
CVE-2024-48948
https://notcve.org/view.php?id=CVE-2024-48948
15 Oct 2024 — The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid. • https://github.com/indutny/elliptic/issues/321 • CWE-347: Improper Verification of Cryptographic Signature •

CVE-2024-48949 – elliptic: Missing Validation in Elliptic's EDDSA Signature Verification
https://notcve.org/view.php?id=CVE-2024-48949
10 Oct 2024 — The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation. A flaw was found in the Elliptic package. This vulnerability allows attackers to bypass EDDSA signature validation via improper handling of signature values where the S() component of the signature is not properly checked for being non-negative or smaller than the curve order. An update for the grafana:7.3.6 module is now available for Red ... • https://github.com/indutny/elliptic/commit/7ac5360118f74eb02da73bdf9f24fd0c72ff5281 • CWE-347: Improper Verification of Cryptographic Signature •

CVE-2024-48957
https://notcve.org/view.php?id=CVE-2024-48957
10 Oct 2024 — execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. • https://github.com/libarchive/libarchive/compare/v3.7.4...v3.7.5 • CWE-125: Out-of-bounds Read •

CVE-2024-9675 – Buildah: buildah allows arbitrary directory mount
https://notcve.org/view.php?id=CVE-2024-9675
09 Oct 2024 — A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah. An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 U... • https://access.redhat.com/security/cve/CVE-2024-9675 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-9680 – Mozilla Firefox Use-After-Free Vulnerability
https://notcve.org/view.php?id=CVE-2024-9680
09 Oct 2024 — An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, and Firefox ESR < 115.16.1. • https://github.com/tdonaworth/Firefox-CVE-2024-9680 • CWE-416: Use After Free •

CVE-2024-32608
https://notcve.org/view.php?id=CVE-2024-32608
09 Oct 2024 — HDF5 library through 1.14.3 has memory corruption in H5A__close resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. • https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4 • CWE-787: Out-of-bounds Write •

CVE-2024-42934 – openipmi: missing check on the authorization type on incoming LAN messages in IPMI simulator
https://notcve.org/view.php?id=CVE-2024-42934
09 Oct 2024 — OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication type) in the ipmi_sim simulator, resulting in denial of service or (with very low probability) authentication bypass or code execution. A flaw was found in the IPMI simulator (ipmi_sim) component of OpenIPMI. Due to a missing check in the authorization type on incoming LAN messages, an attacker may be able to trigger a denial of service. An update for OpenIPMI is now available for Red Hat Enterprise Linux 9.2 Extended Update Suppor... • https://bugzilla.redhat.com/show_bug.cgi?id=2308375 • CWE-862: Missing Authorization •

CVE-2024-47855 – json-lib: Mishandling of an unbalanced comment string in json-lib
https://notcve.org/view.php?id=CVE-2024-47855
04 Oct 2024 — util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string. A flaw was found in JSON-lib's JSONTokener component. This vulnerability allows a denial of service via an unbalanced comment string. • https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e • CWE-1286: Improper Validation of Syntactic Correctness of Input •

CVE-2024-9370 – Debian Security Advisory 5781-1
https://notcve.org/view.php?id=CVE-2024-9370
03 Oct 2024 — This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. •

CVE-2024-33662
https://notcve.org/view.php?id=CVE-2024-33662
02 Oct 2024 — Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function. • https://github.com/portainer/portainer/compare/2.20.1...2.20.2 • CWE-326: Inadequate Encryption Strength •