
Security Vulnerabilities - Page 9

Discover Security Vulnerabilities News

PHP: Critical Updates For Information Exposure And Code Execution Risks


Two major security vulnerabilities were recently discovered in PHP. It was discovered that PHP incorrectly handled certain XML files (CVE-2023-3823) and certain PHAR files (CVE-2023-3824). Due to their ease of exploitation and the severe threat that these issues pose to impacted systems, these vulnerabilities have been rated by the National Vulnerability Database as High-Severity and Critical, respectively.

Debian, Fedora, openSUSE: Chromium Update Critical Exploits Fixed


Twenty-one severe vulnerabilities have been found in Chromium, including multiple use-after-frees and heap buffer overflows, among other security issues. These bugs have received a National Vulnerability Database severity rating of “High” due to their ease of exploitation and their significant threat to impacted systems' confidentiality, integrity, and availability.

Debian: DSA-5475-1 Critical: Microcode Information Exposure


Multiple significant microcode security issues have been discovered. An information exposure bug known as Downfall (CVE-2022-40982) has been found in some Intel(R) Processors, as well as a side channel vulnerability in some AMD CPUs known as Inception (CVE-2023-20569) that may allow an attacker to influence the return address prediction, potentially resulting in speculative execution at an attacker-controlled address.

OpenSSH: Critical RCE Bugs Found - Immediate Updates Required


Two critical remote code execution (RCE) vulnerabilities have been found in OpenSSH (CVE-2023-28531 and CVE-2023-38408). Because these bugs are simple to exploit and pose a severe threat to impacted systems' confidentiality, integrity, and availability, they have received a National Vulnerability Database base score of 9.8 out of 10 (“Critical” severity).

Debian: DSA-5469-1 High: Thunderbird DoS Risk Mitigation Update


Multiple security issues were discovered in Thunderbird, including a bug in the popup notification delay calculation that could have enabled an attacker to trick a user into granting permissions (CVE-2023-4047), and an out-of-bounds read that could have led to an exploitable crash when parsing HTML with DOMParser in low-memory situations (CVE-2023-4048). These bugs are simple to exploit and threaten impacted systems' confidentiality, integrity, and availability. As a result, they have received a National Vulnerability Database severity rating of “High”.

Ubuntu, Arch, Manjaro: Critical Firefox Vulnerabilities Resolved


Eleven severe vulnerabilities have been found in Chromium, including multiple type confusion bugs in V8, use-after-frees in Cast, Blink Task Scheduling and WebRTC, a heap buffer overflow in Visuals, out-of-bounds read and write in WebGL, out-of-bounds memory access in ANGLE, and insufficient data validation and inappropriate implementation in Extensions. These bugs have received a National Vulnerability Database severity rating of “High” due to their ease of exploitation and the significant threat they pose to impacted systems' confidentiality, integrity, and availability.

Ubuntu Critical Advisory: Kernel Update for Privilege Escalation Risks


Two new Linux kernel privilege escalation flaws have been discovered in the OverlayFS module in Ubuntu, which affect nearly 40% of Ubuntu users (CVE-2023-2640 and CVE-2023-32629). Modifications to the OverlayFS module introduced by the Linux kernel project in 2019 and 2022 conflicted with Ubuntu’s earlier changes, and Ubuntu's adoption of the new code introduced these two vulnerabilities.

X.Org: Critical High Severity DoS And Code Execution Threats Fixed


Several significant out-of-bounds access vulnerabilities have been found in the X.Org X Server (CVE-2021-4008, CVE-2021-4009, and CVE-2021-4011). These flaws threaten data confidentiality and integrity, as well as system availability, and have received a National Vulnerability Database severity rating of “High”.

Understanding WordPress Vulnerabilities and Protection Techniques


Thank you to Ruth Webb for contributing this article. WordPress stands tall as one of the most popular content management systems (CMS), empowering millions of websites worldwide in the ever-evolving digital landscape. Its flexibility and user-friendliness have made it a top choice for bloggers, businesses, and individuals. However, with great popularity comes great responsibility, and WordPress, like any other platform, is not immune to security vulnerabilities.

Linux Kernel: High Severity DoS And Privilege Escalation Risks Identified


Multiple significant security vulnerabilities have been discovered in the Linux kernel, including a remotely exploitable null pointer dereference flaw in the networking protocol (CVE-2023-3338), use-after-free vulnerabilities in the kernel's netfilter subsystem in net/netfilter/nf_tables_api.c (CVE-2023-3390) and nft_chain_lookup_byid() (CVE-2023-31248), and an out-of-bounds read/write vulnerability (CVE-2023-35001). These bugs are easy to exploit and pose a severe risk to your system's confidentiality, integrity, and availability. As a result, they have received a National Vulnerability Database severity rating of “High”.

GPAC: 2023:0011 High: DoS And Code Execution Flaws Resolved


Multiple severe security issues were discovered in the GPAC multimedia framework, including a heap-based buffer overflow in the GitHub repository gpac/gpac before V2.1.0-DEV (CVE-2023-0760) and a NULL pointer dereference in the GitHub repository gpac/gpac before 2.2.2 (CVE-2023-3012). These vulnerabilities have received a National Vulnerability Database base score of 7.8 out of 10 (“High” severity).

Linux Advisory: High Severity DoS and Escalation Issues Resolved


Multiple significant security vulnerabilities have been found in the Linux kernel, including an out-of-bounds memory access flaw in the XFS file system (CVE-2023-2124) and an out-of-bounds read vulnerability in compare_netdev_and_ip in drivers/infiniband/core/cma.c in the kernel's RDMA subsystem (CVE-2023-2176). With a low attack complexity and a high confidentiality, integrity, and availability impact, these bugs have received a National Vulnerability Database base score of 7.8 out of 10 (“High” severity).

WebKitGTK: CVE-2023-32439 High Severity: Arbitrary Code Execution


A type confusion issue that may have been actively exploited has been identified in the WebKitGTK web engine (CVE-2023-32439). With a low attack complexity and a high confidentiality, integrity and availability impact, this vulnerability has received a National Vulnerability Database severity rating of High.

Linux Kernel: 6.1-6.4 Critical Advisory for StackRot Exploit


Exploit code will soon become available for a critical vulnerability in the Linux kernel that a security researcher discovered and reported in mid-June. Dubbed StackRot (CVE-2023-3269), this bug impacts Linux kernel versions 6.1 through 6.4. The data structure for managing virtual memory spaces in the Linux kernel handles a particular memory management function in a manner that results in use-after-free-by-RCU (UAFBR) issues. The security researcher who discovered StackRot, Ruihan Li, describes the exploit for StackRot as likely the first to successfully exploit a UAFBR bug.

Vim Security Advisory: High DoS Risk and Code Execution Issues


Several important security issues were discovered in the Vim enhanced vi editor, including an out-of-bounds read vulnerability (CVE-2022-0128), improper memory management when recording and using select mode (CVE-2022-0393), and incorrect handling of certain memory operations during a visual block yank (CVE-2022-0407). Due to their high confidentiality, integrity and availability impact, these bugs have received a National Vulnerability Database severity rating of High.
