CVSS: 3.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-1048 – Grub2: grub2-set-bootflag can be abused by local (pseudo-)users
https://notcve.org/view.php?id=CVE-2024-1048
06 Feb 2024 — A flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, grub2-set-bootflag will create a temporary file with the new grubenv content and rename it to the original grubenv file. If the program is killed before the rename operation, the temporary file will not be removed and may fill the filesystem when invoked multiple times, resulting in a filesystem out of free inodes or blocks. Se encontró una falla en la utilidad grub2-set-bootflag de grub2. Después de la corrección ... • http://www.openwall.com/lists/oss-security/2024/02/06/3 • CWE-459: Incomplete Cleanup •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2024-0690 – Ansible-core: possible information leak in tasks that ignore ansible_no_log configuration
https://notcve.org/view.php?id=CVE-2024-0690
06 Feb 2024 — An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values. Se encontró una falla de divulgación de información en ansible-core debido a que no se respetó la configuración de ANSIBLE_NO_LOG en algunos escenarios. Se descubrió que la información todaví... • https://access.redhat.com/errata/RHSA-2024:0733 • CWE-116: Improper Encoding or Escaping of Output CWE-117: Improper Output Neutralization for Logs •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-4503 – Eap-galleon: custom provisioning creates unsecured http-invoker
https://notcve.org/view.php?id=CVE-2023-4503
06 Feb 2024 — An improper initialization vulnerability was found in Galleon. When using Galleon to provision custom EAP or EAP-XP servers, the servers are created unsecured. This issue could allow an attacker to access remote HTTP services available from the server. Se encontró una vulnerabilidad de inicialización incorrecta en Galleon. Cuando se utiliza Galleon para aprovisionar servidores EAP o EAP-XP personalizados, los servidores se crean sin seguridad. • https://access.redhat.com/errata/RHSA-2023:7637 • CWE-665: Improper Initialization •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-50782 – Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-25659
https://notcve.org/view.php?id=CVE-2023-50782
05 Feb 2024 — A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. Se encontró una falla en el paquete python-cryptography. Este problema puede permitir que un atacante remoto descifre mensajes capturados en servidores TLS que utilizan intercambios de claves RSA, lo que puede provocar la exposición de datos confidenciales o sensibles. Hubert Kario dis... • https://access.redhat.com/security/cve/CVE-2023-50782 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-50781 – M2crypto: bleichenbacher timing attacks in the rsa decryption api - incomplete fix for cve-2020-25657
https://notcve.org/view.php?id=CVE-2023-50781
05 Feb 2024 — A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. Se encontró una falla en m2crypto. Este problema puede permitir que un atacante remoto descifre mensajes capturados en servidores TLS que utilizan intercambios de claves RSA, lo que puede provocar la exposición de datos confidenciales o sensibles. • https://access.redhat.com/security/cve/CVE-2023-50781 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1CVE-2023-7216 – Cpio: extraction allows symlinks which enables remote command execution
https://notcve.org/view.php?id=CVE-2023-7216
05 Feb 2024 — A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks. Se encontró una vulnerabilidad de path traversal en la utilidad CPIO. Este problema podría permitir que un atacante remoto no autenticado engañe a un usuario ... • https://access.redhat.com/security/cve/CVE-2023-7216 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6240 – Kernel: marvin vulnerability side-channel leakage in the rsa decryption operation
https://notcve.org/view.php?id=CVE-2023-6240
04 Feb 2024 — A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key. Se encontró una fuga de canal lateral de vulnerabilidad de Marvin en la operación de descifrado RSA en el kernel de Linux. Este problema puede permitir que un atacante de red descifre textos cifrados o falsifique firmas, limitando los servicios que utilizan esa clave priv... • https://access.redhat.com/errata/RHSA-2024:1881 • CWE-203: Observable Discrepancy •
CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0CVE-2023-5992 – Opensc: side-channel leaks while stripping encryption pkcs#1 padding
https://notcve.org/view.php?id=CVE-2023-5992
31 Jan 2024 — A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant. This issue may result in the potential leak of private data. Se encontró una vulnerabilidad en OpenSC donde la eliminación del relleno de cifrado PKCS#1 no se implementa como resistente al canal lateral. Este problema puede resultar en una posible filtración de datos privados. It was discovered that OpenSC did not correctly handle certain memory operations, which could lead to a use-afte... • https://access.redhat.com/errata/RHSA-2024:0966 • CWE-203: Observable Discrepancy •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2024-0914 – Opencryptoki: timing side-channel in handling of rsa pkcs#1 v1.5 padded ciphertexts (marvin)
https://notcve.org/view.php?id=CVE-2024-0914
31 Jan 2024 — A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key. Se descubrió una vulnerabilidad de canal lateral de temporización en el paquete opencryptoki mientras se procesan textos cifrados acolchados RSA PKCS#1 v1.5. Este fallo podría potencialmente permitir el descifrado o la firma de texto c... • https://access.redhat.com/errata/RHSA-2024:1239 • CWE-203: Observable Discrepancy •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2024-0564 – Kernel: max page sharing of kernel samepage merging (ksm) may cause memory deduplication
https://notcve.org/view.php?id=CVE-2024-0564
30 Jan 2024 — A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is "max page sharing=256", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond t... • https://access.redhat.com/security/cve/CVE-2024-0564 • CWE-203: Observable Discrepancy •