CVE-2024-5629 – Out-of-bounds read in bson module of PyMongo
https://notcve.org/view.php?id=CVE-2024-5629
An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory. Una lectura fuera de los límites en el módulo 'bson' de PyMongo 4.6.2 o anterior permite la deserialización de BSON mal formado proporcionado por un servidor para generar una excepción que puede contener memoria de aplicación arbitraria. • https://jira.mongodb.org/browse/PYTHON-4305 https://lists.debian.org/debian-lts-announce/2024/06/msg00007.html • CWE-125: Out-of-bounds Read •
CVE-2023-52160 – wpa_supplicant: potential authorization bypass
https://notcve.org/view.php?id=CVE-2023-52160
The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks. La implementación de PEAP en wpa_supplicant hasta la versión 2.10 permite omitir la autenticación. • https://lists.debian.org/debian-lts-announce/2024/02/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N46C4DTVUWK336OYDA4LGALSC5VVPTCC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QU6IR4KV3ZXJZLK2BY7HAHGZNCP7FPNI https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c https://www.top10vpn.com/research/wifi-vulnerabilities https://access.redhat.com/security/cve/CVE-2023-52160 https://bugzilla.redhat.com/ • CWE-285: Improper Authorization CWE-287: Improper Authentication •
CVE-2024-0755 – Mozilla: Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7
https://notcve.org/view.php?id=CVE-2024-0755
Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. Errores de seguridad de la memoria presentes en Firefox 121, Firefox ESR 115.6 y Thunderbird 115.6. Algunos de estos errores mostraron evidencia de corrupción de memoria y suponemos que con suficiente esfuerzo algunos de ellos podrían haberse aprovechado para ejecutar código arbitrario. • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1868456%2C1871445%2C1873701 https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html https://www.mozilla.org/security/advisories/mfsa2024-01 https://www.mozilla.org/security/advisories/mfsa2024-02 https://www.mozilla.org/security/advisories/mfsa2024-04 https://access.redhat.com/security/cve/CVE-2024-0755 https://bugzilla.redhat.com/show_bug.cgi?id=2259934 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2024-0753 – Mozilla: HSTS policy on subdomain could bypass policy of upper domain
https://notcve.org/view.php?id=CVE-2024-0753
In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. En configuraciones HSTS específicas, un atacante podría haber omitido HSTS en un subdominio. Esta vulnerabilidad afecta a Firefox < 122, Firefox ESR < 115.7 y Thunderbird < 115.7. The Mozilla Foundation Security Advisory describes this flaw as: In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. • https://bugzilla.mozilla.org/show_bug.cgi?id=1870262 https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html https://www.mozilla.org/security/advisories/mfsa2024-01 https://www.mozilla.org/security/advisories/mfsa2024-02 https://www.mozilla.org/security/advisories/mfsa2024-04 https://access.redhat.com/security/cve/CVE-2024-0753 https://bugzilla.redhat.com/show_bug.cgi?id=2259933 • CWE-326: Inadequate Encryption Strength •
CVE-2024-0751 – Mozilla: Privilege escalation through devtools
https://notcve.org/view.php?id=CVE-2024-0751
A malicious devtools extension could have been used to escalate privileges. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. Se podría haber utilizado una extensión devtools maliciosa para escalar privilegios. Esta vulnerabilidad afecta a Firefox < 122, Firefox ESR < 115.7 y Thunderbird < 115.7. The Mozilla Foundation Security Advisory describes this flaw as: A malicious devtools extension could have been used to escalate privileges. • https://bugzilla.mozilla.org/show_bug.cgi?id=1865689 https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html https://www.mozilla.org/security/advisories/mfsa2024-01 https://www.mozilla.org/security/advisories/mfsa2024-02 https://www.mozilla.org/security/advisories/mfsa2024-04 https://access.redhat.com/security/cve/CVE-2024-0751 https://bugzilla.redhat.com/show_bug.cgi?id=2259932 • CWE-20: Improper Input Validation CWE-269: Improper Privilege Management •