CVE-2024-20926 – OpenJDK: arbitrary Java code execution in Nashorn (8314284)
https://notcve.org/view.php?id=CVE-2024-20926
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. • https://lists.debian.org/debian-lts-announce/2024/01/msg00023.html https://security.netapp.com/advisory/ntap-20240201-0002 https://www.oracle.com/security-alerts/cpujan2024.html https://access.redhat.com/security/cve/CVE-2024-20926 https://bugzilla.redhat.com/show_bug.cgi?id=2257850 • CWE-20: Improper Input Validation •
CVE-2024-20918 – OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468)
https://notcve.org/view.php?id=CVE-2024-20918
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. • https://lists.debian.org/debian-lts-announce/2024/01/msg00023.html https://security.netapp.com/advisory/ntap-20240201-0002 https://www.oracle.com/security-alerts/cpujan2024.html https://access.redhat.com/security/cve/CVE-2024-20918 https://bugzilla.redhat.com/show_bug.cgi?id=2257728 • CWE-787: Out-of-bounds Write •
CVE-2024-0567 – Gnutls: rejects certificate chain with distributed trust
https://notcve.org/view.php?id=CVE-2024-0567
A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack. Se encontró una vulnerabilidad en GnuTLS, donde una cabina (que usa gnuTLS) rechaza una cadena de certificados con confianza distribuida. Este problema ocurre al validar una cadena de certificados con cockpit-certificate-ensure. • http://www.openwall.com/lists/oss-security/2024/01/19/3 https://access.redhat.com/errata/RHSA-2024:0533 https://access.redhat.com/errata/RHSA-2024:1082 https://access.redhat.com/errata/RHSA-2024:1383 https://access.redhat.com/errata/RHSA-2024:2094 https://access.redhat.com/security/cve/CVE-2024-0567 https://bugzilla.redhat.com/show_bug.cgi?id=2258544 https://gitlab.com/gnutls/gnutls/-/issues/1521 https://lists.fedoraproject.org/archives/list/package-announce@lists. • CWE-347: Improper Verification of Cryptographic Signature •
CVE-2023-51781
https://notcve.org/view.php?id=CVE-2023-51781
An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition. Se descubrió un problema en el kernel de Linux anterior a 6.6.8. atalk_ioctl en net/appletalk/ddp.c tiene un use after free debido a una condición de ejecución atalk_recvmsg. • https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.8 https://github.com/torvalds/linux/commit/189ff16722ee36ced4d2a2469d4ab65a8fee4198 https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html • CWE-416: Use After Free •
CVE-2023-51782
https://notcve.org/view.php?id=CVE-2023-51782
An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition. Se descubrió un problema en el kernel de Linux anterior a 6.6.8. rose_ioctl en net/rose/af_rose.c tiene un use after free debido a una condición de ejecución rose_accept. • https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.8 https://github.com/torvalds/linux/commit/810c38a369a0a0ce625b5c12169abce1dd9ccd53 https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html • CWE-416: Use After Free •