CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-45284 – Incorrect detection of reserved device names on Windows in path/filepath
https://notcve.org/view.php?id=CVE-2023-45284
On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local. En Windows, la función IsLocal no detecta correctamente los nombres de dispositivos reservados en algunos casos. Los nombres reservados seguidos de espacios, como "COM1", y los nombres reservados "COM" y "LPT" seguidos del superíndice 1, 2 o 3 se informan incorrectamente como locales. • https://go.dev/cl/540277 https://go.dev/issue/63713 https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY https://pkg.go.dev/vuln/GO-2023-2186 •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-45283 – Insecure parsing of Windows paths with a \??\ prefix in path/filepath
https://notcve.org/view.php?id=CVE-2023-45283
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. • http://www.openwall.com/lists/oss-security/2023/12/05/2 https://go.dev/cl/540277 https://go.dev/cl/541175 https://go.dev/issue/63713 https://go.dev/issue/64028 https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ https://pkg.go.dev/vuln/GO-2023-2185 https://security.netapp.com/advisory/ntap-20231214-0008 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-4891
https://notcve.org/view.php?id=CVE-2023-4891
A potential use-after-free vulnerability was reported in the Lenovo View driver that could result in denial of service. Se informó de una posible vulnerabilidad de use-after-free en el controlador Lenovo View que podría provocar una denegación de servicio. • https://support.lenovo.com/us/en/product_security/LEN-135344 • CWE-416: Use After Free •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-47113 – DLL Search Order Hijacking vulnerability in BleachBit for Windows
https://notcve.org/view.php?id=CVE-2023-47113
BleachBit cleans files to free disk space and to maintain privacy. BleachBit for Windows up to version 4.4.2 is vulnerable to a DLL Hijacking vulnerability. By placing a DLL in the Folder c:\DLLs, an attacker can run arbitrary code on every execution of BleachBit for Windows. This issue has been patched in version 4.5.0. BleachBit limpia archivos para liberar espacio en el disco y mantener la privacidad. • https://github.com/bleachbit/bleachbit/security/advisories/GHSA-j8jc-f6p7-55p8 • CWE-427: Uncontrolled Search Path Element •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-4996 – Local privilege escalation
https://notcve.org/view.php?id=CVE-2023-4996
Netskope was made aware of a security vulnerability in its NSClient product for version 100 & prior where a malicious non-admin user can disable the Netskope client by using a specially-crafted package. The root cause of the problem was a user control code when called by a Windows ServiceController did not validate the permissions associated with the user before executing the user control code. This user control code had permissions to terminate the NSClient service. Netskope fue informado de una vulnerabilidad de seguridad en su producto NSClient para la versión 100 y anteriores donde un usuario malintencionado que no sea administrador puede desactivar el cliente Netskope mediante el uso de un paquete especialmente manipulado. La causa principal del problema fue que un código de control de usuario cuando lo llamaba un ServiceController de Windows no validaba los permisos asociados con el usuario antes de ejecutar el código de control de usuario. • https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2023-003 • CWE-281: Improper Preservation of Permissions •