CVSS: 7.5EPSS: 23%CPEs: 10EXPL: 4CVE-2018-10583 – LibreOffice/Open Office - '.odt' Information Disclosure
https://notcve.org/view.php?id=CVE-2018-10583
An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document. Ocurre una vulnerabilidad de divulgación de información cuando LibreOffice 6.0.3 y Apache OpenOffice Writer 4.1.5 procesan automáticamente e inician una conexión SMB embebida en un archivo malicioso, tal y como queda demostrado con xlink:href=file://192.168.0.2/test.jpg en un elemento office:document-content en un documento XML .odt. Generates a Malicious ODT File which can be used with auxiliary/server/capture/smb or similar to capture hashes. • https://www.exploit-db.com/exploits/44564 https://github.com/MrTaherAmine/CVE-2018-10583 https://github.com/octodi/CVE-2018-10583 http://seclists.org/fulldisclosure/2020/Oct/26 http://secureyourit.co.uk/wp/2018/05/01/creating-malicious-odt-files https://access.redhat.com/errata/RHSA-2018:3054 https://lists.apache.org/thread.html/0598708912978b27121b2e380b44a225c706aca882cd1da6a955a0af%40%3Cdev.openoffice.apache.org%3E https://lists.apache.org/thread.html/6c65f22306c36c95e75f8d2b7f49cfcbeb0a4614245c20934612a39d%40%3Cde • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2591
https://notcve.org/view.php?id=CVE-2017-2591
389-ds-base before version 1.3.6 is vulnerable to an improperly NULL terminated array in the uniqueness_entry_to_config() function in the "attribute uniqueness" plugin of 389 Directory Server. An authenticated, or possibly unauthenticated, attacker could use this flaw to force an out-of-bound heap memory read, possibly triggering a crash of the LDAP service. 389-ds-base, en versiones anteriores a la 1.3.6, es vulnerable a un array terminado indebidamente en NULL en la función uniqueness_entry_to_config() en el plugin "attribute uniqueness" de 389 Directory Server. Un atacante autenticado o, posiblemente, sin autenticar, podría emplear este error para forzar una lectura fuera de límites de la memoria dinámica (heap), desencadenando un cierre inesperado del servicio LDAP. • http://www.securityfocus.com/bid/95670 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2591 https://pagure.io/389-ds-base/issue/48986 • CWE-122: Heap-based Buffer Overflow CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2018-10535 – binutils: NULL pointer dereference in elf.c
https://notcve.org/view.php?id=CVE-2018-10535
The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a "SECTION" type that has a "0" value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy. La función ignore_section_sym en elf.c en la biblioteca Binary File Descriptor (BFD), también conocida como libbfd, tal y como se distribuye en GNU Binutils 2.30, no valida el puntero output_section en el caso de que haya una entrada symtab con un tipo "SECTION" que tiene un valor "0". Esto permite que atacantes remotos provoquen una denegación de servicio (desreferencia de puntero NULL y cierre inesperado de la aplicación) mediante un archivo manipulado, tal y como demuestra objcopy. • http://www.securityfocus.com/bid/104021 https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2018:3032 https://security.gentoo.org/glsa/201908-01 https://sourceware.org/bugzilla/show_bug.cgi?id=23113 https://usn.ubuntu.com/4336-1 https://access.redhat.com/security/cve/CVE-2018-10535 https://bugzilla.redhat.com/show_bug.cgi?id=1574697 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2018-10534 – binutils: out of bounds memory write in peXXigen.c files
https://notcve.org/view.php?id=CVE-2018-10534
The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, processes a negative Data Directory size with an unbounded loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeds its own memory region, resulting in an out-of-bounds memory write, as demonstrated by objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c. La función _bfd_XX_bfd_copy_private_bfd_data_common en peXXigen.c en la biblioteca Binary File Descriptor (BFD), también conocida como libbfd, tal y como se distribuye en GNU Binutils 2.30, procesa un tamaño Data Directory negativo con un bucle no limitado que aumenta el valor de (external_IMAGE_DEBUG_DIRECTORY) *edd para que la dirección exceda su propia región de memoria, lo que resulta en una escritura en la memoria fuera de límites, tal y como demuestra la copia de información privada por parte de objcopy con _bfd_pex64_bfd_copy_private_bfd_data_common en pex64igen.c. • http://www.securityfocus.com/bid/104025 https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2018:3032 https://security.gentoo.org/glsa/201908-01 https://sourceware.org/bugzilla/show_bug.cgi?id=23110 https://usn.ubuntu.com/4336-1 https://access.redhat.com/security/cve/CVE-2018-10534 https://bugzilla.redhat.com/show_bug.cgi?id=1574696 • CWE-787: Out-of-bounds Write •
CVSS: 5.9EPSS: 1%CPEs: 42EXPL: 0CVE-2018-10237 – guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
https://notcve.org/view.php?id=CVE-2018-10237
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. Asignación de memoria sin restringir en Google Guava 11.0 hasta las versiones 24.x anteriores a la 24.1.1 permite que los atacantes remotos realicen ataques de denegación de servicio (DoS) contra servidores que dependen de esta librería y que deserialicen datos proporcionados por dichos atacantes debido a que la clase AtomicDoubleArray (cuando se serializa con serialización Java) y la clase CompoundOrdering (cuando se serializa con serialización GWT) realiza una asignación sin comprobar adecuadamente lo que ha enviado un cliente y si el tamaño de los datos es razonable. A vulnerability was found in Guava where the AtomicDoubleArray and CompoundOrdering classes were found to allocate memory based on size fields sent by the client without validation. A crafted message could cause the server to consume all available memory or crash leading to a denial of service. • http://www.securitytracker.com/id/1041707 https://access.redhat.com/errata/RHSA-2018:2423 https://access.redhat.com/errata/RHSA-2018:2424 https://access.redhat.com/errata/RHSA-2018:2425 https://access.redhat.com/errata/RHSA-2018:2428 https://access.redhat.com/errata/RHSA-2018:2598 https://access.redhat.com/errata/RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2740 https://access.redhat.com/errata/RHSA-2018:2741 https://access.redhat.com/errata/RHSA-2018:274 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-770: Allocation of Resources Without Limits or Throttling •