CVE-2020-11100 – haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes
https://notcve.org/view.php?id=CVE-2020-11100
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution. En la función hpack_dht_insert en el archivo hpack-tbl.c en el decodificador HPACK en HAProxy versiones 1.8 hasta 2.x anteriores a 2.1.4, un atacante remoto puede escribir bytes arbitrarios alrededor de una determinada ubicación en la pila (heap) por medio de una petición HTTP/2 diseñada, causando posiblemente una ejecución de código remoto. A flaw was found in the way HAProxy processed certain HTTP/2 request packets. This flaw allows an attacker to send crafted HTTP/2 request packets, which cause memory corruption, leading to a crash or potential remote arbitrary code execution with the permissions of the user running HAProxy. The haproxy hpack implementation in hpack-tbl.c handles 0-length HTTP headers incorrectly. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00002.html http://packetstormsecurity.com/files/157323/haproxy-hpack-tbl.c-Out-Of-Bounds-Write.html http://www.haproxy.org https://bugzilla.redhat.com/show_bug.cgi?id=1819111 https://bugzilla.suse.com/show_bug.cgi?id=1168023 https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88 https://lists.debian.org/debian-security-announce/2020/msg00052.html https://lists.fedoraproject.org/archives/list/packag • CWE-787: Out-of-bounds Write •
CVE-2020-1706 – openshift/apb-tools: /etc/passwd is given incorrect privileges
https://notcve.org/view.php?id=CVE-2020-1706
It has been found that in openshift-enterprise version 3.11 and openshift-enterprise versions 4.1 up to, including 4.3, multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/apb-tools-container. Se ha encontrado que en openshift-enterprise versión 3.11 y openshift-enterprise versiones 4.1 hasta 4.3 incluyéndola, múltiples contenedores modifican los permisos de /etc/passwd para que sean entonces modificables por otros usuarios diferentes de root. Un atacante con acceso al contenedor en ejecución puede explotar esto para modificar /etc/passwd para agregar un usuario y escalar sus privilegios. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1706 https://access.redhat.com/security/cve/CVE-2020-1706 https://bugzilla.redhat.com/show_bug.cgi?id=1793302 https://access.redhat.com/articles/4859371 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2020-8945 – proglottis/gpgme: Use-after-free in GPGME bindings during container image pull
https://notcve.org/view.php?id=CVE-2020-8945
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification. El contenedor Proglottis Go versiones anteriores a 0.1.1 para la biblioteca GPGME, presenta un uso de la memoria previamente liberada, como es demostrado por el uso para las extracciones de imágenes de contenedores para Docker o CRI-O. Esto conlleva a un bloqueo o posible ejecución de código durante una comprobación de la firma GPG. A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. • https://access.redhat.com/errata/RHSA-2020:0679 https://access.redhat.com/errata/RHSA-2020:0689 https://access.redhat.com/errata/RHSA-2020:0697 https://bugzilla.redhat.com/show_bug.cgi?id=1795838 https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1 https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1 https://github.com/proglottis/gpgme/pull/23 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIF • CWE-416: Use After Free •
CVE-2020-1708 – openshift/mysql-apb: /etc/passwd is given incorrect privileges
https://notcve.org/view.php?id=CVE-2020-1708
It has been found in openshift-enterprise version 3.11 and all openshift-enterprise versions from 4.1 to, including 4.3, that multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/mysql-apb. Se ha encontrado en openshift-enterprise versión 3.11 y en todas las versiones de openshift-enterprise desde 4.1 hasta, 4.3 incluyéndola, que varios contenedores modifican los permisos de /etc/passwd para que otros usuarios diferentes de root puedan modificarlos. Un atacante con acceso al contenedor en ejecución puede explotar esto para modificar /etc/passwd para agregar un usuario y escalar sus privilegios. • https://access.redhat.com/errata/RHSA-2020:0617 https://access.redhat.com/errata/RHSA-2020:0681 https://access.redhat.com/errata/RHSA-2020:0694 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1708 https://access.redhat.com/security/cve/CVE-2020-1708 https://bugzilla.redhat.com/show_bug.cgi?id=1793299 https://access.redhat.com/articles/4859371 • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVE-2020-1712 – systemd: use-after-free when asynchronous polkit queries are performed
https://notcve.org/view.php?id=CVE-2020-1712
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages. Se detectó una vulnerabilidad uso de la memoria previamente liberada de la pila en systemd versiones anteriores a v245-rc1, donde se llevaron a cabo consultas de Polkit asincrónicas mientras se manejan mensajes dbus. Un atacante no privilegiado local puede abusar de este fallo para bloquear los servicios de systemd o potencialmente ejecutar código y elevar sus privilegios, mediante el envío de mensajes dbus especialmente diseñados. A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1712 https://github.com/systemd/systemd/commit/1068447e6954dc6ce52f099ed174c442cb89ed54 https://github.com/systemd/systemd/commit/637486261528e8aa3da9f26a4487dc254f4b7abb https://github.com/systemd/systemd/commit/bc130b6858327b382b07b3985cf48e2aa9016b2d https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2 https://lists.debian.org/debian-lts-announce/2022/06/msg00025.html https://www.openwall.com/lists/oss-security/2020/02/05/1 https://access.redhat.c • CWE-416: Use After Free •