CVSS: 6.8EPSS: 0%CPEs: 12EXPL: 0CVE-2023-5368 – msdosfs data disclosure
https://notcve.org/view.php?id=CVE-2023-5368
03 Oct 2023 — On an msdosfs filesystem, the 'truncate' or 'ftruncate' system calls under certain circumstances populate the additional space in the file with unallocated data from the underlying disk device, rather than zero bytes. This may permit a user with write access to files on a msdosfs filesystem to read unintended data (e.g. from a previously deleted file). En un sistema de archivos msdosfs, las llamadas al sistema 'truncate' o 'ftruncate' bajo ciertas circunstancias llenan el espacio adicional en el archivo con... • https://dfir.ru/2023/11/01/bringing-unallocated-data-back-the-fat12-16-32-case • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5369 – copy_file_range insufficient capability rights check
https://notcve.org/view.php?id=CVE-2023-5369
03 Oct 2023 — Before correction, the copy_file_range system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the system call must additionally require the CAP_SEEK capability. This incorrect privilege check enabled sandboxed processes with only read or write but no seek capability on a file descriptor to read data from or write data to an arbitrary location within the file corresponding to that fil... • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:13.capsicum.asc • CWE-273: Improper Check for Dropped Privileges •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5370 – arm64 boot CPUs may lack speculative execution protections
https://notcve.org/view.php?id=CVE-2023-5370
03 Oct 2023 — On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. This resulted in no speculative execution workarounds being installed on CPU 0. En la CPU 0, se llama a la verificación del workaround de SMCCC antes de que se haya inicializado el soporte de SMCCC. Esto resultó en que no se instalaran workarounds de ejecución especulativa en la CPU 0. On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:14.smccc.asc • CWE-665: Improper Initialization •
CVSS: 7.5EPSS: 2%CPEs: 3EXPL: 0CVE-2023-42118 – Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-42118
27 Sep 2023 — Exim libspf2 Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Exim libspf2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory. • https://www.zerodayinitiative.com/advisories/ZDI-23-1472 • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 0CVE-2023-4809 – pf incorrectly handles multiple IPv6 fragment headers
https://notcve.org/view.php?id=CVE-2023-4809
06 Sep 2023 — In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is. As a result, IPv6 fragments may bypass pf firewall rules written on th... • http://www.openwall.com/lists/oss-security/2023/09/08/5 • CWE-167: Improper Handling of Additional Special Element •
CVSS: 7.8EPSS: 0%CPEs: 21EXPL: 0CVE-2023-3107 – Remote denial of service in IPv6 fragment reassembly
https://notcve.org/view.php?id=CVE-2023-3107
01 Aug 2023 — A set of carefully crafted ipv6 packets can trigger an integer overflow in the calculation of a fragment reassembled packet's payload length field. This allows an attacker to trigger a kernel panic, resulting in a denial of service. Un conjunto de paquetes ipv6 cuidadosamente diseñados puede desencadenar un desbordamiento de enteros en el cálculo del campo de longitud de la carga útil de un paquete reensamblado por fragmentos. Esto permite a un atacante desencadenar un kernel panic, resultando en una denega... • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:06.ipv6.asc • CWE-190: Integer Overflow or Wraparound •
CVSS: 8.8EPSS: 0%CPEs: 14EXPL: 0CVE-2023-3494 – bhyve privileged guest escape via fwctl
https://notcve.org/view.php?id=CVE-2023-3494
01 Aug 2023 — The fwctl driver implements a state machine which is executed when a bhyve guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer overflowing when copying this string. Malicious, privileged software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root, mitigated by th... • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:07.bhyve.asc • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 10.0EPSS: 0%CPEs: 19EXPL: 0CVE-2023-3326 – Network authentication attack via pam_krb5
https://notcve.org/view.php?id=CVE-2023-3326
21 Jun 2023 — pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password. However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid. In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab p... • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:04.pam_krb5.asc • CWE-287: Improper Authentication CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 6.8EPSS: 0%CPEs: 18EXPL: 0CVE-2023-0751 – GELI silently omits the keyfile if read from stdin
https://notcve.org/view.php?id=CVE-2023-0751
08 Feb 2023 — When GELI reads a key file from standard input, it does not reuse the key file to initialize multiple providers at once resulting in the second and subsequent devices silently using a NULL key as the user key file. If a user only uses a key file without a user passphrase, the master key is encrypted with an empty key file allowing trivial recovery of the master key. When GELI reads a key file from a standard input, it doesn't store it anywhere. If the user tries to initialize multiple providers at once, for... • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:01.geli.asc • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 2%CPEs: 2EXPL: 3CVE-2022-23093 – Stack overflow in ping(8)
https://notcve.org/view.php?id=CVE-2022-23093
29 Nov 2022 — ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a "quoted packet," which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header. The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers f... • https://github.com/Inplex-sys/CVE-2022-23093 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •