CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2024-41128 – Action Dispatch has possible ReDoS vulnerability in query parameter filtering
https://notcve.org/view.php?id=CVE-2024-41128
Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. ... Los parámetros de consulta cuidadosamente manipulados pueden hacer que el filtrado de parámetros de consulta tarde una cantidad inesperada de tiempo, lo que puede dar como resultado una vulnerabilidad de DoS. Todos los usuarios que ejecuten una versión afectada deben actualizar a la versión 6.1.7.9, 7.0.8.5, 7.1.4.1 o 7.2.1.1 o aplicar el parche correspondiente de inmediato. • https://access.redhat.com/security/cve/cve-2024-41128 https://bugzilla.redhat.com/show_bug.cgi?id=2319036 https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075 https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891 https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2024-20463 – Cisco ATA 190 Series Analog Telephone Adapter Firmware Command Injection and Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2024-20463
A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to modify the configuration or reboot an affected device. This vulnerability is due to the HTTP server allowing state changes in GET requests. ... A successful exploit could allow the attacker to make limited modifications to the configuration or reboot the device, resulting in a denial of service (DoS) condition. Una vulnerabilidad en la interfaz de administración basada en web del firmware del adaptador telefónico analógico Cisco ATA 190 Series podría permitir que un atacante remoto no autenticado modifique la configuración o reinicie un dispositivo afectado. ... Una explotación exitosa podría permitir al atacante realizar modificaciones limitadas a la configuración o reiniciar el dispositivo, lo que resultaría en una condición de denegación de servicio (DoS). • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy • CWE-305: Authentication Bypass by Primary Weakness CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29155 – Denial of service on Microchip RN4870 devices
https://notcve.org/view.php?id=CVE-2024-29155
On Microchip RN4870 devices, when more than one consecutive PairReqNoInputNoOutput request is received, the device becomes incapable of completing the pairing process. • https://ww1.microchip.com/downloads/aemDocuments/documents/WSG/ProductDocuments/SoftwareLibraries/Firmware/RN4870-71-Firmware-1.44.zip https://www.microchip.com/en-us/product/rn4870 • CWE-20: Improper Input Validation •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45219 – Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure
https://notcve.org/view.php?id=CVE-2024-45219
Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Additionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. ... Therefore, the command execution for the primary storages can show both false positives and false negatives. For checking the whole template/volume features of each disk, operators can run the following command: for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info • https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2 https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2 • CWE-20: Improper Input Validation CWE-116: Improper Encoding or Escaping of Output •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45085 – IBM WebSphere Application Server denial of service
https://notcve.org/view.php?id=CVE-2024-45085
IBM WebSphere Application Server 8.5 is vulnerable to a denial of service, under certain configurations, caused by an unexpected specially crafted request. A remote attacker could exploit this vulnerability to cause an error resulting in a denial of service. • https://www.ibm.com/support/pages/node/7173128 • CWE-754: Improper Check for Unusual or Exceptional Conditions •