222: Truncation of Security-relevant Information CWE-354: Improper Validation of Integrity Check Value •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-1712 – systemd: use-after-free when asynchronous polkit queries are performed
https://notcve.org/view.php?id=CVE-2020-1712
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages. Se detectó una vulnerabilidad uso de la memoria previamente liberada de la pila en systemd versiones anteriores a v245-rc1, donde se llevaron a cabo consultas de Polkit asincrónicas mientras se manejan mensajes dbus. Un atacante no privilegiado local puede abusar de este fallo para bloquear los servicios de systemd o potencialmente ejecutar código y elevar sus privilegios, mediante el envío de mensajes dbus especialmente diseñados. A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1712 https://github.com/systemd/systemd/commit/1068447e6954dc6ce52f099ed174c442cb89ed54 https://github.com/systemd/systemd/commit/637486261528e8aa3da9f26a4487dc254f4b7abb https://github.com/systemd/systemd/commit/bc130b6858327b382b07b3985cf48e2aa9016b2d https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2 https://lists.debian.org/debian-lts-announce/2022/06/msg00025.html https://www.openwall.com/lists/oss-security/2020/02/05/1 https://access.redhat.c • CWE-416: Use After Free •
CVSS: 6.1EPSS: 2%CPEs: 218EXPL: 4CVE-2019-11358 – jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
https://notcve.org/view.php?id=CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. jQuery, en versiones anteriores a 3.4.0, como es usado en Drupal, Backdrop CMS, y otros productos, maneja mal jQuery.extend(true, {}, ...) debido a la contaminación de Object.prototype. Si un objeto fuente no sanitizado contenía una propiedad enumerable __proto__, podría extender el Object.prototype nativo. A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. • https://github.com/isacaya/CVE-2019-11358 https://github.com/ossf-cve-benchmark/CVE-2019-11358 https://github.com/Snorlyd/https-nj.gov---CVE-2019-11358 http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html http://packetstormsecurity.c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 6.5EPSS: 0%CPEs: 71EXPL: 0CVE-2018-1257 – spring-framework: ReDoS Attack with spring-messaging
https://notcve.org/view.php?id=CVE-2018-1257
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. Spring Framework, en versiones 5.0.x anteriores a la 5.0.6, versiones 4.3.x anteriores a la 4.3.17 y versiones antiguas no soportadas, permite que las aplicaciones expongan STOMP sobre los endpoints WebSocket con un simple broker STOP dentro de la memoria a través del módulo spring-messaging. Un usuario (o atacante) malicioso puede crear un mensaje para el broker que puede conducir a un ataque de denegación de servicio (DoS) de expresión regular. • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/104260 https://access.redhat.com/errata/RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:3768 https://pivotal.io/security/cve-2018-1257 https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2021.html https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html ht • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 81EXPL: 0CVE-2018-1258 – spring-security-core: Unauthorized Access with Spring Security Method Security
https://notcve.org/view.php?id=CVE-2018-1258
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. La versión 5.0.5 de Spring Framework, cuando se utiliza en combinación con cualquier versión de Spring Security, contiene un omisión de autorización cuando se utiliza la seguridad del método. Un usuario malicioso no autorizado puede obtener acceso no autorizado a métodos que deben ser restringidos. • http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/104222 http://www.securitytracker.com/id/1041888 http://www.securitytracker.com/id/1041896 https://access.redhat.com/errata/RHSA-2019:2413 https://pivotal.io/security/cve-2018-1258 https://security.netapp.com/advisory/ntap-20181018-0002 https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle& • CWE-287: Improper Authentication CWE-863: Incorrect Authorization •