CVE-2022-4254 – sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters
https://notcve.org/view.php?id=CVE-2022-4254
sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters A vulnerability was found in SSSD, in the libsss_certmap functionality. PKINIT enables a client to authenticate to the KDC using an X.509 certificate and the corresponding private key, rather than a passphrase or keytab. FreeIPA uses mapping rules to map a certificate presented during a PKINIT authentication request to the corresponding principal. The mapping filter is vulnerable to LDAP filter injection. The search result can be influenced by values in the certificate, which may be attacker controlled. • https://access.redhat.com/security/cve/CVE-2022-4254 https://bugzilla.redhat.com/show_bug.cgi?id=2149894 https://github.com/SSSD/sssd/commit/a2b9a84460429181f2a4fa7e2bb5ab49fd561274 https://github.com/SSSD/sssd/issues/5135 https://lists.debian.org/debian-lts-announce/2023/05/msg00028.html • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •
CVE-2022-0330 – kernel: possible privileges escalation due to missing TLB flush
https://notcve.org/view.php?id=CVE-2022-0330
A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system. Se ha encontrado un fallo de acceso aleatorio a la memoria en la funcionalidad del controlador del kernel de la GPU i915 de Linux en la forma en que un usuario puede ejecutar código malicioso en la GPU. Este fallo permite a un usuario local bloquear el sistema o escalar sus privilegios en el mismo A random memory access flaw was found in the Linux kernel’s GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system. • http://www.openwall.com/lists/oss-security/2022/11/30/1 https://bugzilla.redhat.com/show_bug.cgi?id=2042404 https://security.netapp.com/advisory/ntap-20220526-0001 https://www.openwall.com/lists/oss-security/2022/01/25/12 https://access.redhat.com/security/cve/CVE-2022-0330 • CWE-281: Improper Preservation of Permissions •
CVE-2021-4091 – 389-ds-base: double free of the virtual attribute context in persistent search
https://notcve.org/view.php?id=CVE-2021-4091
A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash. Se ha encontrado una vulnerabilidad de doble liberación en la forma en que 389-ds-base maneja el contexto de los atributos virtuales en las búsquedas persistentes. Un atacante podría enviar una serie de peticiones de búsqueda, forzando al servidor a comportarse de forma inesperada, y bloquearse A double free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash. • https://bugzilla.redhat.com/show_bug.cgi?id=2030307 https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html https://access.redhat.com/security/cve/CVE-2021-4091 • CWE-415: Double Free •
CVE-2021-44142 – Samba fruit_pwrite Heap-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-44142
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root. El módulo vfs_fruit de Samba usa atributos de archivo extendidos (EA, xattr) para proporcionar "...compatibilidad mejorada con los clientes SMB de Apple e interoperabilidad con un servidor de archivos AFP de Netatalk 3". Samba versiones anteriores a 4.13.17, 4.14.12 y 4.15.5 con vfs_fruit configurado permiten una lectura y escritura fuera de límites de la pila por medio de atributos de archivo extendidos especialmente diseñados. • https://github.com/horizon3ai/CVE-2021-44142 https://github.com/gudyrmik/CVE-2021-44142 https://github.com/hrsman/Samba-CVE-2021-44142 https://bugzilla.samba.org/show_bug.cgi?id=14914 https://kb.cert.org/vuls/id/119678 https://security.gentoo.org/glsa/202309-06 https://www.samba.org/samba/security/CVE-2021-44142.html https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin https://access.redhat • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVE-2021-4034 – Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
https://notcve.org/view.php?id=CVE-2021-4034
A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine. • https://github.com/dzonerzy/poc-cve-2021-4034 https://github.com/arthepsy/CVE-2021-4034 https://github.com/berdav/CVE-2021-4034 https://www.exploit-db.com/exploits/50689 https://github.com/PwnFunction/CVE-2021-4034 https://github.com/joeammond/CVE-2021-4034 https://github.com/nikaiw/CVE-2021-4034 https://github.com/ryaagard/CVE-2021-4034 https://github.com/Rvn0xsy/CVE-2021-4034 https://github.com/Ayrx/CVE-2021-4034 https://github.com/zhzyker/CVE-2021-4034& • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •