CVE-2021-37136 – netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
https://notcve.org/view.php?id=CVE-2021-37136
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OutOfMemoryError (OOME) and so a DoS attack. A flaw was found in Netty's netty-codec due to the lack of size restrictions for decompressed data in the Bzip2Decoder.
• https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
  https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E
  https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E
  https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E
  https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E
  ht
• CWE-400: Uncontrolled Resource Consumption
CVE-2021-38153 – Timing Attack Vulnerability for Apache Kafka Connect and Clients
https://notcve.org/view.php?id=CVE-2021-38153
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
• https://kafka.apache.org/cve-list
  https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E
  https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E
  https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E
  https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E
  https://lists.apache.org/thread.html/r45c
• CWE-203: Observable Discrepancy
• CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CVE-2021-3807 – Inefficient Regular Expression Complexity in chalk/ansi-regex
https://notcve.org/view.php?id=CVE-2021-3807
ansi-regex is vulnerable to Inefficient Regular Expression Complexity. A regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes.
• https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
  https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
  https://security.netapp.com/advisory/ntap-20221014-0002
  https://www.oracle.com/security-alerts/cpuapr2022.html
  https://access.redhat.com/security/cve/CVE-2021-3807
  https://bugzilla.redhat.com/show_bug.cgi?id=2007557
• CWE-400: Uncontrolled Resource Consumption
• CWE-1333: Inefficient Regular Expression Complexity
CVE-2021-3572 – python-pip: Incorrect handling of unicode separators in git references
https://notcve.org/view.php?id=CVE-2021-3572
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
• https://github.com/frenzymadness/CVE-2021-3572
  https://bugzilla.redhat.com/show_bug.cgi?id=1962856
  https://security.netapp.com/advisory/ntap-20240621-0006
  https://www.oracle.com/security-alerts/cpuapr2022.html
  https://www.oracle.com/security-alerts/cpujul2022.html
  https://access.redhat.com/security/cve/CVE-2021-3572
• CWE-20: Improper Input Validation
CVE-2021-3200 – libsolv: heap-based buffer overflow in testcase_read() in src/testcase.c
https://notcve.org/view.php?id=CVE-2021-3200
Buffer overflow vulnerability in libsolv 2020-12-13 via the `Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp)` function at src/testcase.c: line 2334, which could cause a denial of service. A flaw was found in libsolv. A buffer overflow vulnerability could cause a denial of service. The highest threat from this vulnerability is to system availability.
• https://github.com/openSUSE/libsolv/issues/416
  https://github.com/yangjiageng/PoC/blob/master/libsolv-PoCs/PoC-testcase_read-2334
  https://www.oracle.com/security-alerts/cpuapr2022.html
  https://access.redhat.com/security/cve/CVE-2021-3200
  https://bugzilla.redhat.com/show_bug.cgi?id=1962307
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
• CWE-125: Out-of-bounds Read