diff --git a/advisories/unreviewed/2023/06/GHSA-2r96-94cm-p969/GHSA-2r96-94cm-p969.json b/advisories/unreviewed/2023/06/GHSA-2r96-94cm-p969/GHSA-2r96-94cm-p969.json
index 16356dbc3dc2b..1d6fa905f710b 100644
--- a/advisories/unreviewed/2023/06/GHSA-2r96-94cm-p969/GHSA-2r96-94cm-p969.json
+++ b/advisories/unreviewed/2023/06/GHSA-2r96-94cm-p969/GHSA-2r96-94cm-p969.json
@@ -25,7 +25,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-404"
+ ],
 "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2023/06/GHSA-f6rv-53cr-hph9/GHSA-f6rv-53cr-hph9.json b/advisories/unreviewed/2023/06/GHSA-f6rv-53cr-hph9/GHSA-f6rv-53cr-hph9.json
index 380a0478dd45f..89afef5e69e46 100644
--- a/advisories/unreviewed/2023/06/GHSA-f6rv-53cr-hph9/GHSA-f6rv-53cr-hph9.json
+++ b/advisories/unreviewed/2023/06/GHSA-f6rv-53cr-hph9/GHSA-f6rv-53cr-hph9.json
@@ -25,7 +25,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-120"
+ ],
 "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2024/05/GHSA-2277-9x7j-58f3/GHSA-2277-9x7j-58f3.json b/advisories/unreviewed/2024/05/GHSA-2277-9x7j-58f3/GHSA-2277-9x7j-58f3.json
index 44d82fa68d7da..b296365ccaa60 100644
--- a/advisories/unreviewed/2024/05/GHSA-2277-9x7j-58f3/GHSA-2277-9x7j-58f3.json
+++ b/advisories/unreviewed/2024/05/GHSA-2277-9x7j-58f3/GHSA-2277-9x7j-58f3.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2277-9x7j-58f3",
- "modified": "2024-05-21T15:31:41Z",
+ "modified": "2024-12-26T21:30:35Z",
 "published": "2024-05-21T15:31:41Z",
 "aliases": [
 "CVE-2021-47283"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet:sfc: fix non-freed irq in legacy irq mode\n\nSFC driver can be configured via modparam to work using MSI-X, MSI or\nlegacy IRQ interrupts. In the last one, the interrupt was not properly\nreleased on module remove.\n\nIt was not freed because the flag irqs_hooked was not set during\ninitialization in the case of using legacy IRQ.\n\nExample of (trimmed) trace during module remove without this fix:\n\nremove_proc_entry: removing non-empty directory 'irq/125', leaking at least '0000:3b:00.1'\nWARNING: CPU: 39 PID: 3658 at fs/proc/generic.c:715 remove_proc_entry+0x15c/0x170\n...trimmed...\nCall Trace:\n unregister_irq_proc+0xe3/0x100\n free_desc+0x29/0x70\n irq_free_descs+0x47/0x70\n mp_unmap_irq+0x58/0x60\n acpi_unregister_gsi_ioapic+0x2a/0x40\n acpi_pci_irq_disable+0x78/0xb0\n pci_disable_device+0xd1/0x100\n efx_pci_remove+0xa1/0x1e0 [sfc]\n pci_device_remove+0x38/0xa0\n __device_release_driver+0x177/0x230\n driver_detach+0xcb/0x110\n bus_remove_driver+0x58/0xd0\n pci_unregister_driver+0x2a/0xb0\n efx_exit_module+0x24/0xf40 [sfc]\n __do_sys_delete_module.constprop.0+0x171/0x280\n ? exit_to_user_mode_prepare+0x83/0x1d0\n do_syscall_64+0x3d/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f9f9385800b\n...trimmed...",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -28,8 +33,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-772"
+ ],
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:16Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-2hq2-46wf-3mhv/GHSA-2hq2-46wf-3mhv.json b/advisories/unreviewed/2024/05/GHSA-2hq2-46wf-3mhv/GHSA-2hq2-46wf-3mhv.json
index eeffe14348514..2406c403481c0 100644
--- a/advisories/unreviewed/2024/05/GHSA-2hq2-46wf-3mhv/GHSA-2hq2-46wf-3mhv.json
+++ b/advisories/unreviewed/2024/05/GHSA-2hq2-46wf-3mhv/GHSA-2hq2-46wf-3mhv.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2hq2-46wf-3mhv",
- "modified": "2024-05-21T15:31:42Z",
+ "modified": "2024-12-26T21:30:35Z",
 "published": "2024-05-21T15:31:42Z",
 "aliases": [
 "CVE-2021-47311"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qcom/emac: fix UAF in emac_remove\n\nadpt is netdev private data and it cannot be\nused after free_netdev() call. Using adpt after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -44,8 +49,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:18Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-39gw-mq6q-79fw/GHSA-39gw-mq6q-79fw.json b/advisories/unreviewed/2024/05/GHSA-39gw-mq6q-79fw/GHSA-39gw-mq6q-79fw.json
index 232526c7bd9dc..ddad65e3e759f 100644
--- a/advisories/unreviewed/2024/05/GHSA-39gw-mq6q-79fw/GHSA-39gw-mq6q-79fw.json
+++ b/advisories/unreviewed/2024/05/GHSA-39gw-mq6q-79fw/GHSA-39gw-mq6q-79fw.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-39gw-mq6q-79fw",
- "modified": "2024-05-21T15:31:41Z",
+ "modified": "2024-12-26T21:30:35Z",
 "published": "2024-05-21T15:31:41Z",
 "aliases": [
 "CVE-2021-47279"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: misc: brcmstb-usb-pinmap: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -24,8 +29,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:16Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-3whv-3wrh-jjqq/GHSA-3whv-3wrh-jjqq.json b/advisories/unreviewed/2024/05/GHSA-3whv-3wrh-jjqq/GHSA-3whv-3wrh-jjqq.json
index 9adf24f5a6b4d..3e2d85be4f3ef 100644
--- a/advisories/unreviewed/2024/05/GHSA-3whv-3wrh-jjqq/GHSA-3whv-3wrh-jjqq.json
+++ b/advisories/unreviewed/2024/05/GHSA-3whv-3wrh-jjqq/GHSA-3whv-3wrh-jjqq.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3whv-3wrh-jjqq",
- "modified": "2024-05-21T15:31:43Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-05-21T15:31:43Z",
 "aliases": [
 "CVE-2021-47328"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi: Fix conn use after free during resets\n\nIf we haven't done a unbind target call we can race where\niscsi_conn_teardown wakes up the EH thread and then frees the conn while\nthose threads are still accessing the conn ehwait.\n\nWe can only do one TMF per session so this just moves the TMF fields from\nthe conn to the session. We can then rely on the\niscsi_session_teardown->iscsi_remove_session->__iscsi_unbind_session call\nto remove the target and it's devices, and know after that point there is\nno device or scsi-ml callout trying to access the session.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -40,8 +45,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:19Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-589w-2j5c-px7j/GHSA-589w-2j5c-px7j.json b/advisories/unreviewed/2024/05/GHSA-589w-2j5c-px7j/GHSA-589w-2j5c-px7j.json
index dcf09f592c817..a342b72720007 100644
--- a/advisories/unreviewed/2024/05/GHSA-589w-2j5c-px7j/GHSA-589w-2j5c-px7j.json
+++ b/advisories/unreviewed/2024/05/GHSA-589w-2j5c-px7j/GHSA-589w-2j5c-px7j.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-589w-2j5c-px7j",
- "modified": "2024-05-21T15:31:42Z",
+ "modified": "2024-12-26T21:30:35Z",
 "published": "2024-05-21T15:31:42Z",
 "aliases": [
 "CVE-2021-47310"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: fix UAF in tlan_remove_one\n\npriv is netdev private data and it cannot be\nused after free_netdev() call. Using priv after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -48,8 +53,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:18Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-5hxm-7v87-m497/GHSA-5hxm-7v87-m497.json b/advisories/unreviewed/2024/05/GHSA-5hxm-7v87-m497/GHSA-5hxm-7v87-m497.json
index 5c5b00e9805cc..a471240f861f8 100644
--- a/advisories/unreviewed/2024/05/GHSA-5hxm-7v87-m497/GHSA-5hxm-7v87-m497.json
+++ b/advisories/unreviewed/2024/05/GHSA-5hxm-7v87-m497/GHSA-5hxm-7v87-m497.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5hxm-7v87-m497",
- "modified": "2024-05-01T15:30:37Z",
+ "modified": "2024-12-26T21:30:34Z",
 "published": "2024-05-01T15:30:37Z",
 "aliases": [
 "CVE-2024-27392"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: host: fix double-free of struct nvme_id_ns in ns_update_nuse()\n\nWhen nvme_identify_ns() fails, it frees the pointer to the struct\nnvme_id_ns before it returns. However, ns_update_nuse() calls kfree()\nfor the pointer even when nvme_identify_ns() fails. This results in\nKASAN double-free, which was observed with blktests nvme/045 with\nproposed patches [1] on the kernel v6.8-rc7. Fix the double-free by\nskipping kfree() when nvme_identify_ns() fails.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -24,8 +29,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-415"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-01T13:15:51Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-5j57-53hq-vmc7/GHSA-5j57-53hq-vmc7.json b/advisories/unreviewed/2024/05/GHSA-5j57-53hq-vmc7/GHSA-5j57-53hq-vmc7.json
index 0753ce0d03dac..4270c65aa5946 100644
--- a/advisories/unreviewed/2024/05/GHSA-5j57-53hq-vmc7/GHSA-5j57-53hq-vmc7.json
+++ b/advisories/unreviewed/2024/05/GHSA-5j57-53hq-vmc7/GHSA-5j57-53hq-vmc7.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5j57-53hq-vmc7",
- "modified": "2024-05-21T15:31:41Z",
+ "modified": "2024-12-26T21:30:35Z",
 "published": "2024-05-21T15:31:41Z",
 "aliases": [
 "CVE-2021-47278"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()\n\nThis driver's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -24,8 +29,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:16Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-84wp-3676-5rx2/GHSA-84wp-3676-5rx2.json b/advisories/unreviewed/2024/05/GHSA-84wp-3676-5rx2/GHSA-84wp-3676-5rx2.json
index 7d81cdec06c47..bed607cd2feac 100644
--- a/advisories/unreviewed/2024/05/GHSA-84wp-3676-5rx2/GHSA-84wp-3676-5rx2.json
+++ b/advisories/unreviewed/2024/05/GHSA-84wp-3676-5rx2/GHSA-84wp-3676-5rx2.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-84wp-3676-5rx2",
- "modified": "2024-05-21T15:31:41Z",
+ "modified": "2024-12-26T21:30:35Z",
 "published": "2024-05-21T15:31:41Z",
 "aliases": [
 "CVE-2021-47273"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled\n\nWhen only PHY1 is used (for example on Odroid-HC4), the regmap init code\nuses the usb2 ports when doesn't initialize the PHY1 regmap entry.\n\nThis fixes:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n...\npc : regmap_update_bits_base+0x40/0xa0\nlr : dwc3_meson_g12a_usb2_init_phy+0x4c/0xf8\n...\nCall trace:\nregmap_update_bits_base+0x40/0xa0\ndwc3_meson_g12a_usb2_init_phy+0x4c/0xf8\ndwc3_meson_g12a_usb2_init+0x7c/0xc8\ndwc3_meson_g12a_usb_init+0x28/0x48\ndwc3_meson_g12a_probe+0x298/0x540\nplatform_probe+0x70/0xe0\nreally_probe+0xf0/0x4d8\ndriver_probe_device+0xfc/0x168\n...",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -28,8 +33,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:15Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-8cxw-6695-4jq3/GHSA-8cxw-6695-4jq3.json b/advisories/unreviewed/2024/05/GHSA-8cxw-6695-4jq3/GHSA-8cxw-6695-4jq3.json
index 895bb3a9b1db3..19affdbc6681c 100644
--- a/advisories/unreviewed/2024/05/GHSA-8cxw-6695-4jq3/GHSA-8cxw-6695-4jq3.json
+++ b/advisories/unreviewed/2024/05/GHSA-8cxw-6695-4jq3/GHSA-8cxw-6695-4jq3.json
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-8cxw-6695-4jq3", - "modified": "2024-05-21T15:31:41Z", + "modified": "2024-12-26T21:30:35Z", "published": "2024-05-21T15:31:41Z", "aliases": [ "CVE-2021-47266" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ipoib: Fix warning caused by destroying non-initial netns\n\nAfter the commit 5ce2dced8e95 (\"RDMA/ipoib: Set rtnl_link_ops for ipoib\ninterfaces\"), if the IPoIB device is moved to non-initial netns,\ndestroying that netns lets the device vanish instead of moving it back to\nthe initial netns, This is happening because default_device_exit() skips\nthe interfaces due to having rtnl_link_ops set.\n\nSteps to reporoduce:\n ip netns add foo\n ip link set mlx5_ib0 netns foo\n ip netns delete foo\n\nWARNING: CPU: 1 PID: 704 at net/core/dev.c:11435 netdev_exit+0x3f/0x50\nModules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT\nnf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack\nnf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink tun d\n fuse\nCPU: 1 PID: 704 Comm: kworker/u64:3 Tainted: G S W 5.13.0-rc1+ #1\nHardware name: Dell Inc. 
PowerEdge R630/02C2CP, BIOS 2.1.5 04/11/2016\nWorkqueue: netns cleanup_net\nRIP: 0010:netdev_exit+0x3f/0x50\nCode: 48 8b bb 30 01 00 00 e8 ef 81 b1 ff 48 81 fb c0 3a 54 a1 74 13 48\n8b 83 90 00 00 00 48 81 c3 90 00 00 00 48 39 d8 75 02 5b c3 <0f> 0b 5b\nc3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 1f 44 00\nRSP: 0018:ffffb297079d7e08 EFLAGS: 00010206\nRAX: ffff8eb542c00040 RBX: ffff8eb541333150 RCX: 000000008010000d\nRDX: 000000008010000e RSI: 000000008010000d RDI: ffff8eb440042c00\nRBP: ffffb297079d7e48 R08: 0000000000000001 R09: ffffffff9fdeac00\nR10: ffff8eb5003be000 R11: 0000000000000001 R12: ffffffffa1545620\nR13: ffffffffa1545628 R14: 0000000000000000 R15: ffffffffa1543b20\nFS: 0000000000000000(0000) GS:ffff8ed37fa00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005601b5f4c2e8 CR3: 0000001fc8c10002 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ops_exit_list.isra.9+0x36/0x70\n cleanup_net+0x234/0x390\n process_one_work+0x1cb/0x360\n ? process_one_work+0x360/0x360\n worker_thread+0x30/0x370\n ? process_one_work+0x360/0x360\n kthread+0x116/0x130\n ? kthread_park+0x80/0x80\n ret_from_fork+0x22/0x30\n\nTo avoid the above warning and later on the kernel panic that could happen\non shutdown due to a NULL pointer dereference, make sure to set the\nnetns_refund flag that was introduced by commit 3a5ca857079e (\"can: dev:\nMove device back to init netns on owning netns delete\") to properly\nrestore the IPoIB interfaces to the initial netns.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], "affected": [], "references": [ { 
@@ -32,8 +37,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:15Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-8fm5-v3c4-vrmq/GHSA-8fm5-v3c4-vrmq.json b/advisories/unreviewed/2024/05/GHSA-8fm5-v3c4-vrmq/GHSA-8fm5-v3c4-vrmq.json
index 5694d1717066c..07bbdd6bc27e5 100644
--- a/advisories/unreviewed/2024/05/GHSA-8fm5-v3c4-vrmq/GHSA-8fm5-v3c4-vrmq.json
+++ b/advisories/unreviewed/2024/05/GHSA-8fm5-v3c4-vrmq/GHSA-8fm5-v3c4-vrmq.json
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-8fm5-v3c4-vrmq", - "modified": "2024-05-21T15:31:42Z", + "modified": "2024-12-26T21:30:35Z", "published": "2024-05-21T15:31:42Z", "aliases": [ "CVE-2021-47299" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp, net: Fix use-after-free in bpf_xdp_link_release\n\nThe problem occurs between dev_get_by_index() and dev_xdp_attach_link().\nAt this point, dev_xdp_uninstall() is called. Then xdp link will not be\ndetached automatically when dev is released. But link->dev already\npoints to dev, when xdp link is released, dev will still be accessed,\nbut dev has been released.\n\ndev_get_by_index() |\nlink->dev = dev |\n | rtnl_lock()\n | unregister_netdevice_many()\n | dev_xdp_uninstall()\n | rtnl_unlock()\nrtnl_lock(); |\ndev_xdp_attach_link() |\nrtnl_unlock(); |\n | netdev_run_todo() // dev released\nbpf_xdp_link_release() |\n /* access dev. |\n use-after-free */ |\n\n[ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0\n[ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732\n[ 45.968297]\n[ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22\n[ 45.969222] Hardware name: linux,dummy-virt (DT)\n[ 45.969795] Call trace:\n[ 45.970106] dump_backtrace+0x0/0x4c8\n[ 45.970564] show_stack+0x30/0x40\n[ 45.970981] dump_stack_lvl+0x120/0x18c\n[ 45.971470] print_address_description.constprop.0+0x74/0x30c\n[ 45.972182] kasan_report+0x1e8/0x200\n[ 45.972659] __asan_report_load8_noabort+0x2c/0x50\n[ 45.973273] bpf_xdp_link_release+0x3b8/0x3d0\n[ 45.973834] bpf_link_free+0xd0/0x188\n[ 45.974315] bpf_link_put+0x1d0/0x218\n[ 45.974790] bpf_link_release+0x3c/0x58\n[ 45.975291] __fput+0x20c/0x7e8\n[ 45.975706] ____fput+0x24/0x30\n[ 45.976117] task_work_run+0x104/0x258\n[ 45.976609] do_notify_resume+0x894/0xaf8\n[ 45.977121] work_pending+0xc/0x328\n[ 45.977575]\n[ 45.977775] The buggy address belongs to the page:\n[ 45.978369] 
page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998\n[ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)\n[ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000\n[ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n[ 45.982259] page dumped because: kasan: bad access detected\n[ 45.982948]\n[ 45.983153] Memory state around the buggy address:\n[ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 45.986419] ^\n[ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 45.988006] ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 45.988895] ==================================================================\n[ 45.989773] Disabling lock debugging due to kernel taint\n[ 45.990552] Kernel panic - not syncing: panic_on_warn set ...\n[ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G B 5.13.0+ #22\n[ 45.991929] Hardware name: linux,dummy-virt (DT)\n[ 45.992448] Call trace:\n[ 45.992753] dump_backtrace+0x0/0x4c8\n[ 45.993208] show_stack+0x30/0x40\n[ 45.993627] dump_stack_lvl+0x120/0x18c\n[ 45.994113] dump_stack+0x1c/0x34\n[ 45.994530] panic+0x3a4/0x7d8\n[ 45.994930] end_report+0x194/0x198\n[ 45.995380] kasan_report+0x134/0x200\n[ 45.995850] __asan_report_load8_noabort+0x2c/0x50\n[ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0\n[ 45.997007] bpf_link_free+0xd0/0x188\n[ 45.997474] bpf_link_put+0x1d0/0x218\n[ 45.997942] bpf_link_release+0x3c/0x58\n[ 45.998429] __fput+0x20c/0x7e8\n[ 45.998833] ____fput+0x24/0x30\n[ 45.999247] task_work_run+0x104/0x258\n[ 45.999731] do_notify_resume+0x894/0xaf8\n[ 46.000236] work_pending\n---truncated---", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -28,8 +33,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:17Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-8g98-8rxj-3j4q/GHSA-8g98-8rxj-3j4q.json b/advisories/unreviewed/2024/05/GHSA-8g98-8rxj-3j4q/GHSA-8g98-8rxj-3j4q.json
index f9a0f23ffbbcd..1b5fcfe8b16f6 100644
--- a/advisories/unreviewed/2024/05/GHSA-8g98-8rxj-3j4q/GHSA-8g98-8rxj-3j4q.json
+++ b/advisories/unreviewed/2024/05/GHSA-8g98-8rxj-3j4q/GHSA-8g98-8rxj-3j4q.json
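Review bot: The `database_specific` hunk for GHSA-8fm5-v3c4-vrmq tags the record `CWE-416` but pairs it with `"severity": "MODERATE"` and, in the hunk before it, an availability-only vector ending `C:N/I:N/A:H`, while the other CWE-416 records in this patch (GHSA-2hq2-46wf-3mhv, GHSA-589w-2j5c-px7j, GHSA-5j57-53hq-vmc7) carry `C:H/I:H/A:H` and `HIGH`. The details quote a KASAN use-after-free read in bpf_xdp_link_release, so the lower rating may simply mirror how the upstream record was scored rather than a transcription slip. It is worth confirming the vector against the source record for CVE-2021-47299, because consumers that triage on `database_specific.severity` will rank this use-after-free below its siblings.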
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-8g98-8rxj-3j4q", - "modified": "2024-05-21T15:31:41Z", + "modified": "2024-12-26T21:30:35Z", "published": "2024-05-21T15:31:41Z", "aliases": [ "CVE-2021-47268" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port\n\nA pending hrtimer may expire after the kthread_worker of tcpm port\nis destroyed, see below kernel dump when do module unload, fix it\nby cancel the 2 hrtimers.\n\n[ 111.517018] Unable to handle kernel paging request at virtual address ffff8000118cb880\n[ 111.518786] blk_update_request: I/O error, dev sda, sector 60061185 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0\n[ 111.526594] Mem abort info:\n[ 111.526597] ESR = 0x96000047\n[ 111.526600] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 111.526604] SET = 0, FnV = 0\n[ 111.526607] EA = 0, S1PTW = 0\n[ 111.526610] Data abort info:\n[ 111.526612] ISV = 0, ISS = 0x00000047\n[ 111.526615] CM = 0, WnR = 1\n[ 111.526619] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041d75000\n[ 111.526623] [ffff8000118cb880] pgd=10000001bffff003, p4d=10000001bffff003, pud=10000001bfffe003, pmd=10000001bfffa003, pte=0000000000000000\n[ 111.526642] Internal error: Oops: 96000047 [#1] PREEMPT SMP\n[ 111.526647] Modules linked in: dwc3_imx8mp dwc3 phy_fsl_imx8mq_usb [last unloaded: tcpci]\n[ 111.526663] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc4-00927-gebbe9dbd802c-dirty #36\n[ 111.526670] Hardware name: NXP i.MX8MPlus EVK board (DT)\n[ 111.526674] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO BTYPE=--)\n[ 111.526681] pc : queued_spin_lock_slowpath+0x1a0/0x390\n[ 111.526695] lr : _raw_spin_lock_irqsave+0x88/0xb4\n[ 111.526703] sp : ffff800010003e20\n[ 111.526706] x29: ffff800010003e20 x28: ffff00017f380180\n[ 111.537156] buffer_io_error: 6 callbacks suppressed\n[ 111.537162] Buffer I/O error on dev sda1, logical block 60040704, async page 
read\n[ 111.539932] x27: ffff00017f3801c0\n[ 111.539938] x26: ffff800010ba2490 x25: 0000000000000000 x24: 0000000000000001\n[ 111.543025] blk_update_request: I/O error, dev sda, sector 60061186 op 0x0:(READ) flags 0x0 phys_seg 7 prio class 0\n[ 111.548304]\n[ 111.548306] x23: 00000000000000c0 x22: ffff0000c2a9f184 x21: ffff00017f380180\n[ 111.551374] Buffer I/O error on dev sda1, logical block 60040705, async page read\n[ 111.554499]\n[ 111.554503] x20: ffff0000c5f14210 x19: 00000000000000c0 x18: 0000000000000000\n[ 111.557391] Buffer I/O error on dev sda1, logical block 60040706, async page read\n[ 111.561218]\n[ 111.561222] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 111.564205] Buffer I/O error on dev sda1, logical block 60040707, async page read\n[ 111.570887] x14: 00000000000000f5 x13: 0000000000000001 x12: 0000000000000040\n[ 111.570902] x11: ffff0000c05ac6d8\n[ 111.583420] Buffer I/O error on dev sda1, logical block 60040708, async page read\n[ 111.588978] x10: 0000000000000000 x9 : 0000000000040000\n[ 111.588988] x8 : 0000000000000000\n[ 111.597173] Buffer I/O error on dev sda1, logical block 60040709, async page read\n[ 111.605766] x7 : ffff00017f384880 x6 : ffff8000118cb880\n[ 111.605777] x5 : ffff00017f384880\n[ 111.611094] Buffer I/O error on dev sda1, logical block 60040710, async page read\n[ 111.617086] x4 : 0000000000000000 x3 : ffff0000c2a9f184\n[ 111.617096] x2 : ffff8000118cb880\n[ 111.622242] Buffer I/O error on dev sda1, logical block 60040711, async page read\n[ 111.626927] x1 : ffff8000118cb880 x0 : ffff00017f384888\n[ 111.626938] Call trace:\n[ 111.626942] queued_spin_lock_slowpath+0x1a0/0x390\n[ 111.795809] kthread_queue_work+0x30/0xc0\n[ 111.799828] state_machine_timer_handler+0x20/0x30\n[ 111.804624] __hrtimer_run_queues+0x140/0x1e0\n[ 111.808990] hrtimer_interrupt+0xec/0x2c0\n[ 111.813004] arch_timer_handler_phys+0x38/0x50\n[ 111.817456] handle_percpu_devid_irq+0x88/0x150\n[ 111.821991] 
__handle_domain_irq+0x80/0xe0\n[ 111.826093] gic_handle_irq+0xc0/0x140\n[ 111.829848] el1_irq+0xbc/0x154\n[ 111.832991] arch_cpu_idle+0x1c/0x2c\n[ 111.836572] default_idle_call+0x24/0x6c\n[ 111.840497] do_idle+0x238/0x2ac\n[ 1\n---truncated---",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -29,7 +34,7 @@
 ],
 "database_specific": {
 "cwe_ids": [],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:15Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-8xwv-9gjh-23gh/GHSA-8xwv-9gjh-23gh.json b/advisories/unreviewed/2024/05/GHSA-8xwv-9gjh-23gh/GHSA-8xwv-9gjh-23gh.json
index 8b139e1f4b0ee..60e349e66f9b0 100644
--- a/advisories/unreviewed/2024/05/GHSA-8xwv-9gjh-23gh/GHSA-8xwv-9gjh-23gh.json
+++ b/advisories/unreviewed/2024/05/GHSA-8xwv-9gjh-23gh/GHSA-8xwv-9gjh-23gh.json
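Review bot: `"cwe_ids": []` stays empty in the `database_specific` hunk for GHSA-8g98-8rxj-3j4q even though this change sets `"severity": "HIGH"` and adds a `C:H/I:H/A:H` vector; every other 2024 record in the visible part of this patch that received a score also received a CWE. The details describe an hrtimer expiring after the tcpm port's kthread_worker is destroyed, which reads like the same class as the `CWE-416` entries here, but that is an inference from the text. If the source record for CVE-2021-47268 assigns a weakness it should be carried over, e.g. `"cwe_ids": [ "CWE-416" ],`; if it assigns none, the empty array is correct and CWE-based filters will simply not match this advisory.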
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-8xwv-9gjh-23gh", - "modified": "2024-05-01T15:30:36Z", + "modified": "2024-12-26T21:30:34Z", "published": "2024-05-01T15:30:36Z", "aliases": [ "CVE-2024-27070" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid use-after-free issue in f2fs_filemap_fault\n\nsyzbot reports a f2fs bug as below:\n\nBUG: KASAN: slab-use-after-free in f2fs_filemap_fault+0xd1/0x2c0 fs/f2fs/file.c:49\nRead of size 8 at addr ffff88807bb22680 by task syz-executor184/5058\n\nCPU: 0 PID: 5058 Comm: syz-executor184 Not tainted 6.7.0-syzkaller-09928-g052d534373b7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x163/0x540 mm/kasan/report.c:488\n kasan_report+0x142/0x170 mm/kasan/report.c:601\n f2fs_filemap_fault+0xd1/0x2c0 fs/f2fs/file.c:49\n __do_fault+0x131/0x450 mm/memory.c:4376\n do_shared_fault mm/memory.c:4798 [inline]\n do_fault mm/memory.c:4872 [inline]\n do_pte_missing mm/memory.c:3745 [inline]\n handle_pte_fault mm/memory.c:5144 [inline]\n __handle_mm_fault+0x23b7/0x72b0 mm/memory.c:5285\n handle_mm_fault+0x27e/0x770 mm/memory.c:5450\n do_user_addr_fault arch/x86/mm/fault.c:1364 [inline]\n handle_page_fault arch/x86/mm/fault.c:1507 [inline]\n exc_page_fault+0x456/0x870 arch/x86/mm/fault.c:1563\n asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570\n\nThe root cause is: in f2fs_filemap_fault(), vmf->vma may be not alive after\nfilemap_fault(), so it may cause use-after-free issue when accessing\nvmf->vma->vm_flags in trace_f2fs_filemap_fault(). 
So it needs to keep vm_flags\nin separated temporary variable for tracepoint use.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -24,8 +29,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-01T13:15:51Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-9h2q-cwg7-7wx8/GHSA-9h2q-cwg7-7wx8.json b/advisories/unreviewed/2024/05/GHSA-9h2q-cwg7-7wx8/GHSA-9h2q-cwg7-7wx8.json
index 299c7d8b1c9af..c5f750a81ee11 100644
--- a/advisories/unreviewed/2024/05/GHSA-9h2q-cwg7-7wx8/GHSA-9h2q-cwg7-7wx8.json
+++ b/advisories/unreviewed/2024/05/GHSA-9h2q-cwg7-7wx8/GHSA-9h2q-cwg7-7wx8.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9h2q-cwg7-7wx8",
- "modified": "2024-05-21T15:31:42Z",
+ "modified": "2024-12-26T21:30:35Z",
 "published": "2024-05-21T15:31:42Z",
 "aliases": [
 "CVE-2021-47301"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Fix use-after-free error during reset\n\nCleans the next descriptor to watch (next_to_watch) when cleaning the\nTX ring.\n\nFailure to do so can cause invalid memory accesses. If igb_poll() runs\nwhile the controller is reset this can lead to the driver try to free\na skb that was already freed.\n\n(The crash is harder to reproduce with the igb driver, but the same\npotential problem exists as the code is identical to igc)",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -40,8 +45,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:17Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-c5qq-qcr6-82vp/GHSA-c5qq-qcr6-82vp.json b/advisories/unreviewed/2024/05/GHSA-c5qq-qcr6-82vp/GHSA-c5qq-qcr6-82vp.json
index 9c4232db811b4..1a28ea7f71f11 100644
--- a/advisories/unreviewed/2024/05/GHSA-c5qq-qcr6-82vp/GHSA-c5qq-qcr6-82vp.json
+++ b/advisories/unreviewed/2024/05/GHSA-c5qq-qcr6-82vp/GHSA-c5qq-qcr6-82vp.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c5qq-qcr6-82vp",
- "modified": "2024-05-21T15:31:43Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-05-21T15:31:43Z",
 "aliases": [
 "CVE-2021-47342"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix possible UAF when remounting r/o a mmp-protected file system\n\nAfter commit 618f003199c6 (\"ext4: fix memory leak in\next4_fill_super\"), after the file system is remounted read-only, there\nis a race where the kmmpd thread can exit, causing sbi->s_mmp_tsk to\npoint at freed memory, which the call to ext4_stop_mmpd() can trip\nover.\n\nFix this by only allowing kmmpd() to exit when it is stopped via\next4_stop_mmpd().\n\nBug-Report-Link: <20210629143603.2166962-1-yebin10@huawei.com>",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -28,8 +33,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:20Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-c9p5-rxmf-r4m6/GHSA-c9p5-rxmf-r4m6.json b/advisories/unreviewed/2024/05/GHSA-c9p5-rxmf-r4m6/GHSA-c9p5-rxmf-r4m6.json
index 7163deadf1824..c0510ed212a37 100644
--- a/advisories/unreviewed/2024/05/GHSA-c9p5-rxmf-r4m6/GHSA-c9p5-rxmf-r4m6.json
+++ b/advisories/unreviewed/2024/05/GHSA-c9p5-rxmf-r4m6/GHSA-c9p5-rxmf-r4m6.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c9p5-rxmf-r4m6",
- "modified": "2024-05-21T15:31:42Z",
+ "modified": "2024-12-26T21:30:35Z",
 "published": "2024-05-21T15:31:42Z",
 "aliases": [
 "CVE-2021-47307"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent NULL deref in cifs_compose_mount_options()\n\nThe optional @ref parameter might contain an NULL node_name, so\nprevent dereferencing it in cifs_compose_mount_options().\n\nAddresses-Coverity: 1476408 (\"Explicit null dereferenced\")",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -32,8 +37,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:18Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-cc2x-949j-9v5x/GHSA-cc2x-949j-9v5x.json b/advisories/unreviewed/2024/05/GHSA-cc2x-949j-9v5x/GHSA-cc2x-949j-9v5x.json
index 04b88c7cdd73c..d7dd0b0d02c1e 100644
--- a/advisories/unreviewed/2024/05/GHSA-cc2x-949j-9v5x/GHSA-cc2x-949j-9v5x.json
+++ b/advisories/unreviewed/2024/05/GHSA-cc2x-949j-9v5x/GHSA-cc2x-949j-9v5x.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-cc2x-949j-9v5x",
- "modified": "2024-05-21T15:31:44Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-05-21T15:31:44Z",
 "aliases": [
 "CVE-2021-47362"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Update intermediate power state for SI\n\nUpdate the current state as boot state during dpm initialization.\nDuring the subsequent initialization, set_power_state gets called to\ntransition to the final power state. set_power_state refers to values\nfrom the current state and without current state populated, it could\nresult in NULL pointer dereference.\n\nFor ex: on platforms where PCI speed change is supported through ACPI\nATCS method, the link speed of current state needs to be queried before\ndeciding on changing to final power state's link speed. The logic to query\nATCS-support was broken on certain platforms. The issue became visible\nwhen broken ATCS-support logic got fixed with commit\nf9b7f3703ff9 (\"drm/amdgpu/acpi: make ATPX/ATCS structures global (v2)\").\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/1698",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -28,8 +33,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:22Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-chv3-xxv6-8hvr/GHSA-chv3-xxv6-8hvr.json b/advisories/unreviewed/2024/05/GHSA-chv3-xxv6-8hvr/GHSA-chv3-xxv6-8hvr.json
index fffb44d058439..0e8b39b12f6b5 100644
--- a/advisories/unreviewed/2024/05/GHSA-chv3-xxv6-8hvr/GHSA-chv3-xxv6-8hvr.json
+++ b/advisories/unreviewed/2024/05/GHSA-chv3-xxv6-8hvr/GHSA-chv3-xxv6-8hvr.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-chv3-xxv6-8hvr",
- "modified": "2024-05-21T15:31:43Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-05-21T15:31:43Z",
 "aliases": [
 "CVE-2021-47334"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc/libmasm/module: Fix two use after free in ibmasm_init_one\n\nIn ibmasm_init_one, it calls ibmasm_init_remote_input_dev().\nInside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are\nallocated by input_allocate_device(), and assigned to\nsp->remote.mouse_dev and sp->remote.keybd_dev respectively.\n\nIn the err_free_devices error branch of ibmasm_init_one,\nmouse_dev and keybd_dev are freed by input_free_device(), and return\nerror. Then the execution runs into error_send_message error branch\nof ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called\nto unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev.\n\nMy patch add a \"error_init_remote\" label to handle the error of\nibmasm_init_remote_input_dev(), to avoid the uaf bugs.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -52,8 +57,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:20Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-f8fr-xvcp-37m8/GHSA-f8fr-xvcp-37m8.json b/advisories/unreviewed/2024/05/GHSA-f8fr-xvcp-37m8/GHSA-f8fr-xvcp-37m8.json
index 6dfee66567656..ef0121ce133d8 100644
--- a/advisories/unreviewed/2024/05/GHSA-f8fr-xvcp-37m8/GHSA-f8fr-xvcp-37m8.json
+++ b/advisories/unreviewed/2024/05/GHSA-f8fr-xvcp-37m8/GHSA-f8fr-xvcp-37m8.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f8fr-xvcp-37m8",
- "modified": "2024-05-21T15:31:42Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-05-21T15:31:42Z",
 "aliases": [
 "CVE-2021-47318"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\narch_topology: Avoid use-after-free for scale_freq_data\n\nCurrently topology_scale_freq_tick() (which gets called from\nscheduler_tick()) may end up using a pointer to \"struct\nscale_freq_data\", which was previously cleared by\ntopology_clear_scale_freq_source(), as there is no protection in place\nhere. The users of topology_clear_scale_freq_source() though needs a\nguarantee that the previously cleared scale_freq_data isn't used\nanymore, so they can free the related resources.\n\nSince topology_scale_freq_tick() is called from scheduler tick, we don't\nwant to add locking in there. Use the RCU update mechanism instead\n(which is already used by the scheduler's utilization update path) to\nguarantee race free updates here.\n\nsynchronize_rcu() makes sure that all RCU critical sections that started\nbefore it is called, will finish before it returns. And so the callers\nof topology_clear_scale_freq_source() don't need to worry about their\ncallback getting called anymore.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -24,8 +29,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:19Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-fhjr-hghh-2jv9/GHSA-fhjr-hghh-2jv9.json b/advisories/unreviewed/2024/05/GHSA-fhjr-hghh-2jv9/GHSA-fhjr-hghh-2jv9.json
index 8bae8081d150e..b18171ba3982b 100644
--- a/advisories/unreviewed/2024/05/GHSA-fhjr-hghh-2jv9/GHSA-fhjr-hghh-2jv9.json
+++ b/advisories/unreviewed/2024/05/GHSA-fhjr-hghh-2jv9/GHSA-fhjr-hghh-2jv9.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fhjr-hghh-2jv9",
- "modified": "2024-05-21T15:31:42Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-05-21T15:31:42Z",
 "aliases": [
 "CVE-2021-47321"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: Fix possible use-after-free by calling del_timer_sync()\n\nThis driver's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -52,8 +57,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:19Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-g595-9cfg-4hxm/GHSA-g595-9cfg-4hxm.json b/advisories/unreviewed/2024/05/GHSA-g595-9cfg-4hxm/GHSA-g595-9cfg-4hxm.json
index 8034b787ab283..f9a86e3c52b90 100644
--- a/advisories/unreviewed/2024/05/GHSA-g595-9cfg-4hxm/GHSA-g595-9cfg-4hxm.json
+++ b/advisories/unreviewed/2024/05/GHSA-g595-9cfg-4hxm/GHSA-g595-9cfg-4hxm.json
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-g595-9cfg-4hxm", - "modified": "2024-05-21T15:31:42Z", + "modified": "2024-12-26T21:30:35Z", "published": "2024-05-21T15:31:42Z", "aliases": [ "CVE-2021-47302" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: Fix use-after-free error during reset\n\nCleans the next descriptor to watch (next_to_watch) when cleaning the\nTX ring.\n\nFailure to do so can cause invalid memory accesses. If igc_poll() runs\nwhile the controller is being reset this can lead to the driver try to\nfree a skb that was already freed.\n\nLog message:\n\n [ 101.525242] refcount_t: underflow; use-after-free.\n [ 101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0\n [ 101.525259] Modules linked in: sch_etf(E) sch_mqprio(E) rfkill(E) intel_rapl_msr(E) intel_rapl_common(E)\n x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) binfmt_misc(E) kvm_intel(E) kvm(E) irqbypass(E) crc32_pclmul(E)\n ghash_clmulni_intel(E) aesni_intel(E) mei_wdt(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_hdmi(E)\n rapl(E) intel_cstate(E) snd_hda_intel(E) snd_intel_dspcfg(E) sg(E) soundwire_intel(E) intel_uncore(E) at24(E)\n soundwire_generic_allocation(E) iTCO_wdt(E) soundwire_cadence(E) intel_pmc_bxt(E) serio_raw(E) snd_hda_codec(E)\n iTCO_vendor_support(E) watchdog(E) snd_hda_core(E) snd_hwdep(E) snd_soc_core(E) snd_compress(E) snd_pcsp(E)\n soundwire_bus(E) snd_pcm(E) evdev(E) snd_timer(E) mei_me(E) snd(E) soundcore(E) mei(E) configfs(E) ip_tables(E) x_tables(E)\n autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E)\n i915(E) ahci(E) libahci(E) ehci_pci(E) igb(E) xhci_pci(E) ehci_hcd(E)\n [ 101.525303] drm_kms_helper(E) dca(E) xhci_hcd(E) libata(E) crct10dif_pclmul(E) cec(E) crct10dif_common(E) tsn(E) igc(E)\n e1000e(E) ptp(E) i2c_i801(E) crc32c_intel(E) psmouse(E) i2c_algo_bit(E) 
i2c_smbus(E) scsi_mod(E) lpc_ich(E) pps_core(E)\n usbcore(E) drm(E) button(E) video(E)\n [ 101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G E 5.10.30-rt37-tsn1-rt-ipipe #ipipe\n [ 101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017\n [ 101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0\n [ 101.525325] Code: 05 31 48 44 01 01 e8 f0 c6 42 00 0f 0b c3 80 3d 1f 48 44 01 00 75 90 48 c7 c7 78 a8 f3 a6 c6 05 0f 48\n 44 01 01 e8 d1 c6 42 00 <0f> 0b c3 80 3d fe 47 44 01 00 0f 85 6d ff ff ff 48 c7 c7 d0 a8 f3\n [ 101.525327] RSP: 0018:ffffbdedc0917cb8 EFLAGS: 00010286\n [ 101.525329] RAX: 0000000000000000 RBX: ffff98fd6becbf40 RCX: 0000000000000001\n [ 101.525330] RDX: 0000000000000001 RSI: ffffffffa6f2700c RDI: 00000000ffffffff\n [ 101.525332] RBP: ffff98fd6becc14c R08: ffffffffa7463d00 R09: ffffbdedc0917c50\n [ 101.525333] R10: ffffffffa74c3578 R11: 0000000000000034 R12: 00000000ffffff00\n [ 101.525335] R13: ffff98fd6b0b1000 R14: 0000000000000039 R15: ffff98fd6be35c40\n [ 101.525337] FS: 0000000000000000(0000) GS:ffff98fd6e240000(0000) knlGS:0000000000000000\n [ 101.525339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 101.525341] CR2: 00007f34135a3a70 CR3: 0000000150210003 CR4: 00000000001706e0\n [ 101.525343] Call Trace:\n [ 101.525346] sock_wfree+0x9c/0xa0\n [ 101.525353] unix_destruct_scm+0x7b/0xa0\n [ 101.525358] skb_release_head_state+0x40/0x90\n [ 101.525362] skb_release_all+0xe/0x30\n [ 101.525364] napi_consume_skb+0x57/0x160\n [ 101.525367] igc_poll+0xb7/0xc80 [igc]\n [ 101.525376] ? sched_clock+0x5/0x10\n [ 101.525381] ? sched_clock_cpu+0xe/0x100\n [ 101.525385] net_rx_action+0x14c/0x410\n [ 101.525388] __do_softirq+0xe9/0x2f4\n [ 101.525391] __local_bh_enable_ip+0xe3/0x110\n [ 101.525395] ? irq_finalize_oneshot.part.47+0xe0/0xe0\n [ 101.525398] irq_forced_thread_fn+0x6a/0x80\n [ 101.525401] irq_thread+0xe8/0x180\n [ 101.525403] ? wake_threads_waitq+0x30/0x30\n [ 101.525406] ? 
irq_thread_check_affinity+0xd0/0xd0\n [ 101.525408] kthread+0x183/0x1a0\n [ 101.525412] ? kthread_park+0x80/0x80\n [ 101.525415] ret_from_fork+0x22/0x30", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -32,8 +37,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-416" + ], + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-05-21T15:15:17Z" diff --git a/advisories/unreviewed/2024/05/GHSA-j469-qwv3-79fj/GHSA-j469-qwv3-79fj.json b/advisories/unreviewed/2024/05/GHSA-j469-qwv3-79fj/GHSA-j469-qwv3-79fj.json index c25e159a39a02..94615e1fe73fe 100644 --- a/advisories/unreviewed/2024/05/GHSA-j469-qwv3-79fj/GHSA-j469-qwv3-79fj.json +++ b/advisories/unreviewed/2024/05/GHSA-j469-qwv3-79fj/GHSA-j469-qwv3-79fj.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-j469-qwv3-79fj", - "modified": "2024-05-21T15:31:43Z", + "modified": "2024-12-26T21:30:36Z", "published": "2024-05-21T15:31:43Z", "aliases": [ "CVE-2021-47355" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: nicstar: Fix possible use-after-free in nicstar_cleanup()\n\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { 
@@ -52,8 +57,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:21Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-j8g9-5p8g-4f3x/GHSA-j8g9-5p8g-4f3x.json b/advisories/unreviewed/2024/05/GHSA-j8g9-5p8g-4f3x/GHSA-j8g9-5p8g-4f3x.json
index 31607e003f904..6135c4dbd7f73 100644
--- a/advisories/unreviewed/2024/05/GHSA-j8g9-5p8g-4f3x/GHSA-j8g9-5p8g-4f3x.json
+++ b/advisories/unreviewed/2024/05/GHSA-j8g9-5p8g-4f3x/GHSA-j8g9-5p8g-4f3x.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j8g9-5p8g-4f3x",
- "modified": "2024-05-21T15:31:42Z",
+ "modified": "2024-12-26T21:30:35Z",
 "published": "2024-05-21T15:31:42Z",
 "aliases": [
 "CVE-2021-47306"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fddi: fix UAF in fza_probe\n\nfp is netdev private data and it cannot be\nused after free_netdev() call. Using fp after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() after error message.\n\nTURBOchannel adapter\")",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -32,8 +37,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:18Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-jq6v-72pf-8j24/GHSA-jq6v-72pf-8j24.json b/advisories/unreviewed/2024/05/GHSA-jq6v-72pf-8j24/GHSA-jq6v-72pf-8j24.json
index 08dca9416072e..7ee99ba30562b 100644
--- a/advisories/unreviewed/2024/05/GHSA-jq6v-72pf-8j24/GHSA-jq6v-72pf-8j24.json
+++ b/advisories/unreviewed/2024/05/GHSA-jq6v-72pf-8j24/GHSA-jq6v-72pf-8j24.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jq6v-72pf-8j24",
- "modified": "2024-05-21T15:31:44Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-05-21T15:31:44Z",
 "aliases": [
 "CVE-2021-47361"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmcb: fix error handling in mcb_alloc_bus()\n\nThere are two bugs:\n1) If ida_simple_get() fails then this code calls put_device(carrier)\n but we haven't yet called get_device(carrier) and probably that\n leads to a use after free.\n2) After device_initialize() then we need to use put_device() to\n release the bus. This will free the internal resources tied to the\n device and call mcb_free_bus() which will free the rest.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -44,8 +49,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:22Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-jvc3-6gh7-chwx/GHSA-jvc3-6gh7-chwx.json b/advisories/unreviewed/2024/05/GHSA-jvc3-6gh7-chwx/GHSA-jvc3-6gh7-chwx.json
index ba154679c7de7..ca8aa673cb606 100644
--- a/advisories/unreviewed/2024/05/GHSA-jvc3-6gh7-chwx/GHSA-jvc3-6gh7-chwx.json
+++ b/advisories/unreviewed/2024/05/GHSA-jvc3-6gh7-chwx/GHSA-jvc3-6gh7-chwx.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jvc3-6gh7-chwx",
- "modified": "2024-05-03T18:30:37Z",
+ "modified": "2024-12-26T21:30:35Z",
 "published": "2024-05-03T18:30:37Z",
 "aliases": [
 "CVE-2022-48695"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix use-after-free warning\n\nFix the following use-after-free warning which is observed during\ncontroller reset:\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -48,8 +53,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-03T18:15:08Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-m2xg-x7vq-c628/GHSA-m2xg-x7vq-c628.json b/advisories/unreviewed/2024/05/GHSA-m2xg-x7vq-c628/GHSA-m2xg-x7vq-c628.json
index 03da42efa7a4d..7bcf2cefe8a2f 100644
--- a/advisories/unreviewed/2024/05/GHSA-m2xg-x7vq-c628/GHSA-m2xg-x7vq-c628.json
+++ b/advisories/unreviewed/2024/05/GHSA-m2xg-x7vq-c628/GHSA-m2xg-x7vq-c628.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m2xg-x7vq-c628",
- "modified": "2024-05-21T15:31:42Z",
+ "modified": "2024-12-26T21:30:35Z",
 "published": "2024-05-21T15:31:42Z",
 "aliases": [
 "CVE-2021-47309"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: validate lwtstate->data before returning from skb_tunnel_info()\n\nskb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_info\ntype without validation. lwtstate->data can have various types such as\nmpls_iptunnel_encap, etc and these are not compatible.\nSo skb_tunnel_info() should validate before returning that pointer.\n\nSplat looks like:\nBUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan]\nRead of size 2 at addr ffff888106ec2698 by task ping/811\n\nCPU: 1 PID: 811 Comm: ping Not tainted 5.13.0+ #1195\nCall Trace:\n dump_stack_lvl+0x56/0x7b\n print_address_description.constprop.8.cold.13+0x13/0x2ee\n ? vxlan_get_route+0x418/0x4b0 [vxlan]\n ? vxlan_get_route+0x418/0x4b0 [vxlan]\n kasan_report.cold.14+0x83/0xdf\n ? vxlan_get_route+0x418/0x4b0 [vxlan]\n vxlan_get_route+0x418/0x4b0 [vxlan]\n [ ... ]\n vxlan_xmit_one+0x148b/0x32b0 [vxlan]\n [ ... ]\n vxlan_xmit+0x25c5/0x4780 [vxlan]\n [ ... ]\n dev_hard_start_xmit+0x1ae/0x6e0\n __dev_queue_xmit+0x1f39/0x31a0\n [ ... ]\n neigh_xmit+0x2f9/0x940\n mpls_xmit+0x911/0x1600 [mpls_iptunnel]\n lwtunnel_xmit+0x18f/0x450\n ip_finish_output2+0x867/0x2040\n [ ... ]",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -48,8 +53,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-125"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:18Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-qr6c-mgw3-xxq8/GHSA-qr6c-mgw3-xxq8.json b/advisories/unreviewed/2024/05/GHSA-qr6c-mgw3-xxq8/GHSA-qr6c-mgw3-xxq8.json
index 28c4e8b999d20..6fbed63375cf7 100644
--- a/advisories/unreviewed/2024/05/GHSA-qr6c-mgw3-xxq8/GHSA-qr6c-mgw3-xxq8.json
+++ b/advisories/unreviewed/2024/05/GHSA-qr6c-mgw3-xxq8/GHSA-qr6c-mgw3-xxq8.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qr6c-mgw3-xxq8",
- "modified": "2024-05-21T15:31:43Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-05-21T15:31:43Z",
 "aliases": [
 "CVE-2021-47357"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: iphase: fix possible use-after-free in ia_module_exit()\n\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -52,8 +57,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:22Z"
diff --git a/advisories/unreviewed/2024/05/GHSA-w5h4-c4xx-3r8p/GHSA-w5h4-c4xx-3r8p.json b/advisories/unreviewed/2024/05/GHSA-w5h4-c4xx-3r8p/GHSA-w5h4-c4xx-3r8p.json
index 9576399b61291..00b7226aa7dc5 100644
--- a/advisories/unreviewed/2024/05/GHSA-w5h4-c4xx-3r8p/GHSA-w5h4-c4xx-3r8p.json
+++ b/advisories/unreviewed/2024/05/GHSA-w5h4-c4xx-3r8p/GHSA-w5h4-c4xx-3r8p.json
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-w5h4-c4xx-3r8p", - "modified": "2024-05-21T15:31:42Z", + "modified": "2024-12-26T21:30:35Z", "published": "2024-05-21T15:31:42Z", "aliases": [ "CVE-2021-47300" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix tail_call_reachable rejection for interpreter when jit failed\n\nDuring testing of f263a81451c1 (\"bpf: Track subprog poke descriptors correctly\nand fix use-after-free\") under various failure conditions, for example, when\njit_subprogs() fails and tries to clean up the program to be run under the\ninterpreter, we ran into the following freeze:\n\n [...]\n #127/8 tailcall_bpf2bpf_3:FAIL\n [...]\n [ 92.041251] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1b9d/0x2e20\n [ 92.042408] Read of size 8 at addr ffff88800da67f68 by task test_progs/682\n [ 92.043707]\n [ 92.044030] CPU: 1 PID: 682 Comm: test_progs Tainted: G O 5.13.0-53301-ge6c08cb33a30-dirty #87\n [ 92.045542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014\n [ 92.046785] Call Trace:\n [ 92.047171] ? __bpf_prog_run_args64+0xc0/0xc0\n [ 92.047773] ? __bpf_prog_run_args32+0x8b/0xb0\n [ 92.048389] ? __bpf_prog_run_args64+0xc0/0xc0\n [ 92.049019] ? ktime_get+0x117/0x130\n [...] // few hundred [similar] lines more\n [ 92.659025] ? ktime_get+0x117/0x130\n [ 92.659845] ? __bpf_prog_run_args64+0xc0/0xc0\n [ 92.660738] ? __bpf_prog_run_args32+0x8b/0xb0\n [ 92.661528] ? __bpf_prog_run_args64+0xc0/0xc0\n [ 92.662378] ? print_usage_bug+0x50/0x50\n [ 92.663221] ? print_usage_bug+0x50/0x50\n [ 92.664077] ? bpf_ksym_find+0x9c/0xe0\n [ 92.664887] ? ktime_get+0x117/0x130\n [ 92.665624] ? kernel_text_address+0xf5/0x100\n [ 92.666529] ? __kernel_text_address+0xe/0x30\n [ 92.667725] ? unwind_get_return_address+0x2f/0x50\n [ 92.668854] ? ___bpf_prog_run+0x15d4/0x2e20\n [ 92.670185] ? ktime_get+0x117/0x130\n [ 92.671130] ? __bpf_prog_run_args64+0xc0/0xc0\n [ 92.672020] ? 
__bpf_prog_run_args32+0x8b/0xb0\n [ 92.672860] ? __bpf_prog_run_args64+0xc0/0xc0\n [ 92.675159] ? ktime_get+0x117/0x130\n [ 92.677074] ? lock_is_held_type+0xd5/0x130\n [ 92.678662] ? ___bpf_prog_run+0x15d4/0x2e20\n [ 92.680046] ? ktime_get+0x117/0x130\n [ 92.681285] ? __bpf_prog_run32+0x6b/0x90\n [ 92.682601] ? __bpf_prog_run64+0x90/0x90\n [ 92.683636] ? lock_downgrade+0x370/0x370\n [ 92.684647] ? mark_held_locks+0x44/0x90\n [ 92.685652] ? ktime_get+0x117/0x130\n [ 92.686752] ? lockdep_hardirqs_on+0x79/0x100\n [ 92.688004] ? ktime_get+0x117/0x130\n [ 92.688573] ? __cant_migrate+0x2b/0x80\n [ 92.689192] ? bpf_test_run+0x2f4/0x510\n [ 92.689869] ? bpf_test_timer_continue+0x1c0/0x1c0\n [ 92.690856] ? rcu_read_lock_bh_held+0x90/0x90\n [ 92.691506] ? __kasan_slab_alloc+0x61/0x80\n [ 92.692128] ? eth_type_trans+0x128/0x240\n [ 92.692737] ? __build_skb+0x46/0x50\n [ 92.693252] ? bpf_prog_test_run_skb+0x65e/0xc50\n [ 92.693954] ? bpf_prog_test_run_raw_tp+0x2d0/0x2d0\n [ 92.694639] ? __fget_light+0xa1/0x100\n [ 92.695162] ? bpf_prog_inc+0x23/0x30\n [ 92.695685] ? __sys_bpf+0xb40/0x2c80\n [ 92.696324] ? bpf_link_get_from_fd+0x90/0x90\n [ 92.697150] ? mark_held_locks+0x24/0x90\n [ 92.698007] ? lockdep_hardirqs_on_prepare+0x124/0x220\n [ 92.699045] ? finish_task_switch+0xe6/0x370\n [ 92.700072] ? lockdep_hardirqs_on+0x79/0x100\n [ 92.701233] ? finish_task_switch+0x11d/0x370\n [ 92.702264] ? __switch_to+0x2c0/0x740\n [ 92.703148] ? mark_held_locks+0x24/0x90\n [ 92.704155] ? __x64_sys_bpf+0x45/0x50\n [ 92.705146] ? do_syscall_64+0x35/0x80\n [ 92.706953] ? entry_SYSCALL_64_after_hwframe+0x44/0xae\n [...]\n\nTurns out that the program rejection from e411901c0b77 (\"bpf: allow for tailcalls\nin BPF subprograms for x64 JIT\") is buggy since env->prog->aux->tail_call_reachable\nis never true. 
Commit ebf7d1f508a7 (\"bpf, x64: rework pro/epilogue and tailcall\nhandling in JIT\") added a tracker into check_max_stack_depth() which propagates\nthe tail_call_reachable condition throughout the subprograms. This info is then\nassigned to the subprogram's \n---truncated---", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], "affected": [], "references": [ { @@ -28,8 +33,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-125" + ], + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-05-21T15:15:17Z" diff --git a/advisories/unreviewed/2024/05/GHSA-w825-9xqr-f6q3/GHSA-w825-9xqr-f6q3.json b/advisories/unreviewed/2024/05/GHSA-w825-9xqr-f6q3/GHSA-w825-9xqr-f6q3.json index ce27a8bcdeb0f..d2b2932bde7ff 100644 --- a/advisories/unreviewed/2024/05/GHSA-w825-9xqr-f6q3/GHSA-w825-9xqr-f6q3.json +++ b/advisories/unreviewed/2024/05/GHSA-w825-9xqr-f6q3/GHSA-w825-9xqr-f6q3.json 
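Review bot: The two CWE-125 records in this commit are scored differently: in this file (GHSA-w5h4-c4xx-3r8p) the added vector ends `C:N/I:N/A:H` with `"severity": "MODERATE"`, while GHSA-m2xg-x7vq-c628, whose details also quote a KASAN slab-out-of-bounds read, gets `C:H/I:N/A:H` and `"severity": "HIGH"`. The details here describe the symptom as a freeze, which fits an availability-only score, so the imported values may well be correct. Both records keep `"github_reviewed": false`, so nothing in the diff shows that the difference was checked by a reviewer. Anyone promoting this record should confirm `C:N` against the upstream entry for CVE-2021-47300, and consumers triaging on `database_specific.severity` should read the label as an unreviewed upstream score.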
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-w825-9xqr-f6q3", - "modified": "2024-05-21T15:31:42Z", + "modified": "2024-12-26T21:30:35Z", "published": "2024-05-21T15:31:42Z", "aliases": [ "CVE-2021-47303" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Track subprog poke descriptors correctly and fix use-after-free\n\nSubprograms are calling map_poke_track(), but on program release there is no\nhook to call map_poke_untrack(). However, on program release, the aux memory\n(and poke descriptor table) is freed even though we still have a reference to\nit in the element list of the map aux data. When we run map_poke_run(), we then\nend up accessing free'd memory, triggering KASAN in prog_array_map_poke_run():\n\n [...]\n [ 402.824689] BUG: KASAN: use-after-free in prog_array_map_poke_run+0xc2/0x34e\n [ 402.824698] Read of size 4 at addr ffff8881905a7940 by task hubble-fgs/4337\n [ 402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Tainted: G I 5.12.0+ #399\n [ 402.824715] Call Trace:\n [ 402.824719] dump_stack+0x93/0xc2\n [ 402.824727] print_address_description.constprop.0+0x1a/0x140\n [ 402.824736] ? prog_array_map_poke_run+0xc2/0x34e\n [ 402.824740] ? prog_array_map_poke_run+0xc2/0x34e\n [ 402.824744] kasan_report.cold+0x7c/0xd8\n [ 402.824752] ? 
prog_array_map_poke_run+0xc2/0x34e\n [ 402.824757] prog_array_map_poke_run+0xc2/0x34e\n [ 402.824765] bpf_fd_array_map_update_elem+0x124/0x1a0\n [...]\n\nThe elements concerned are walked as follows:\n\n for (i = 0; i < elem->aux->size_poke_tab; i++) {\n poke = &elem->aux->poke_tab[i];\n [...]\n\nThe access to size_poke_tab is a 4 byte read, verified by checking offsets\nin the KASAN dump:\n\n [ 402.825004] The buggy address belongs to the object at ffff8881905a7800\n which belongs to the cache kmalloc-1k of size 1024\n [ 402.825008] The buggy address is located 320 bytes inside of\n 1024-byte region [ffff8881905a7800, ffff8881905a7c00)\n\nThe pahole output of bpf_prog_aux:\n\n struct bpf_prog_aux {\n [...]\n /* --- cacheline 5 boundary (320 bytes) --- */\n u32 size_poke_tab; /* 320 4 */\n [...]\n\nIn general, subprograms do not necessarily manage their own data structures.\nFor example, BTF func_info and linfo are just pointers to the main program\nstructure. This allows reference counting and cleanup to be done on the latter\nwhich simplifies their management a bit. The aux->poke_tab struct, however,\ndid not follow this logic. The initial proposed fix for this use-after-free\nbug further embedded poke data tracking into the subprogram with proper\nreference counting. However, Daniel and Alexei questioned why we were treating\nthese objects special; I agree, its unnecessary. The fix here removes the per\nsubprogram poke table allocation and map tracking and instead simply points\nthe aux->poke_tab pointer at the main programs poke table. This way, map\ntracking is simplified to the main program and we do not need to manage them\nper subprogram.\n\nThis also means, bpf_prog_free_deferred(), which unwinds the program reference\ncounting and kfrees objects, needs to ensure that we don't try to double free\nthe poke_tab when free'ing the subprog structures. This is easily solved by\nNULL'ing the poke_tab pointer. 
The second detail is to ensure that per\nsubprogram JIT logic only does fixups on poke_tab[] entries it owns. To do\nthis, we add a pointer in the poke structure to point at the subprogram value\nso JITs can easily check while walking the poke_tab structure if the current\nentry belongs to the current program. The aux pointer is stable and therefore\nsuitable for such comparison. On the jit_subprogs() error path, we omit\ncleaning up the poke->aux field because these are only ever referenced from\nthe JIT side, but on error we will never make it to the JIT, so its fine to\nleave them dangling. Removing these pointers would complicate the error path\nfor no reason. However, we do need to untrack all poke descriptors from the\nmain program as otherwise they could race with the freeing of JIT memory from\nthe subprograms. Lastly, a748c6975dea3 (\"bpf: propagate poke des\n---truncated---", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -28,8 +33,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-416" + ], + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-05-21T15:15:18Z" diff --git a/advisories/unreviewed/2024/05/GHSA-xp4x-rp64-962g/GHSA-xp4x-rp64-962g.json b/advisories/unreviewed/2024/05/GHSA-xp4x-rp64-962g/GHSA-xp4x-rp64-962g.json index 21ce174d93911..a4d6ebd26a9ae 100644 --- a/advisories/unreviewed/2024/05/GHSA-xp4x-rp64-962g/GHSA-xp4x-rp64-962g.json +++ b/advisories/unreviewed/2024/05/GHSA-xp4x-rp64-962g/GHSA-xp4x-rp64-962g.json 
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xp4x-rp64-962g",
- "modified": "2024-05-21T15:31:44Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-05-21T15:31:44Z",
 "aliases": [
 "CVE-2021-47358"
 ],
 "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: greybus: uart: fix tty use after free\n\nUser space can hold a tty open indefinitely and tty drivers must not\nrelease the underlying structures until the last user is gone.\n\nSwitch to using the tty-port reference counter to manage the life time\nof the greybus tty state to avoid use after free after a disconnect.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -44,8 +49,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-05-21T15:15:22Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-2x7c-w8p7-47f7/GHSA-2x7c-w8p7-47f7.json b/advisories/unreviewed/2024/12/GHSA-2x7c-w8p7-47f7/GHSA-2x7c-w8p7-47f7.json
index fd4132eb40a1f..634d98eefcd5d 100644
--- a/advisories/unreviewed/2024/12/GHSA-2x7c-w8p7-47f7/GHSA-2x7c-w8p7-47f7.json
+++ b/advisories/unreviewed/2024/12/GHSA-2x7c-w8p7-47f7/GHSA-2x7c-w8p7-47f7.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2x7c-w8p7-47f7",
- "modified": "2024-12-25T18:30:45Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-12-25T18:30:45Z",
 "aliases": [
 "CVE-2024-56430"
 ],
 "details": "OpenFHE through 1.2.3 has a NULL pointer dereference in BinFHEContext::EvalFloor in lib/binfhe-base-scheme.cpp.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -31,7 +36,7 @@
 "cwe_ids": [
 "CWE-476"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-12-25T18:15:22Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-39w5-q8pm-33q9/GHSA-39w5-q8pm-33q9.json b/advisories/unreviewed/2024/12/GHSA-39w5-q8pm-33q9/GHSA-39w5-q8pm-33q9.json
new file mode 100644
index 0000000000000..e76b299ea478e
--- /dev/null
+++ b/advisories/unreviewed/2024/12/GHSA-39w5-q8pm-33q9/GHSA-39w5-q8pm-33q9.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-39w5-q8pm-33q9",
+ "modified": "2024-12-26T21:30:36Z",
+ "published": "2024-12-26T21:30:36Z",
+ "aliases": [
+ "CVE-2024-12965"
+ ],
+ "details": "A vulnerability was found in 1000 Projects Portfolio Management System MCA 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /update_ex_detail.php. The manipulation of the argument q leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12965"
+ },
+ {
+ "type": "WEB",
+ "url": "https://1000projects.org"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dawatermelon/CVE/blob/main/Portfolio%20Management%20System%20MCA%20Project/README10.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.289330"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.289330"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.468989"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-12-26T21:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/12/GHSA-3fjf-jf49-wrvp/GHSA-3fjf-jf49-wrvp.json b/advisories/unreviewed/2024/12/GHSA-3fjf-jf49-wrvp/GHSA-3fjf-jf49-wrvp.json
new file mode 100644
index 0000000000000..49ecbf237eeb0
--- /dev/null
+++ b/advisories/unreviewed/2024/12/GHSA-3fjf-jf49-wrvp/GHSA-3fjf-jf49-wrvp.json
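Review bot: The `cwe_ids` array added for GHSA-39w5-q8pm-33q9 lists only `CWE-74`, while the `details` text states that the argument q "leads to sql injection"; the specific class is CWE-89, so consumers that filter or alert on CWE-89 will not match this record. I would record it as `"CWE-74", "CWE-89"` inside `cwe_ids`, provided the upstream CVE record supports it. The same applies to the other new advisories in this commit that describe SQL injection with `CWE-74` only: GHSA-3fjf-jf49-wrvp, GHSA-g4g7-2qvf-xwh3, GHSA-mwc8-m5w9-fmf3 and GHSA-x9rv-22wp-hr83. The prose also says "critical" while `database_specific.severity` is `MODERATE`, so tooling should read the structured field rather than the wording.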
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3fjf-jf49-wrvp",
+ "modified": "2024-12-26T21:30:37Z",
+ "published": "2024-12-26T21:30:36Z",
+ "aliases": [
+ "CVE-2024-12966"
+ ],
+ "details": "A vulnerability was found in code-projects Job Recruitment 1.0. It has been rated as critical. This issue affects the function cn_update of the file /_parse/_all_edits.php. The manipulation of the argument cname/url leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12966"
+ },
+ {
+ "type": "WEB",
+ "url": "https://code-projects.org"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Viper0617/cve/blob/main/sql-viper.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.289331"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.289331"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.469000"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-12-26T21:15:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/12/GHSA-8g3g-85w5-qrm6/GHSA-8g3g-85w5-qrm6.json b/advisories/unreviewed/2024/12/GHSA-8g3g-85w5-qrm6/GHSA-8g3g-85w5-qrm6.json
index 5c2ed291b3210..bf22f98566164 100644
--- a/advisories/unreviewed/2024/12/GHSA-8g3g-85w5-qrm6/GHSA-8g3g-85w5-qrm6.json
+++ b/advisories/unreviewed/2024/12/GHSA-8g3g-85w5-qrm6/GHSA-8g3g-85w5-qrm6.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8g3g-85w5-qrm6",
- "modified": "2024-12-21T00:33:04Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-12-21T00:33:04Z",
 "aliases": [
 "CVE-2020-13712"
 ],
 "details": "A command injection is possible through the user interface, allowing arbitrary command execution as \nthe root user. oMG2000 running MGOS 3.15.1 or earlier is affected. \n\nMG90 running MGOS 4.2.1 or earlier is affected.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -21,9 +26,10 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-77",
 "CWE-78"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-12-20T22:15:23Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-g4g7-2qvf-xwh3/GHSA-g4g7-2qvf-xwh3.json b/advisories/unreviewed/2024/12/GHSA-g4g7-2qvf-xwh3/GHSA-g4g7-2qvf-xwh3.json
new file mode 100644
index 0000000000000..b2469099e0cf7
--- /dev/null
+++ b/advisories/unreviewed/2024/12/GHSA-g4g7-2qvf-xwh3/GHSA-g4g7-2qvf-xwh3.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g4g7-2qvf-xwh3",
+ "modified": "2024-12-26T21:30:37Z",
+ "published": "2024-12-26T21:30:36Z",
+ "aliases": [
+ "CVE-2024-12964"
+ ],
+ "details": "A vulnerability was found in 1000 Projects Daily College Class Work Report Book 1.0. It has been classified as critical. This affects an unknown part of the file /login.php. The manipulation of the argument user leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12964"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/alc9700jmo/CVE/issues/4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://1000projects.org"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.289329"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.289329"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.468976"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-12-26T20:15:21Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/12/GHSA-h369-f67q-2q4c/GHSA-h369-f67q-2q4c.json b/advisories/unreviewed/2024/12/GHSA-h369-f67q-2q4c/GHSA-h369-f67q-2q4c.json
index f6a140c26a72a..1c0cc03d63f8f 100644
--- a/advisories/unreviewed/2024/12/GHSA-h369-f67q-2q4c/GHSA-h369-f67q-2q4c.json
+++ b/advisories/unreviewed/2024/12/GHSA-h369-f67q-2q4c/GHSA-h369-f67q-2q4c.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-h369-f67q-2q4c",
- "modified": "2024-12-23T00:30:54Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-12-23T00:30:54Z",
 "aliases": [
 "CVE-2024-56378"
 ],
 "details": "libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -28,8 +33,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-125"
+ ],
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-12-23T00:15:05Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-hjvf-q4w6-qv8p/GHSA-hjvf-q4w6-qv8p.json b/advisories/unreviewed/2024/12/GHSA-hjvf-q4w6-qv8p/GHSA-hjvf-q4w6-qv8p.json
index 7df33939be8d5..4f8740850e65d 100644
--- a/advisories/unreviewed/2024/12/GHSA-hjvf-q4w6-qv8p/GHSA-hjvf-q4w6-qv8p.json
+++ b/advisories/unreviewed/2024/12/GHSA-hjvf-q4w6-qv8p/GHSA-hjvf-q4w6-qv8p.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hjvf-q4w6-qv8p",
- "modified": "2024-12-18T06:30:49Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-12-18T06:30:49Z",
 "aliases": [
 "CVE-2024-56170"
 ],
 "details": "A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI manifests are listings of relevant files that clients are supposed to verify. Assuming everything else is correct, the most recent version of a manifest should be prioritized over other versions, to prevent replays, accidental or otherwise. Manifests contain the manifestNumber and thisUpdate fields, which can be used to gauge the relevance of a given manifest, when compared to other manifests. The former is a serial-like sequential number, and the latter is the date on which the manifest was created. However, the product does not compare the up-to-dateness of the most recently fetched manifest against the cached manifest. As such, it's prone to a rollback to a previous version if it's served a valid outdated manifest. This leads to outdated route origin validation.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -20,8 +25,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-346"
+ ],
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-12-18T05:15:09Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-j5cm-9jc4-f88x/GHSA-j5cm-9jc4-f88x.json b/advisories/unreviewed/2024/12/GHSA-j5cm-9jc4-f88x/GHSA-j5cm-9jc4-f88x.json
index c1ee4b08856f5..4d9d5ab4d7ce0 100644
--- a/advisories/unreviewed/2024/12/GHSA-j5cm-9jc4-f88x/GHSA-j5cm-9jc4-f88x.json
+++ b/advisories/unreviewed/2024/12/GHSA-j5cm-9jc4-f88x/GHSA-j5cm-9jc4-f88x.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j5cm-9jc4-f88x",
- "modified": "2024-12-20T21:30:46Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-12-20T21:30:46Z",
 "aliases": [
 "CVE-2024-55509"
 ],
 "details": "SQL injection vulnerability in CodeAstro Complaint Management System v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via the id parameter of the delete.php component.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -20,8 +25,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-12-20T21:15:09Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-mwc8-m5w9-fmf3/GHSA-mwc8-m5w9-fmf3.json b/advisories/unreviewed/2024/12/GHSA-mwc8-m5w9-fmf3/GHSA-mwc8-m5w9-fmf3.json
new file mode 100644
index 0000000000000..8708f87523e68
--- /dev/null
+++ b/advisories/unreviewed/2024/12/GHSA-mwc8-m5w9-fmf3/GHSA-mwc8-m5w9-fmf3.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mwc8-m5w9-fmf3",
+ "modified": "2024-12-26T21:30:36Z",
+ "published": "2024-12-26T21:30:36Z",
+ "aliases": [
+ "CVE-2024-12962"
+ ],
+ "details": "A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /_parse/_all_edits.php. The manipulation of the argument skillset leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12962"
+ },
+ {
+ "type": "WEB",
+ "url": "https://code-projects.org"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/UnrealdDei/cve/blob/main/sql5.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.289327"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.289327"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.468921"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-12-26T19:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/12/GHSA-p5x7-32hj-qcxr/GHSA-p5x7-32hj-qcxr.json b/advisories/unreviewed/2024/12/GHSA-p5x7-32hj-qcxr/GHSA-p5x7-32hj-qcxr.json
new file mode 100644
index 0000000000000..2896dfacdd3e9
--- /dev/null
+++ b/advisories/unreviewed/2024/12/GHSA-p5x7-32hj-qcxr/GHSA-p5x7-32hj-qcxr.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p5x7-32hj-qcxr",
+ "modified": "2024-12-26T21:30:36Z",
+ "published": "2024-12-26T21:30:36Z",
+ "aliases": [
+ "CVE-2024-54907"
+ ],
+ "details": "TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Remote Code Execution in /bin/boa via formWsc.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54907"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/MnrikSrins/totolink_A3002R_RCE"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-12-26T19:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/12/GHSA-pjh7-rccm-x9qh/GHSA-pjh7-rccm-x9qh.json b/advisories/unreviewed/2024/12/GHSA-pjh7-rccm-x9qh/GHSA-pjh7-rccm-x9qh.json
index 44a82173b4b79..30b09fcc56f0c 100644
--- a/advisories/unreviewed/2024/12/GHSA-pjh7-rccm-x9qh/GHSA-pjh7-rccm-x9qh.json
+++ b/advisories/unreviewed/2024/12/GHSA-pjh7-rccm-x9qh/GHSA-pjh7-rccm-x9qh.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pjh7-rccm-x9qh",
- "modified": "2024-12-19T00:37:35Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-12-19T00:37:35Z",
 "aliases": [
 "CVE-2024-55506"
 ],
 "details": "An IDOR vulnerability in CodeAstro's Complaint Management System v1.0 (version with 0 updates) enables an attacker to execute arbitrary code and obtain sensitive information via the delete.php file and modifying the id parameter.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -20,8 +25,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-12-18T23:15:17Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-pjm4-fjw9-x2fh/GHSA-pjm4-fjw9-x2fh.json b/advisories/unreviewed/2024/12/GHSA-pjm4-fjw9-x2fh/GHSA-pjm4-fjw9-x2fh.json
index aaa3dafd5dcc7..02f2312d3b011 100644
--- a/advisories/unreviewed/2024/12/GHSA-pjm4-fjw9-x2fh/GHSA-pjm4-fjw9-x2fh.json
+++ b/advisories/unreviewed/2024/12/GHSA-pjm4-fjw9-x2fh/GHSA-pjm4-fjw9-x2fh.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pjm4-fjw9-x2fh",
- "modified": "2024-12-25T06:30:47Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-12-25T06:30:47Z",
 "aliases": [
 "CVE-2024-10858"
 ],
 "details": "The Jetpack WordPress plugin before 14.1 does not properly checks the postmessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -21,7 +26,7 @@
 ],
 "database_specific": {
 "cwe_ids": [],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-12-25T06:15:23Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-vc4g-xc77-7x3q/GHSA-vc4g-xc77-7x3q.json b/advisories/unreviewed/2024/12/GHSA-vc4g-xc77-7x3q/GHSA-vc4g-xc77-7x3q.json
index bb58384deb636..dca720545dfa1 100644
--- a/advisories/unreviewed/2024/12/GHSA-vc4g-xc77-7x3q/GHSA-vc4g-xc77-7x3q.json
+++ b/advisories/unreviewed/2024/12/GHSA-vc4g-xc77-7x3q/GHSA-vc4g-xc77-7x3q.json
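Review bot: `cwe_ids` stays `[]` in the second hunk for GHSA-pjm4-fjw9-x2fh even though this commit adds a CVSS vector and `"severity": "MODERATE"`, so the record gains a rating but no weakness class. The `details` text describes a postMessage origin check that can be bypassed, leading to DOM-XSS, which maps to CWE-79; I would set `"cwe_ids": ["CWE-79"]` once the upstream record confirms it. Without a class, CWE-based filters and dashboards will skip this advisory.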
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vc4g-xc77-7x3q",
- "modified": "2024-12-19T00:37:35Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-12-19T00:37:35Z",
 "aliases": [
 "CVE-2024-55231"
 ],
 "details": "An IDOR vulnerability in the edit-notes.php module of PHPGurukul Online Notes Sharing Management System v1.0 allows unauthorized users to modify notes belonging to other accounts due to missing authorization checks. This flaw exposes sensitive data and enables attackers to alter another user's information.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -20,8 +25,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-12-18T22:15:07Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-vpfg-w257-rq9f/GHSA-vpfg-w257-rq9f.json b/advisories/unreviewed/2024/12/GHSA-vpfg-w257-rq9f/GHSA-vpfg-w257-rq9f.json
index d35e60303456a..5dfbc3e444d1b 100644
--- a/advisories/unreviewed/2024/12/GHSA-vpfg-w257-rq9f/GHSA-vpfg-w257-rq9f.json
+++ b/advisories/unreviewed/2024/12/GHSA-vpfg-w257-rq9f/GHSA-vpfg-w257-rq9f.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vpfg-w257-rq9f",
- "modified": "2024-12-19T00:37:35Z",
+ "modified": "2024-12-26T21:30:36Z",
 "published": "2024-12-19T00:37:35Z",
 "aliases": [
 "CVE-2024-55232"
 ],
 "details": "An IDOR vulnerability in the manage-notes.php module in PHPGurukul Online Notes Sharing Management System v1.0 allows unauthorized users to delete notes belonging to other accounts due to missing authorization checks. This flaw enables attackers to delete another user's information.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -20,8 +25,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-290"
+ ],
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-12-18T22:15:07Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-x9rv-22wp-hr83/GHSA-x9rv-22wp-hr83.json b/advisories/unreviewed/2024/12/GHSA-x9rv-22wp-hr83/GHSA-x9rv-22wp-hr83.json
new file mode 100644
index 0000000000000..cfa2faa693aa8
--- /dev/null
+++ b/advisories/unreviewed/2024/12/GHSA-x9rv-22wp-hr83/GHSA-x9rv-22wp-hr83.json
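Review bot: The `cwe_ids` value added for GHSA-vpfg-w257-rq9f is `CWE-290` (authentication bypass by spoofing), but the `details` text describes an IDOR caused by missing authorization checks. The sibling advisory GHSA-vc4g-xc77-7x3q in this same commit, for the same product and flaw class, is tagged `CWE-639`; I would use `"CWE-639"` here as well unless the upstream record deliberately differs. Inconsistent classes for the same flaw make CWE-based triage and deduplication unreliable.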
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x9rv-22wp-hr83",
+ "modified": "2024-12-26T21:30:36Z",
+ "published": "2024-12-26T21:30:36Z",
+ "aliases": [
+ "CVE-2024-12963"
+ ],
+ "details": "A vulnerability was found in code-projects Job Recruitment 1.0 and classified as critical. Affected by this issue is the function add_xp of the file /_parse/_all_edits.php. The manipulation of the argument job_company leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12963"
+ },
+ {
+ "type": "WEB",
+ "url": "https://code-projects.org"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/UnrealdDei/cve/blob/main/sql6.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.289328"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.289328"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.468922"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-12-26T20:15:20Z"
+ }
+}
\ No newline at end of file