Page 5 of 531 results (0.008 seconds)

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

FreeBSD's crontab calculates the MD5 sum of the previous and new cronjob to determine if any changes have been made before copying the new version in. In particular, it uses the MD5File() function, which takes a pathname as an argument, and is called with euid 0. A race condition in this process may lead to an arbitrary MD5 comparison regardless of the read permissions. El crontab de FreeBSD calcula la suma MD5 del cronjob anterior y del nuevo para determinar si se han realizado cambios antes de copiar la nueva versión. En concreto, sa la función MD5File(), que toma un nombre de ruta como argumento y se llama con euid 0. • https://marc.info/?l=full-disclosure&m=129891323028897&w=2 https://security.netapp.com/advisory/ntap-20211125-0004 https://www.openwall.com/lists/oss-security/2011/02/28/14 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVSS: 8.1EPSS: 0%CPEs: 29EXPL: 0

In FreeBSD 13.0-STABLE before n246938-0729ba2f49c9, 12.2-STABLE before r370383, 11.4-STABLE before r370381, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, the ggatec daemon does not validate the size of a response before writing it to a fixed-sized buffer allowing a malicious attacker in a privileged network position to overwrite the stack of ggatec and potentially execute arbitrary code. En FreeBSD versiones 13.0-STABLE anteriores a n246938-0729ba2f49c9, 12.2-STABLE anteriores a r370383, 11.4-STABLE anteriores a r370381, 13.0-RELEASE anteriores a p4, 12.2-RELEASE anteriores a p10, y 11. 4-RELEASE anteriores a p13, el demonio ggatec no comprueba el tamaño de una respuesta antes de escribirla en un búfer de tamaño fijo, permitiendo a un atacante malicioso en una posición de red privilegiada sobrescribir la pila de ggatec y ejecutar potencialmente código arbitrario. • https://security.FreeBSD.org/advisories/FreeBSD-SA-21:14.ggatec.asc https://security.netapp.com/advisory/ntap-20210923-0005 • CWE-787: Out-of-bounds Write •

CVSS: 7.8EPSS: 0%CPEs: 29EXPL: 0

In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before r370400, 11.4-STABLE before r370399, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, certain VirtIO-based device models in bhyve failed to handle errors when fetching I/O descriptors. A malicious guest may cause the device model to operate on uninitialized I/O vectors leading to memory corruption, crashing of the bhyve process, and possibly arbitrary code execution in the bhyve process. En FreeBSD versiones 13.0-STABLE anteriores a n246941-20f96f215562, 12.2-STABLE anteriores a r370400, 11.4-STABLE anteriores a r370399, 13.0-RELEASE anteriores a p4, 12.2-RELEASE anteriores a p10, y 11.4-RELEASE anteriores a p13, determinados modelos de dispositivos basados en VirtIO en bhyve presentaban un fallo al manejar los errores cuando se obtenían descriptores de E/S. Un huésped malicioso puede causar al modelo de dispositivo operar en vectores de E/S no inicializados, conllevando a una corrupción de la memoria, un bloqueo del proceso bhyve y, posiblemente, una ejecución de código arbitrario en el proceso bhyve. • https://security.FreeBSD.org/advisories/FreeBSD-SA-21:13.bhyve.asc https://security.netapp.com/advisory/ntap-20210923-0004 • CWE-908: Use of Uninitialized Resource •

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1

libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\0' terminator one byte too late. libfetch versiones anteriores al 26-07-2021, como se usa en apk-tools, xbps, y otros productos, maneja inapropiadamente las cadenas numéricas para los protocolos FTP y HTTP. La implementación del modo pasivo de FTP permite una lectura fuera de límites porque strtol se usa para analizar los números relevantes en bytes de dirección. • https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749 https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810 • CWE-125: Out-of-bounds Read •

CVSS: 7.5EPSS: 0%CPEs: 20EXPL: 0

In FreeBSD 12.2-STABLE before r367402, 11.4-STABLE before r368202, 12.2-RELEASE before p1, 12.1-RELEASE before p11 and 11.4-RELEASE before p5 the handler for a routing option caches a pointer into the packet buffer holding the ICMPv6 message. However, when processing subsequent options the packet buffer may be freed, rendering the cached pointer invalid. The network stack may later dereference the pointer, potentially triggering a use-after-free. En FreeBSD versiones 12.2-STABLE anteriores a r367402, versiones 11.4-STABLE anteriores a r368202, versiones 12.2-RELEASE anteriores a p1, versiones 12.1-RELEASE anteriores a p11 y versiones 11.4-RELEASE anteriores a p5, el manejador para una opción de enrutamiento almacena en caché un puntero en el búfer de paquetes que contiene el mensaje ICMPv6. Sin embargo, cuando se procesan opciones posteriores, el búfer de paquetes puede ser liberado, renderizando el puntero inválido en caché. • https://security.FreeBSD.org/advisories/FreeBSD-SA-20:31.icmp6.asc https://security.netapp.com/advisory/ntap-20210720-0001 • CWE-416: Use After Free •