Three important vulnerabilities were discovered in Chromium, including a type confusion in V8 (CVE-2023-3420) and use after frees in Media (CVE-2023-3421) and Guest View (CVE-2023-3422). With a low attack complexity and a high confidentiality, integrity and availability impact, these flaws have received a National Vulnerability Database severity rating of 8.8 out of 10 (“High” severity).
Several remotely exploitable security issues were found in the Bind Internet Domain Name Server. It was discovered that Bind incorrectly handled the cache size limit (CVE-2023-2828) and the recursive-clients quota (CVE-2023-2911). With a low attack complexity and a high availability impact, these bugs have received a National Vulnerability Database severity rating of “High”.
Several security issues were found in the Linux kernel, including an out-of-bounds write vulnerability in the Flower classifier implementation in the kernel (CVE-2023-35788). It was also discovered that for some Intel processors the INVLPG instruction implementation did not properly flush global TLB entries when PCIDs are enabled. With a low attack complexity and a high confidentiality, integrity and availability impact, these flaws have received a National Vulnerability Database severity rating of 7.8 out of 10 (“High” severity).
Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems. "These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements," SonarSource researcher Thomas Chauchefoin said, adding they could result in RCE on Soko because of a "misconfiguration of the database."
Multiple remotely exploitable denial of service (DoS) and code execution vulnerabilities have been found in the VLC multimedia player and streamer. These bugs have been classified as “high-severity” by the National Vulnerability Database due to their high confidentiality, integrity and availability impact.
Four critical security vulnerabilities have been discovered in Chromium, including use after free bugs in Autofill payments, WebRTC and WebXR, and a type confusion flaw in V8.
Several important denial of service (DoS) and information disclosure vulnerabilities have been discovered in the OpenJDK Java runtime. These bugs require no privileges or user interaction to exploit, and have been classified by the National Vulnerability Database as having a high confidentiality, integrity and availability impact on affected systems.
Several important security vulnerabilities have been found in the c-ares fork of the ares library, including a 0-byte UDP payload denial of service (DoS) bug (CVE-2023-32067). With low attack complexity, no privileges or user interaction required to exploit, and a high availability impact, this flaw has received a National Vulnerability Database (NVD) base score of 7.5 out of 10 (“High” severity).
Fourteen important vulnerabilities have been discovered in Chromium, including multiple use-after-free and type confusion bugs. With a low attack complexity and a high confidentiality, integrity and availability impact, these issues have received a National Vulnerability Database severity rating of “High”.
Two important security bugs have been found in Ruby. It was discovered that an HTTP response splitting flaw exists in the Ruby cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 (CVE-2021-3362). It was also discovered that a buffer over-read occurs in String-to-Float conversion in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2 (CVE-2022-28739). With a low attack complexity and a high confidentiality and integrity impact, these bugs have received a National Vulnerability Database severity rating of “High”.
An Improper Validation of Array Index vulnerability (CVE-2023-0950) was discovered in the spreadsheet component of The Document Foundation LibreOffice 7.4 versions prior to 7.4.6 and 7.5 versions prior to 7.5.1. With a low attack complexity, no privileges or user interaction required to exploit, and a high confidentiality, integrity and availability impact, this bug has received a National Vulnerability Database (NVD) severity rating of “Critical”.
Multiple important denial of service (DoS) vulnerabilities (CVE-2023-0464 and CVE-2023-2650) have been discovered in the OpenSSL Secure Sockets Layer toolkit. These bugs are easy to exploit and have a high availability impact.
Several significant security issues have been found in the Linux kernel, including a use-after-free vulnerability in the netfilter subsystem (CVE-2023-32233), an an out-of-bounds write vulnerability in the scheduler implementation (CVE-2023-31436), and improper data buffer size validation in the Broadcom FullMAC USB WiFi driver (CVE-2023-1380).
Several buffer overflow vulnerabilities have been identified in ntfs-3g. With a low attack complexity and a high confidentiality, integrity and availability impact, these vulnerabilities have received a National Vulnerability Database (NVD) severity rating of “High”.
It was discovered that Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1 incorrectly handled uploading multiple files using one form field (CVE-2023-31047). With a low attack complexity, no privileges required to exploit, and a high confidentiality, integrity and availability impact, this vulnerability has been rated as “Critical” by the National Vulnerability Database (NVD).
Several important security issues have been found in the Linux kernel, including a slab-out-of-bound read problem (CVE-2023-1380), a heap out-of-bounds read/write vulnerability in the traffic control (QoS) subsystem (CVE-2023-2248), and an out-of-bounds write issue in the kernel before 6.2.13 (CVE-2023-31436). The vulnerabilities have received a National Vulnerability Database (NVD) rating of “high-severity” due to their high confidentiality, integrity and availability impact.
Several important security issues were identified in the runC Open Container Project. It was discovered that runC incorrectly performed access control when mounting /proc to non-directories (CVE-2023-27561), and incorrectly handled /proc and /sys mounts inside a container (CVE-2023-28642).
The Cybersecurity & Infrastructure Security Agency (CISA) added seven new Linux vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on Friday based on evidence of active exploitation, some of which have been known for a decade:
Two important ReDoS issues have been found in the Ruby programming language; one in the URI component (CVE-2023-28755) and one in the Time component (CVE-2023-28756). It was discovered that the URI parser and the Time parser mishandle invalid URLs that have specific characters, causing an increase in execution time for parsing strings to URI and Time objects.
It was discovered that Open vSwitch could be made to stop forwarding packets if it received specially crafted network traffic (CVE-2023-1668). Due to its high availability impact and the low attack complexity required to exploit the bug, this vulnerability has received a National Vulnerability Database (NVD) base score of 8.2 out of 10 (“High” severity).
Like staying secure? So do we.
Sign up for updates, tips, and alerts!
