CVSS: 3.7EPSS: 0%CPEs: 21EXPL: 0CVE-2024-21208 – JDK: HTTP client improper handling of maxHeaderSize (8328286)
https://notcve.org/view.php?id=CVE-2024-21208
15 Oct 2024 — Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for ... • https://www.oracle.com/security-alerts/cpuoct2024.html • CWE-130: Improper Handling of Length Parameter Inconsistency CWE-203: Observable Discrepancy •
CVSS: 6.8EPSS: 0%CPEs: 37EXPL: 0CVE-2024-9676 – Podman: buildah: cri-o: symlink traversal vulnerability in the containers/storage library can cause denial of service (dos)
https://notcve.org/view.php?id=CVE-2024-9676
15 Oct 2024 — A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to r... • https://access.redhat.com/errata/RHSA-2024:10289 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.4EPSS: 0%CPEs: 11EXPL: 0CVE-2024-48949 – elliptic: Missing Validation in Elliptic's EDDSA Signature Verification
https://notcve.org/view.php?id=CVE-2024-48949
10 Oct 2024 — The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation. A flaw was found in the Elliptic package. This vulnerability allows attackers to bypass EDDSA signature validation via improper handling of signature values where the S() component of the signature is not properly checked for being non-negative or smaller than the curve order. • https://github.com/indutny/elliptic/commit/7ac5360118f74eb02da73bdf9f24fd0c72ff5281 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.8EPSS: 0%CPEs: 42EXPL: 0CVE-2024-9675 – Buildah: buildah allows arbitrary directory mount
https://notcve.org/view.php?id=CVE-2024-9675
09 Oct 2024 — A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah. • https://access.redhat.com/security/cve/CVE-2024-9675 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 36EXPL: 2CVE-2024-9680 – Mozilla Firefox Use-After-Free Vulnerability
https://notcve.org/view.php?id=CVE-2024-9680
09 Oct 2024 — An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, and Firefox ESR < 115.16.1. An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. • https://github.com/tdonaworth/Firefox-CVE-2024-9680 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 15EXPL: 0CVE-2024-47850 – cups-browsed: cups-filters: cups-browsed vulnerable to DDoS amplification attack
https://notcve.org/view.php?id=CVE-2024-47850
04 Oct 2024 — CUPS cups-browsed before 2.5b1 will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added, a different vulnerability than CVE-2024-47176. (The request is meant to probe the new printer but can be used to create DDoS amplification attacks.) A flaw was found in cups-browsed. This vulnerability allows an attacker to launch DDoS amplification attacks via an HTTP POST request to an arbitrary destination and port in response to a sin... • https://github.com/OpenPrinting/cups • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.6EPSS: 0%CPEs: 19EXPL: 0CVE-2024-9403 – firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
https://notcve.org/view.php?id=CVE-2024-9403
01 Oct 2024 — Memory safety bugs present in Firefox 130. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131 and Thunderbird < 131. The Mozilla Foundation's Security Advisory: Memory safety bugs present in Firefox 130. Some of these bugs show evidence of memory corruption and we presume that with enough effort, some of these could be exploited to run arbitrary code. • https://bugzilla.mozilla.org/show_bug.cgi?id=1917807 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 10.0EPSS: 0%CPEs: 32EXPL: 0CVE-2024-9402 – firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
https://notcve.org/view.php?id=CVE-2024-9402
01 Oct 2024 — Memory safety bugs present in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131. A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the issue as follows: Memory safety bugs are present in Firefox 130, Firefox ESR... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1872744%2C1897792%2C1911317%2C1913445%2C1914106%2C1914475%2C1914963%2C1915008%2C1916476 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 10.0EPSS: 0%CPEs: 34EXPL: 0CVE-2024-9401 – firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
https://notcve.org/view.php?id=CVE-2024-9401
01 Oct 2024 — Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. The Mozilla Foundation's Security Advisory: Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 1... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1872744%2C1897792%2C1911317%2C1916476 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.8EPSS: 0%CPEs: 32EXPL: 0CVE-2024-9400 – firefox: thunderbird: Potential memory corruption during JIT compilation
https://notcve.org/view.php?id=CVE-2024-9400
01 Oct 2024 — A potential memory corruption vulnerability could be triggered if an attacker had the ability to trigger an OOM at a specific moment during JIT compilation. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131. The Mozilla Foundation's Security Advisory: A potential memory corruption vulnerability could be triggered if an attacker has the ability to trigger an OOM at a specific moment during JIT compilation. Gentoo Linux Security Advisory 202412-6 - Multi... • https://bugzilla.mozilla.org/show_bug.cgi?id=1915249 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-789: Memory Allocation with Excessive Size Value •