CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2512 – Buffer under-read in workerd
https://notcve.org/view.php?id=CVE-2023-2512
Prior to version v1.20230419.0, the FormData API implementation was subject to an integer overflow. If a FormData instance contained more than 2^31 elements, the forEach() method could end up reading from the wrong location in memory while iterating over elements. This would most likely lead to a segmentation fault, but could theoretically allow arbitrary undefined behavior. In order for the bug to be exploitable, the process would need to be able to allocate 160GB of RAM. Due to this, the bug was never exploitable on the Cloudflare Workers platform, but could theoretically be exploitable on deployments of workerd running on machines with a huge amount of memory. Moreover, in order to be remotely exploited, an attacker would have to upload a single form-encoded HTTP request of at least tens of gigabytes in size. • https://github.com/cloudflare/workerd/releases/tag/v1.20230419.0 https://github.com/cloudflare/workerd/security/advisories/GHSA-8vx6-69vg-c46f • CWE-125: Out-of-bounds Read CWE-190: Integer Overflow or Wraparound •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1732 – Improper random reading in CIRCL
https://notcve.org/view.php?id=CVE-2023-1732
When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare deployment cases (error thrown by the Read() function), this could lead to a predictable shared secret. The tkn20 and blindrsa components did not check whether enough randomness was returned from the user provided randomness source. Typically the user provides crypto/rand.Reader, which in the vast majority of cases will always return the right number random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20. • https://github.com/cloudflare/circl/security/advisories/GHSA-2q89-485c-9j2x • CWE-20: Improper Input Validation CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0652 – Local Privilege Escalation in Cloudflare WARP Installer (Windows)
https://notcve.org/view.php?id=CVE-2023-0652
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files. As Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files. • https://developers.cloudflare.com/warp-client/get-started/windows https://github.com/cloudflare/advisories/security/advisories/GHSA-xmhj-9p83-xvw9 https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1412 – Local Privilege Escalation Vulnerability in WARP's MSI Installer
https://notcve.org/view.php?id=CVE-2023-1412
An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for Windows (<= 2022.12.582.0) to perform privileged operations with SYSTEM context by working with a combination of opportunistic locks (oplock) and symbolic links (which can both be created by an unprivileged user). After installing the Cloudflare WARP Client (admin privileges required), an MSI-Installer is placed under C:\Windows\Installer. The vulnerability lies in the repair function of this MSI. ImpactAn unprivileged (non-admin) user can exploit this vulnerability to perform privileged operations with SYSTEM context, including deleting arbitrary files and reading arbitrary file content. This can lead to a variety of attacks, including the manipulation of system files and privilege escalation. PatchesA new installer with a fix that addresses this vulnerability was released in version 2023.3.381.0. While the WARP Client itself is not vulnerable (only the installer), users are encouraged to upgrade to the latest version and delete any older installers present in their systems. • https://developers.cloudflare.com/warp-client/get-started/windows https://github.com/cloudflare/advisories/security/advisories/GHSA-hgxh-48m3-3gq7 https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1314 – Local Privilege Escalation Vulnerability in cloudflared's Installer
https://notcve.org/view.php?id=CVE-2023-1314
A vulnerability has been discovered in cloudflared's installer (<= 2023.3.0) for Windows 32-bits devices that allows a local attacker with no administrative permissions to escalate their privileges on the affected device. This vulnerability exists because the MSI installer used by cloudflared relied on a world-writable directory. An attacker with local access to the device (without Administrator rights) can use symbolic links to trick the MSI installer into deleting files in locations that the attacker would otherwise have no access to. By creating a symlink from the world-writable directory to the target file, the attacker can manipulate the MSI installer's repair functionality to delete the target file during the repair process. Exploitation of this vulnerability could allow an attacker to delete important system files or replace them with malicious files, potentially leading to the affected device being compromised. The cloudflared client itself is not affected by this vulnerability, only the installer for 32-bit Windows devices. • https://github.com/cloudflare/cloudflared/releases https://github.com/cloudflare/cloudflared/security/advisories/GHSA-7mjv-x3jf-545x • CWE-59: Improper Link Resolution Before File Access ('Link Following') •