CVE-2018-16864 – systemd: stack overflow when calling syslog from a command with long cmdline
https://notcve.org/view.php?id=CVE-2018-16864
An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable. Se ha descubierto una asignación de memoria sin límites, que podría resultar en que la pila choque con otra región de memoria, en systemd-journald, cuando un programa con argumentos largos de la línea de comandos llama a syslog. Un atacante local podría emplear este error para provocar el cierre inesperado de systemd-journald o escalar sus privilegios. • http://www.openwall.com/lists/oss-security/2021/07/20/2 http://www.securityfocus.com/bid/106523 https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2019:0049 https://access.redhat.com/errata/RHSA-2019:0204 https://access.redhat.com/errata/RHSA-2019:0271 https://access.redhat.com/errata/RHSA-2019:0342 https://access.redhat.com/errata/RHSA-2019:0361 https://access.redhat.com/errata/RHSA-2019:2402 https://bugzilla.redhat.com/show_ • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2018-16865 – systemd: stack overflow when receiving many journald entries
https://notcve.org/view.php?id=CVE-2018-16865
An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable. Se ha descubierto una asignación de memoria sin límites que podría resultar en que la pila choque con otra región de memoria, en systemd-journald, cuando se envían muchas entradas al socket de journal. Un atacante local, o uno remoto si se emplea systemd-journal-remote, podría emplear este error para provocar el cierre inesperado de systemd-journald o ejecutar código con privilegios de journald. • http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html http://seclists.org/fulldisclosure/2019/May/21 http://www.openwall.com/lists/oss-security/2019/05/10/4 http://www.openwall.com/lists/oss-security/2021/07/20/2 http://www.securityfocus.com/bid/106525 https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2019:0049 https://access.redhat.com/errata/RHSA-2019:0204 https://access.redhat.com/errata/RHSA-2019 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2018-11237 – glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper
https://notcve.org/view.php?id=CVE-2018-11237
An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper. Una implementación optimizada para AVX-512 de la función mempcpy en GNU C Library (también conocido como glibc o libc6), en versiones 2.27 y anteriores, podría escribir datos más allá del búfer objetivo, lo que desemboca en un desbordamiento de búfer en __mempcpy_avx512_no_vzeroupper. A buffer overflow has been discovered in the GNU C Library (aka glibc or libc6) in the __mempcpy_avx512_no_vzeroupper function when particular conditions are met. An attacker could use this vulnerability to cause a denial of service or potentially execute code. GNU glibc versions prior to 2.27 suffer from a buffer overflow vulnerability. • http://www.securityfocus.com/bid/104256 https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2018:3092 https://security.netapp.com/advisory/ntap-20190329-0001 https://security.netapp.com/advisory/ntap-20190401-0001 https://sourceware.org/bugzilla/show_bug.cgi?id=23196 https://usn.ubuntu.com/4416-1 https://www.exploit-db.com/exploits/44750 https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html https://access.redhat.com/security • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2018-11236 – glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow
https://notcve.org/view.php?id=CVE-2018-11236
stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. stdlib/canonicalize.c en GNU C Library (también conocida como glibc o libc6), en versiones 2.27 y anteriores, al procesar argumentos con un nombre de ruta muy largo en la función realpath, podría encontrarse con un desbordamiento de enteros en arquitecturas de 32 bits. Esto podría desembocar en un desbordamiento de búfer basado en pila y en una potencial ejecución de código arbitrario. • http://www.securityfocus.com/bid/104255 https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2018:3092 https://security.netapp.com/advisory/ntap-20190329-0001 https://security.netapp.com/advisory/ntap-20190401-0001 https://sourceware.org/bugzilla/show_bug.cgi?id=22786 https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=5460617d1567657621107d895ee2dd83bc1f88f2 https://usn.ubuntu.com/4416-1 https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.h • CWE-121: Stack-based Buffer Overflow CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVE-2018-1257 – spring-framework: ReDoS Attack with spring-messaging
https://notcve.org/view.php?id=CVE-2018-1257
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. Spring Framework, en versiones 5.0.x anteriores a la 5.0.6, versiones 4.3.x anteriores a la 4.3.17 y versiones antiguas no soportadas, permite que las aplicaciones expongan STOMP sobre los endpoints WebSocket con un simple broker STOP dentro de la memoria a través del módulo spring-messaging. Un usuario (o atacante) malicioso puede crear un mensaje para el broker que puede conducir a un ataque de denegación de servicio (DoS) de expresión regular. • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/104260 https://access.redhat.com/errata/RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:3768 https://pivotal.io/security/cve-2018-1257 https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2021.html https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html ht • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •