Browse, filter by detection status, or search by CVE to get visibility into upcoming and new detections (QIDs) for all severities.
Disclaimer: The Vulnerability Detection Pipeline is intended to give users an early insight into some of the CVEs the Qualys Research Team is investigating. It may not show all the CVEs that are actively being investigated. Specific CVE feature requests filed via a Qualys Support case may or may not show up on this page. Please reach out to Qualys Support for status of such support cases.
Under investigation:
We are researching a detection and will publish one if
it is feasible.
In development:
We are coding a detection and will typically publish it
within a few days.
Recently published:
We have published the detection on the date indicated,
and it will typically be available in the KnowledgeBase
on shared platforms within a day.
Non-Qualys customers can audit their network for all published vulnerabilities by signing up for a Qualys Free Trial or Qualys Community Edition.
Affected versions:
Apple Safari Versions Prior to 16.4
QID Detection Logic (Authenticated)
This QID checks for vulnerable versions of Apple Safari.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Affected versions:
Apple macOS Monterey Versions Prior to 12.6.4
QID Detection Logic (Authenticated)
This QID checks for vulnerable versions of Apple macOS Monterey.
Affected versions:
Apple macOS Ventura Versions Prior to 13.3
QID Detection Logic (Authenticated)
This QID checks for vulnerable versions of Apple macOS Ventura.
Affected versions:
Apple macOS Big Sur Versions Prior to 11.7.5
QID Detection Logic (Authenticated)
This QID checks for vulnerable versions of Apple macOS Big Sur.
Red Hat openshift container platform is Red Hat's cloud computing kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):Affected Products:
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
Affected Versions:
PHP versions before 7.4.33
PHP versions 8.0.0 prior to 8.0.25
PHP versions 8.1.0 prior to 8.1.12
QID Detection Logic (Unauthenticated):
This QID checks the HTTP Server header to see if the server is running a vulnerable version of PHP.
Starting April 2015, Oracle will no longer post updates of Java SE 7 to its public download sites as it has reached end of life support. Existing Java SE 7/1.7 downloads already posted as of April 2015 will remain accessible in the Java Archive on Oracle Technology Network.
Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public download.
Note:
Oracle offers updates to Java 7 only for customers who have purchased Java support or have Oracle products that require Java 7, but no public updates.
Affected OS:
Fedora 36
Affected OS:
Fedora 37
There is a security vulnerability related to the processing of X.400 addresses in an X.509 GeneralName. The issue is caused by a type confusion error in the way X.400 addresses are parsed as an ASN1_STRING but are specified as ASN1_TYPE in the GENERAL_NAME structure definition. This may allow an attacker to pass arbitrary pointers to a memcmp call, potentially enabling them to read memory contents or cause a denial of service attack. The attack may require the attacker to control both the certificate chain and CRL, and the vulnerability is most likely to affect applications with custom CRL retrieval functionality.
Affected Versions:
OpenSSL version 1.0.2 to 1.0.2zf
OpenSSL version 1.1.1 to 1.1.1q
OpenSSL version 3.0.0 to 3.0.7
QID Detection Logic: (Unauthenticated)
This QID checks for vulnerable version of OpenSSL by extracting OpenSSL version from HTTP response header.
This release of the Red Hat build of OpenJDK 11 (11.0.12) for Windows serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.11) and includes security and bug fixes, and enhancements.
OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432) (CVE-2021-2341)
OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967) (CVE-2021-2369)
OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066) (CVE-2021-2388)
Affected Versions:
Red Hat build of OpenJDK 11 (11.0.11) and later Versions and Prior to OpenJDK 11 (11.0.12)
QID Detection Logic (Authenticated):
This QID checks for:
"HKLM\Software\JavaSoft\Java Runtime Environment"
"HKLM\Software\Wow6432Node\JavaSoft\Java Runtime Environment"
"HKLM\Software\JavaSoft\Java Development Kit"
"HKLM\Software\Wow6432Node\JavaSoft\Java Development Kit"
"HKLM\Software\JavaSoft\JRE"
"HKLM\Software\Wow6432Node\JavaSoft\JRE"
"HKLM\Software\JavaSoft\JDK"
and "HKLM\Software\Wow6432Node\JavaSoft\JDK" subkeys and fetches JavaHome value, checks for bin\java.exe file existence in the fetched location, performs jar extraction to confirm Red Hat as the vendor, then reads the compare the version for file java.exe and posts the QID on Windows Operating Systems
OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432) (CVE-2021-2341).
OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967) (CVE-2021-2369)
OpenJDK: Incorrect comparison during range check elimination (Hotspot,8264066) (CVE-2021-2388)
Affected Versions:
Red Hat build of OpenJDK 8 (1.8.0.292) and later Versions and Prior to OpenJDK 8 (1.8.0.302)
QID Detection Logic (Authenticated)
This QID checks for the below registry keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ,"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall and sub values to check Publisher and Display version.
This release of the Red Hat build of OpenJDK 11 (11.0.13) for Windows serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.12) and includes security and bug fixes, and enhancements..
OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565).
OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567).
OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210) (CVE-2021-35550).
OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167) (CVE-2021-35556).
OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580) (CVE-2021-35559).
OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561).
OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137) (CVE-2021-35564).
OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729) (CVE-2021-35578).
OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735) (CVE-2021-35586).
OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618) (CVE-2021-35603).
Affected Versions:
Red Hat build of OpenJDK 11 (11.0.12) and later Versions and Prior to OpenJDK 11 (11.0.13)
QID Detection Logic (Authenticated):
This QID checks for:
"HKLM\Software\JavaSoft\Java Runtime Environment"
"HKLM\Software\Wow6432Node\JavaSoft\Java Runtime Environment"
"HKLM\Software\JavaSoft\Java Development Kit"
"HKLM\Software\Wow6432Node\JavaSoft\Java Development Kit"
"HKLM\Software\JavaSoft\JRE"
"HKLM\Software\Wow6432Node\JavaSoft\JRE"
"HKLM\Software\JavaSoft\JDK"
and "HKLM\Software\Wow6432Node\JavaSoft\JDK" subkeys and fetches JavaHome value, checks for bin\java.exe file existence in the fetched location, performs jar extraction to confirm Red Hat as the vendor, then reads the compare the version for file java.exe and posts the QID on Windows Operating Systems
The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.
Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565)
Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567)
Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210) (CVE-2021-35550)
Excessive memory allocation in RTFParser (Swing, 8265167) (CVE-2021-35556)
Excessive memory allocation in RTFReader (Swing, 8265580) (CVE-2021-35559)
Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561)
Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137) (CVE-2021-35564)
Unexpected exception raised during TLS handshake (JSSE, 8267729) (CVE-2021-35578)
Excessive memory allocation in BMPImageReader (ImageIO, 8267735) (CVE-2021-35586)
Incomplete validation of inner class references in ClassFileParser (Hotspot, 8268071) (CVE-2021-35588)
Non-constant comparison during TLS handshakes (JSSE, 8269618) (CVE-2021-35603)
Affected Versions:
Red Hat build of OpenJDK 8 (1.8.0.302) and later Versions and Prior to OpenJDK 8 (1.8.0.312)
QID Detection Logic (Authenticated)
This QID checks for the below registry keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ,"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall and sub values to check Publisher and Display version.
This release of the Red Hat build of OpenJDK 11 (11.0.11) for Windows serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.10) and includes security and bug fixes, and enhancements.
OpenJDK: Incorrect handling of partially quoted arguments in ProcessBuilder on Windows (Libraries, 8250568) (CVE-2021-2161)
OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906) (CVE-2021-2163)
Affected Versions:
Red Hat build of OpenJDK 11 (11.0.10) and later Versions and Prior to OpenJDK 11 (11.0.11)
QID Detection Logic (Authenticated):
This QID checks for:
"HKLM\Software\JavaSoft\Java Runtime Environment"
"HKLM\Software\Wow6432Node\JavaSoft\Java Runtime Environment"
"HKLM\Software\JavaSoft\Java Development Kit"
"HKLM\Software\Wow6432Node\JavaSoft\Java Development Kit"
"HKLM\Software\JavaSoft\JRE"
"HKLM\Software\Wow6432Node\JavaSoft\JRE"
"HKLM\Software\JavaSoft\JDK"
and "HKLM\Software\Wow6432Node\JavaSoft\JDK" subkeys and fetches JavaHome value, checks for bin\java.exe file existence in the fetched location, performs jar extraction to confirm Red Hat as the vendor, then reads the compare the version for file java.exe and posts the QID on Windows Operating Systems
The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.
This release of the Red Hat build of OpenJDK 8 (1.8.0.292) for Windows serves as a replacement for the Red Hat build of OpenJDK 8 (1.8.0.282) and includes security and bug fixes, and enhancements.
OpenJDK: Incorrect handling of partially quoted arguments in ProcessBuilder on Windows (Libraries, 8250568) (CVE-2021-2161)
OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906) (CVE-2021-2163)
Affected Versions:
Red Hat build of OpenJDK 8 (1.8.0.282) and later Versions and Prior to OpenJDK 8 (1.8.0.292)
QID Detection Logic (Authenticated)
This QID checks for the below registry keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ,"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall and sub values to check Publisher and Display version.
The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.
OpenJDK: Unexpected exception thrown in regex Pattern (Libraries, 8268813) (CVE-2022-21283).
OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392) (CVE-2022-21293).
OpenJDK: Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416) (CVE-2022-21294).
OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492) (CVE-2022-21282).
OpenJDK: Incorrect access checks in XMLEntityManager (JAXP, 8270498) (CVE-2022-21296).
OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299).
OpenJDK: Incorrect reading of TIFF files in TIFFNullDecompressor (ImageIO, 8270952) (CVE-2022-21277).
OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756) (CVE-2022-21360).
OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838) (CVE-2022-21365).
OpenJDK: Excessive memory allocation in TIFF*Decompressor (ImageIO, 8274096) (CVE-2022-21366).
OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934) (CVE-2022-21248).
OpenJDK: Incorrect marking of writeable fields (Hotspot, 8270386) (CVE-2022-21291).
OpenJDK: Array indexing issues in LIRGenerator (Hotspot, 8272014) (CVE-2022-21305).
OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026) (CVE-2022-21340).
OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236) (CVE-2022-21341).
Affected Versions:
Red Hat build of OpenJDK 17 (17.0.1) and later Versions and Prior to OpenJDK 17 (17.0.2)
QID Detection Logic (Authenticated):
This QID checks for:
"HKLM\Software\JavaSoft\Java Runtime Environment"
"HKLM\Software\Wow6432Node\JavaSoft\Java Runtime Environment"
"HKLM\Software\JavaSoft\Java Development Kit"
"HKLM\Software\Wow6432Node\JavaSoft\Java Development Kit"
"HKLM\Software\JavaSoft\JRE"
"HKLM\Software\Wow6432Node\JavaSoft\JRE"
"HKLM\Software\JavaSoft\JDK"
and "HKLM\Software\Wow6432Node\JavaSoft\JDK" subkeys and fetches JavaHome value, checks for bin\java.exe file existence in the fetched location, performs jar extraction to confirm Red Hat as the vendor, then reads the compare the version for file java.exe and posts the QID on Windows Operating Systems
When a user adds a Graphite data source, they can then use the data source in a dashboard. This capability contains a feature to use Functions. Once a function is selected, a small tooltip appears when hovering over the name of the function. This tooltip allows you to delete the selected Function from your query or show the Function Description. However, no sanitization is done when adding this description to the DOM.
Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.
Affected Versions:
Grafana versions from 8.5.0 to 8.5.21
Grafana versions from 9.2.0 to 9.2.14
Grafana versions from 9.3.0 to 9.3.10
Grafana versions from 9.4.0 to 9.4.6
CVE-2023-28303: Microsoft Windows Snipping Tool is vulnerable to Information Disclosure Vulnerability.
Affected Versions:
Snip and Sketch installed on Windows 10, app versions prior to 10.2008.3001.0
Snipping Tool installed on Windows 11, app versions prior to 11.2302.20.0
Patched Versions:
For Snip and Sketch installed on Windows 10, app versions 10.2008.3001.0 and later contain this update.
For Snipping Tool installed on Windows 11, app versions 11.2302.20.0 and later contain this update.
NOTE:
Only Snip/Sketch in Windows 10 and Snipping Tool in Windows 11 are affected by this vulnerability.
QID Detection Logic (Authenticated):
Windows: Checks for vulnerable version by using the following WMI query "select version from Win32_InstalledStoreProgram where name='Microsoft.ScreenSketch'".
Affected OS:
Fedora 37
Affected OS:
Fedora 36
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Affected OS:
Fedora 37
The Microsoft Visual C++ 2010 Redistributable Package installs runtime components of Visual C++ Libraries required to run applications developed with Visual C++ on a computer that does not have Visual C++ 2010 installed.
The Host is running Microsoft VC++ 2010 Redistributable which is not supported by Microsoft anymore.
QID Detection Logic (authenticated):
This QID checks if VC++ 2010 Redistributable Package is installed or not by checking the presence of 'msdia100.dll' file.
NOTE: This detection does not differentiate if the software is installed directly or shipped with other microsoft product.
The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks.
Affected OS:
Fedora 37
Affected Platform:
AIX 7.1, 7.2, 7.3
QID Detection Logic (Authenticated):
The detection checks for installed packages version via command lslpp -L | grep -i openssl.base. It also checks for interim fixes installed The detection posts vulnerable if installed package version is less than patched version and interim fixes are also not installed.
Affected OS:
Fedora 36
Affected OS:
Fedora 37
Affected Products:
Cisco IOS and IOS XE Software
NOTE:
This vulnerability affects those devices that are having at least one interface with both IPv6 enabled and the DHCPv6 client feature enabled.
QID Detection Logic (Authenticated):
The check matches Cisco IOS and IOS XE version retrieved via Unix Auth using "show version" command.
QID Detection Logic (Unauthenticated):
The check matches Cisco IOS and IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
Customers are advised to refer to cisco-sa-asaftdios-dhcpv6-cli-Zf3zTv for more information.
Affected Versions:
WebSphere Application Server Version 9.0.0.0 through 9.0.5.14
QID Detection Logic:(Authenticated)
It reads the fix xml file and WebSphereApplicationServer.properties to detect the vulnerable version and also checks for fix pack version.
Tomcat's RemoteIpFilter, when used with HTTP requests received from a reverse proxy that includes the X-Forwarded-Proto header set to https, may cause session cookies created by Tomcat to be transmitted over an insecure channel if the secure attribute is not included in the cookies. This could potentially expose sensitive user data to attackers.
Affected Versions:
Apache Tomcat 11.0.0-M1 to 11.0.0-M2
Apache Tomcat 10.1.0-M1 to 10.1.5
Apache Tomcat 9.0.0-M1 to 9.0.71
Apache Tomcat 8.5.0 to 8.5.85
QID Detection Logic (Unauthenticated):
This QID sends a HTTP GET request to a invalid URL and based on the response confirms the vulnerable instance of Apache Tomcat running on the host.
Affected Splunk Enterprise versions inject risky search commands into a form token when the token is used in a query in a cross-origin request.
Affected Versions:
Splunk versions from 9.0.0 prior to 9.0.1
NOTE:
QID Detection Logic(Authenticated)
Linux: Checks for installed vulnerable version of Splunk Enterprise from "/etc/splunk.version" file either in "/opt/splunk" directory or using "$SPLUNK_HOME" environment variable.
Windows: Checks for installed vulnerable version of Splunk from "/etc/splunk.version" file using registry "HKLM\SYSTEM\CurrentControlSet\Services\Splunkd".
Affected OS:
Fedora 36
Affected OS:
Fedora 37
Affected OS:
Fedora 37
Affected versions:
PowerShell Universal v2.0.0-v2.12.5
PowerShell Universal v3.0.0-v3.4.6
PowerShell Universal v3.5.0-v3.5.2
QID Detection Logic (Authenticated)
This QID checks for vulnerable versions of PowerShell Universal via Registry.
Affected Releases
1000 Series Integrated Services Routers
4000 Series Integrated Services Routers
Catalyst 8000V Edge Software Routers
Catalyst 8200 Series Edge Platforms
Catalyst 8300 Series Edge Platforms
Catalyst 8500L Series Edge Platforms
Cloud Services Router 1000V Series
QID Detection Logic (Authenticated):
The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
QID Detection Logic (Unauthenticated):
The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
Customers are advised to refer to cisco-sa-ipv4-vfr-dos-CXxtFacb for more information.
Affected Products
This vulnerability affects Cisco devices if they are running a vulnerable release of Cisco IOS or IOS XE Software and have IPv6 and the DHCPv6 relay or server feature enabled. IPv6 and DHCPv6 are disabled in Cisco IOS and IOS XE Software by default.
QID Detection Logic (Authenticated):
The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
QID Detection Logic (Unauthenticated):
The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
Customers are advised to refer to cisco-sa-ios-dhcpv6-dos-44cMvdDK for more information.
Affected Releases
Cisco IOS XE Software releases 17.9.1, 17.9.1a, or 17.9.1w and have a tunnel interface configured.
QID Detection Logic (Authenticated):
The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
QID Detection Logic (Unauthenticated):
The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
Customers are advised to refer to cisco-sa-ios-gre-crash-p6nE5Sq5 for more information.
Affected OS:
Fedora 36
Affected Products:
This vulnerability affects the following Cisco products if they are running a vulnerable release of universal Cisco IOS XE Software in controller mode or a vulnerable release of standalone Cisco IOS XE SD WAN Software:
1000 Series Integrated Services Routers (ISR)
4000 Series ISR
ASR 1000 Series Aggregation Services Routers
Catalyst 8000 Edge Platforms Family
Cloud Services Router (CSR) 1000V Series
Note: The standalone Cisco IOS XE SD-WAN Software release images are separate from the universal Cisco IOS XE Software release images.
QID Detection Logic (Authenticated):
The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
QID Detection Logic (Unauthenticated):
The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
Customers are advised to refer to cisco-sa-ios-xe-sdwan-VQAhEjYw for more information.
A vulnerability in the Cisco IOx application hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device.
Affected Products:
Cisco products if they are running a vulnerable release of Cisco IOS XE Software, they have the Cisco IOx application hosting feature configured, and the hosted application is running.
QID Detection Logic (Authenticated):
The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
QID Detection Logic (Unauthenticated):
The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
Customers are advised to refer to cisco-sa-iox-priv-escalate-Xg8zkyPk for more information.
Affected OS:
Fedora 37
Affected Releases
This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS XE Software for WLCs and have the HTTP-based client profiling feature configured. Client profiling is not enabled by default.
Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Catalyst 9800-CL Wireless Controllers for Cloud
Embedded Wireless Controllers on Catalyst Access Points
QID Detection Logic (Authenticated):
The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
QID Detection Logic (Unauthenticated):
The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
Note: This QID does not check for workaround, hence kept as practice
Customers are advised to refer to cisco-sa-ewlc-dos-wFujBHKw for more information.
Affected Releases
This vulnerability affects Cisco Catalyst 9300 Series Switches if they are running Cisco IOS XE Software with a release of Cisco IOS XE ROM Monitor (ROMMON) that is earlier than Release 17.3.7r, Release 17.6.5r, or Release 17.8.1r.
QID Detection Logic (Authenticated):
The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
QID Detection Logic (Unauthenticated):
The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
Customers are advised to refer to cisco-sa-VU855201-J3z8CKTX for more information.
Affected Products:
Catalyst 9800 Series Wireless Controllers
Catalyst 9800-CL Wireless Controllers for Cloud
Embedded Wireless Controllers on Catalyst Access Points
NOTE:
Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches not supported.
QID Detection Logic (Authenticated):
The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
QID Detection Logic (Unauthenticated):
The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
Customers are advised to refer to cisco-sa-c9800-apjoin-dos-nXRHkt5 for more information.
QID Detection Logic (Authenticated):
The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
QID Detection Logic (Unauthenticated):
The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
Customers are advised to refer to cisco-sa-webui-pthtrv-es7GSb9V for more information.
Affected Products
Prior to 20.6.5
20.8 prior to 20.8.1
20.9 prior to 20.9.1
QID detection logic:
The QID checks for Cisco SD WAN version retrieved via Unix Auth using "show system status" command
Customers are advised to refer to cisco-sa-vman-csrf-76RDbLEh for more information.
QID Detection Logic (Authenticated):
The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
QID Detection Logic (Unauthenticated):
The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
Customers are advised to refer to cisco-sa-iosxe-priv-esc-sABD8hcU for more information.
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Affected versions:
Apache Tomcat 10.1.0-M1 to 10.1.5
QID Detection Logic (Unauthenticated):
This QID sends a HTTP GET request to an invalid URL and based on the response confirms the vulnerable instance of Apache Tomcat running on the host.
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Affected versions:
Apache Tomcat 9.0.0-M1 to 9.0.71
QID Detection Logic (Unauthenticated):
This QID sends a HTTP GET request to an invalid URL and based on the response confirms the vulnerable instance of Apache Tomcat running on the host.
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Affected versions:
Apache Tomcat 8.5.0 to 8.5.85
QID Detection Logic (Unauthenticated):
This QID sends a HTTP GET request to an invalid URL and based on the response confirms the vulnerable instance of Apache Tomcat running on the host.
Affected versions:
Apple macOS Monterey 12.3 and later Versions Prior to 10.4.8
QID Detection Logic (Authenticated)
This QID checks for vulnerable versions of Apple macOS Monterey 12.3 and later.
Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.
Affected EOS versions:
4.27.3 and below releases in the 4.27.x train
4.26.5 and below releases in the 4.26.x train
4.25.8 and below releases in the 4.25.x train
4.24.9 and below release in the 4.24.x train
4.23.11 and below release in the 4.23.x train
4.22.x train
QID Detection Logic (Authenticated):
The check matches Arista EOS version retrieved via Unix Auth using "show version" command.
Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.
Affected EOS versions:
4.27.1F and below releases in the 4.27.x train
4.26.3M and below releases in the 4.26.x train
4.25.6M and below releases in the 4.25.x train
QID Detection Logic (Authenticated):
The check matches Arista EOS version retrieved via Unix Auth using "show version" command.
Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.
Affected EOS versions:
4.27.1 and below releases in the 4.27.x train
4.26.4 and below releases in the 4.26.x train
4.25.6 and below releases in the 4.25.x train
4.24.8 and below releases in the 4.24.x train
4.23.10 and below releases in the 4.23.x train
4.22.x train
NOTE:
Only vulnerable if PTP is enabled on the switch and please refer to advisory for affected Arista EOS-based products.
QID Detection Logic (Authenticated):
The check matches Arista EOS version retrieved via Unix Auth using "show version" command.
Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.
Affected EOS versions:
4.24.9 and below releases in the 4.24.x release train
4.25.8 and below releases in the 4.25.x release train
4.26.5 and below releases in the 4.26.x release train
4.27.3 and below releases in the 4.27.x release train
QID Detection Logic (Authenticated):
The check matches Arista EOS version retrieved via Unix Auth using "show version" command.
Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.
Affected EOS versions:
4.23.11 and below release in the 4.23.x train
4.24.9 and below release in the 4.24.x train
4.25.7 and below releases in the 4.25.x train
4.26.5 and below releases in the 4.26.x train
4.27.3 and below releases in the 4.27.x train
QID Detection Logic (Authenticated):
The check matches Arista EOS version retrieved via Unix Auth using "show version" command.
Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.
Affected EOS versions:
4.23.11 and below release in the 4.23.x train
4.24.9 and below release in the 4.24.x train
4.25.7 and below releases in the 4.25.x train
4.26.5 and below releases in the 4.26.x train
4.27.1 and below releases in the 4.27.x train
QID Detection Logic (Authenticated):
The check matches Arista EOS version retrieved via Unix Auth using "show version" command.
Microsoft has released Servicing Stack security updates for Windows.
Related KB:
KB5023790
QID Detection Logic (Authenticated):
This authenticated QID will check for file version of CbsCore.dll
Microsoft has released Servicing Stack security updates for Windows.
Related KB:
KB5023788
QID Detection Logic (Authenticated):
This authenticated QID will check for file version of CbsCore.dll
Multiple NetApp products incorporate Libcurl. Libcurl versions 7.77.0 prior to 7.86.0 are susceptible to vulnerabilities which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).
Affected Versions:
NetApp Clustered Data ONTAP versions prior to 9.11.1P6
NetApp Clustered Data ONTAP versions prior to 9.12.1
QID Detection Logic (Authenticated):
This authenticated QID detects vulnerable NetApp OS command 'version'
Customers are advised to refer to NTAP-20221209-0010 for more information about patching this vulnerability.
Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.
On affected Arista EOS platforms, if a VXLAN match rule exists in an IPv4 access-list that is applied to the ingress of an L2 or an L3 port/SVI, the VXLAN rule and subsequent ACL rules in that access list will ignore the specified IP protocol.
Affected EOS versions:
4.26.3M and below releases in the 4.26.x train
4.27.0F in the 4.27.x train
QID Detection Logic (Authenticated):
The check matches Arista EOS version retrieved via Unix Auth using "show version" command.
Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.
Affected EOS versions:
4.28.2F and older releases in the 4.28.x train
4.27.6M and older releases in the 4.27.x train
4.26.7M and older releases in the 4.26.x train
4.25.9M and older releases in the 4.25.x train
4.24.10M and older releases in the 4.24.x train
4.23.12M and older releases in the 4.23.x train
4.22.12M and older releases in the 4.22.x train
QID Detection Logic (Authenticated):
The check matches Arista EOS version retrieved via Unix Auth using "show version" command.
Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.
Affected EOS versions:
4.28.3M and below releases in the 4.28.x train
4.27.6M and below releases in the 4.27.x train
4.26.8M and below releases in the 4.26.x train
4.25.9M and below releases in the 4.25.x train
4.24.10M and below releases in the 4.24.x train
4.23.13M and below releases in the 4.23.x train
QID Detection Logic (Authenticated):
The check matches Arista EOS version retrieved via Unix Auth using "show version" command.
Affected Products
QID Detection Logic (Authenticated):
The check matches Cisco IOS XR version retrieved via Unix Auth using "show version" command.
Customers are advised to refer to cisco-sa-iosxr-load-infodisc-9rdOr5Fq for more information.
Making this QID as practice as we cannot add Workarounds configuration check in signature.
Affected Products
Cisco devices if they were running Cisco IOS XR Software releases
From 6.5 and Prior to 7.5.3
From 7.6 and Prior to 7.6.2
7.7 and later and Prior to 7.7.1
QID Detection Logic (Authenticated):
The check matches Cisco IOS XR version retrieved via Unix Auth using "show version" command.
Customers are advised to refer to cisco-sa-bfd-XmRescbT for more information.
Affected Products
MDS 9000 Series Multilayer Switches
Nexus 1000 Virtual Edge for VMware vSphere
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
QID Detection Logic(Authenticated):
It checks for vulnerable version of Cisco NX-OS using show version Command.
Customers are advised to refer to cisco-sa-nxos-cli-cmdinject-euQVK9u
Note:- Mitigation is available, hence making this detection practice.
Affected Versions:
Splunk Enterprise 8.1.6 and lower
Note:- Mitigation is available, hence making this detection practice.
Splunk Enterprise is affected by multiple vulnerabilities:
Affected Versions:
Splunk Enterprise 8.1.11 and lower
Splunk Enterprise 8.2.0 to 8.2.8
QID Detection Logic(Authenticated)
It checks for vulnerable version of Splunk Enterprise .
AFFECTED PRODUCTS
The following versions of CNCSoft, a software management platform, are affected:
CNCSoft: All versions prior to v1.01.34
QID Detection Logic (Authenticated)
QID checks for the Vulnerable version using windows registry keys
Customers are advised to refer to CERT MITIGATIONS section ICSA-23-026-01 for affected packages and patching details.
Note:- Mitigation is available, hence making this detection practice.
Splunk Enterprise is affected by multiple vulnerabilities:
Affected Versions:
Splunk Enterprise 8.1.12 and lower
Splunk Enterprise 8.2.0 to 8.2.9
Splunk Enterprise 9.0.0 to 9.0.3
QID Detection Logic(Authenticated)
It checks for vulnerable version of Splunk Enterprise .
AFFECTED PRODUCTS
The following Fuji Electric remote monitoring and operation software products are affected:
Tellus Lite V-Simulator Versions upto v4.0.12.0
QID Detection Logic (Authenticated)
QID checks for the Vulnerable version using windows registry keys
Customers are advised to refer to CERT MITIGATIONS section ICSA-22-354-01 for affected packages and patching details.
AFFECTED PRODUCTS
The following versions of XG5000, a PLC programming software, are affected: LS ELECTRIC XG5000: All versions prior to V4.0
QID Detection Logic (Authenticated)
QID checks for the Vulnerable version using windows registry keys
Customers are advised to refer to Schneider Electric MITIGATIONS section ICSA-22-228-02 for affected packages and patching details.
Splunk Enterprise is affected by multiple vulnerabilities:
Affected Versions:
Splunk Enterprise 8.1.12 and lower
Splunk Enterprise 8.2.0 to 8.2.9
Splunk Enterprise 9.0.0 to 9.0.3
QID Detection Logic(Authenticated)
It checks for vulnerable version of Splunk Enterprise .
Affected Products
Following Cisco products and software releases:
4.1 and earlier and 4.2
QID Detection Logic (Authenticated):
The check matches Cisco cimc version retrieved using "show cimc detail " command.
Customers are advised to refer to cisco-sa-imc-gui-dos-TZjrFyZh for more information.
Red Hat OpenJDK is a free and open-source implementation of the Java Development Kit (JDK) for Linux, Windows, and macOS. It is based on the OpenJDK project, with additional features and enhancements from Red Hat.
QID Detection Logic (Authenticated) :
This QID will check the Red Hat OpenJDK DisplayName ,Publisher details as "Red Hat" , and version from registry keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall","HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
This QID will check the Red Hat OpenJDK version, path and vendor details.
a carefully crafted if: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent.
This could cause the process to crash.
This issue affects apache http server 2.4.54 and earlier. (
( CVE-2006-20001) inconsistent interpretation of http requests (http request smuggling) vulnerability in mod_proxy_ajp of apache http server allows an attacker to smuggle requests to the ajp server it forwards requests to.
This issue affects apache http server apache http server 2.4 version 2.4.54 and prior versions. (
( CVE-2022-36760) prior to apache http server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body.
If the later headers have any security purpose, they will not be interpreted by the client. (
( CVE-2022-37436) some mod_proxy configurations on apache http server versions 2.4.0 through 2.4.55 allow a http request smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of rewriterule or proxypassmatch in which a non-specific pattern matches some portion of the user-supplied request-target (url) data and is then re-inserted into the proxied request-target using variable substitution.
For example, something like: rewriteengine on rewriterule "^/here/(.*)" "
Http://example.com:8080/elsewhere?$1"; [p] proxypassreverse /here/ http://example.com:8080/ request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended urls to existing origin servers, and cache poisoning.
This issue affects apache http server: from 2.4.30 through 2.4.55.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Guests can trigger nic interface reset/abort/crash via netback it is possible for a guest to trigger a nic interface reset/abort/crash in a linux based network backend by sending certain kinds of packets.
It appears to be an (unwritten?)
Assumption in the rest of the linux network stack that packet protocol headers are all contained within the linear section of the skb and some nics behave badly if this is not the case.
This has been reported to occur with cisco (enic) and broadcom netxtrem ii bcm5780 (bnx2x) though it may be an issue with other nics/drivers as well.
In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior. (
( CVE-2022-3643) a null pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the linux kernel.
This flaw causes the system to crash. (
( CVE-2023-0394)
A vulnerability was found in x.org.
This issue occurs due to a dangling pointer in deepcopypointerclasses that can be exploited by procxkbsetdeviceinfo() and procxkbgetdeviceinfo() to read and write into freed memory.
This can lead to local privilege elevation on systems where the x server runs privileged and remote code execution for ssh x forwarding sessions. (
( CVE-2023-0494)
In the linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (
( CVE-2023-26545)
Gnu tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump.
Exploitation to change the flow of control has not been demonstrated.
The issue occurs in from_header in list.c via a v7 archive in which mtime has approximately 11 whitespace characters. (
( CVE-2022-48303)
Heap-based buffer overflow in github repository vim/vim prior to 9.0.1189. (
( CVE-2023-0288) heap-based buffer overflow in github repository vim/vim prior to 9.0.1225. (
( CVE-2023-0433) divide by zero in github repository vim/vim prior to 9.0.1247. (
( CVE-2023-0512) divide by zero in github repository vim/vim prior to 9.0.1367. (
( CVE-2023-1127)
In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid http request (websocket handshake) is received.
It leads to null pointer dereference which crashes the server.
It could be used by an external attacker to cause denial of service condition. (
( CVE-2022-37797)
A cross-site scripting (xss) vulnerability was found in the python-lxml's clean module.
The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page.
This flaw allows a remote attacker to run arbitrary html/js code.
The highest threat from this vulnerability is to confidentiality and integrity. (
( CVE-2020-27783) there's a flaw in python-lxml's html cleaner component, which is responsible for sanitizing html and javascript.
An attacker who is able to submit a crafted payload to a web service using python-lxml's html cleaner may be able to trigger script execution in clients such as web browsers.
This can occur because the html cleaner did not remove scripts within svg images in data urls such as <img src=>.
Xss can result in impacts to the integrity and availability of the web page, as well as a potential impact to data confidentiality in some circumstances. (
( CVE-2021-43818)
A vulnerability was found in linux kernel.
It has been declared as problematic.
Affected by this vulnerability is the function ipv6_renew_options of the component ipv6 handler.
The manipulation leads to memory leak.
The attack can be launched remotely.
It is recommended to apply a patch to fix this issue.
The identifier vdb-211021 was assigned to this vulnerability. (
( CVE-2022-3524)
A flaw was found in the dnsmasq application where a remote attacker can trigger a memory leak by sending specially crafted dhcp responses to the server.
A successful attack is dependent on a specific configuration regarding the domain name set into the dnsmasq.conf file.
Over time, the memory leak may cause the process to run out of memory and terminate, causing a denial of service. (
( CVE-2019-14834)
Affected Versions:
Veritas NetBackup OpsCenter 8.2.x and earlier
QID Detection Logic (Authenticated):
Operating Systems: Windows
The QID checks for the registry to check the vulnerable version.
Some mod_proxy configurations on apache http server versions 2.4.0 through 2.4.55 allow a http request smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of rewriterule or proxypassmatch in which a non-specific pattern matches some portion of the user-supplied request-target (url) data and is then re-inserted into the proxied request-target using variable substitution.
For example, something like: rewriteengine on rewriterule "^/here/(.*)" "
Http://example.com:8080/elsewhere?$1"; [p] proxypassreverse /here/ http://example.com:8080/ request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended urls to existing origin servers, and cache poisoning.
Users are recommended to update to at least version 2.4.56 of apache http server. (
( CVE-2023-25690) http response smuggling vulnerability in apache http server via mod_proxy_uwsgi.
This issue affects apache http server: from 2.4.30 through 2.4.55.
Special characters in the origin response header can truncate/split the response forwarded to the client. (
( CVE-2023-27522)
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
a regression exists in the linux kernel within kvm: nvmx that allowed for speculative execution attacks.
L2 can carry out spectre v2 attacks on l1 due to l1 thinking it doesnt need retpolines or ibpb after running l2 due to kvm (l0) advertising eibrs support to l1.
An attacker at l2 with code execution can execute code on an indirect branch on the host machine.
We recommend upgrading to kernel 6.2 or past commit 2e7eab81425a (cve-2022-2196) it has been discovered that on some amd cpus, the ras (return address stack, also called rap - return address predictor - in some amd documentation, and rsb - return stack buffer - in intel terminology) is dynamically partitioned between non-idle threads.
this allows an attacker to control speculative execution on the adjacent thread. (
( CVE-2022-27672) kernel: type confusion in pick_next_rt_entity(), which can result in memory corruption. (
( CVE-2023-1077) the upstream bug report describes this issue as follows: a flaw found in the linux kernel in rds (reliable datagram sockets) protocol.
The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion.
Local user can trigger this with rds_message_put().
Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user.
It is known how to trigger this, which causes an oob access, and a lock corruption. (
( CVE-2023-1078) in the linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be null in the error case, whereas it is actually an error pointer). (
( CVE-2023-26545)
A vulnerability was found in sssd, in the libsss_certmap functionality.
Pkinit enables a client to authenticate to the kdc using an x.509 certificate and the corresponding private key, rather than a passphrase or keytab.
Freeipa uses mapping rules to map a certificate presented during a pkinit authentication request to the corresponding principal.
The mapping filter is vulnerable to ldap filter injection.
The search result can be influenced by values in the certificate, which may be attacker controlled.
In the most extreme case, an attacker could gain control of the admin account, leading to full domain takeover. (
( CVE-2022-4254)
A regression exists in the linux kernel within kvm: nvmx that allowed for speculative execution attacks.
L2 can carry out spectre v2 attacks on l1 due to l1 thinking it doesn't need retpolines or ibpb after running l2 due to kvm (l0) advertising eibrs support to l1.
An attacker at l2 with code execution can execute code on an indirect branch on the host machine.
We recommend upgrading to kernel 6.2 or past commit 2e7eab81425a (cve-2022-2196) it has been discovered that on some amd cpus, the ras (return address stack, also called rap - return address predictor - in some amd documentation, and rsb - return stack buffer - in intel terminology) is dynamically partitioned between non-idle threads.
This allows an attacker to control speculative execution on the adjacent thread. (
( CVE-2022-27672) kernel: type confusion in pick_next_rt_entity(), which can result in memory corruption. (
( CVE-2023-1077) the upstream bug report describes this issue as follows: a flaw found in the linux kernel in rds (reliable datagram sockets) protocol.
The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion.
Local user can trigger this with rds_message_put().
Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user.
It is known how to trigger this, which causes an oob access, and a lock corruption. (
( CVE-2023-1078) in the linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (
( CVE-2023-26545)
A regression exists in the linux kernel within kvm: nvmx that allowed for speculative execution attacks.
L2 can carry out spectre v2 attacks on l1 due to l1 thinking it doesn't need retpolines or ibpb after running l2 due to kvm (l0) advertising eibrs support to l1.
An attacker at l2 with code execution can execute code on an indirect branch on the host machine.
We recommend upgrading to kernel 6.2 or past commit 2e7eab81425a (cve-2022-2196) it has been discovered that on some amd cpus, the ras (return address stack, also called rap - return address predictor - in some amd documentation, and rsb - return stack buffer - in intel terminology) is dynamically partitioned between non-idle threads.
This allows an attacker to control speculative execution on the adjacent thread. (
( CVE-2022-27672) kernel: type confusion in pick_next_rt_entity(), which can result in memory corruption. (
( CVE-2023-1077) the upstream bug report describes this issue as follows: a flaw found in the linux kernel in rds (reliable datagram sockets) protocol.
The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion.
Local user can trigger this with rds_message_put().
Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user.
It is known how to trigger this, which causes an oob access, and a lock corruption. (
( CVE-2023-1078) in the linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (
( CVE-2023-26545)
Firefox-esr , thunderbird and nss only are affected by this package. (
( CVE-2023-0767)
The mozilla foundation describes this issue as follows: sometimes, when invalidating jit code while following an iterator, the newly generated code could be overwritten incorrectly.
This could lead to a potentially exploitable crash. (
( CVE-2023-25751) the mozilla foundation describes this issue as follows: when accessing throttled streams, the count of available bytes needed to be checked in the calling function to be within bounds.
This may have lead future code to be incorrect and vulnerable. (
( CVE-2023-25752) this issue affects firefox and thunderbird esr 102.8 and earlier.
The mozilla foundation describes this issue as follows: while implementing audioworklets, some code may have casted one type to another, invalid, dynamic type.
This could have led to a potentially exploitable crash. (
( CVE-2023-28162) a flaw was found in mozilla.
The mozilla foundation security advisory describes the issue that when downloading files through the save as dialog on windows with suggested filenames containing environment variable names, windows would have resolved those in the current user's context.
This bug only affects firefox on windows.
Other versions of firefox are unaffected. (
( CVE-2023-28163) mozilla fuzzing team reported memory safety bugs present in firefox 110 and esr 102.8.
Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code. (
( CVE-2023-28176)
Affected OS:
Fedora 37
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
An issue was discovered in libxml2 before 2.10.3.
When parsing a multi-gigabyte xml document with the xml_parse_huge parser option enabled, several integer counters can overflow.
This results in an attempt to access an array at a negative 2gb offset, typically leading to a segmentation fault. (
( CVE-2022-40303) an issue was discovered in libxml2 before 2.10.3.
Certain invalid xml entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors.
In one case, a double-free can be provoked. (
( CVE-2022-40304)
A heap-based buffer overflow was found in openjpeg.
This flaw allows an attacker to execute arbitrary code with the permissions of the application compiled against openjpeg. (
( CVE-2021-3575)
Gnu tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump.
Exploitation to change the flow of control has not been demonstrated.
The issue occurs in from_header in list.c via a v7 archive in which mtime has approximately 11 whitespace characters. (
( CVE-2022-48303)
Divide by zero in github repository vim/vim prior to 9.0.1367. (
( CVE-2023-1127)
In the linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (
( CVE-2023-26545)
Artifex ghostscript through 9.26 mishandles .completefont.
Note: this issue exists because of an incomplete fix for( CVE-2019-3839. (
( CVE-2019-25059)
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
A cache poisoning vulnerability was found in bind when using forwarders.
Bogus ns records supplied by the forwarders may be cached and used by name if it needs to recurse for any reason.
This issue causes it to obtain and pass on potentially incorrect answers.
This flaw allows a remote attacker to manipulate cache results with incorrect records, leading to queries made to the wrong servers, possibly resulting in false information received on the client's end. (
( CVE-2021-25220) by flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the dns resolution service. (
( CVE-2022-2795) by spoofing the target resolver with responses that have a malformed ecdsa signature, an attacker can trigger a small memory leak.
It is possible to gradually erode available memory to the point where named crashes for lack of resources. (
( CVE-2022-38177) by spoofing the target resolver with responses that have a malformed eddsa signature, an attacker can trigger a small memory leak.
( CVE-2022-38178)
Hyperium hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the h2 third-party software, allowing attackers to perform http2 attacks. (
( CVE-2022-31394)
An issue in the urllib.parse component of python before v3.11 allows attackers to bypass blocklisting methods by supplying a url that starts with blank characters. (
( CVE-2023-24329)
A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer.
When handling mailto: uris, xdg-email allows attachments to be discreetly added via the uri when being passed to thunderbird.
An attacker could potentially send a victim a uri that automatically attaches a sensitive file to a new email.
If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure.
It has been confirmed that the code behind this issue is in xdg-email and not in thunderbird. (
( CVE-2020-27748) when xdg-mail is configured to use thunderbird for mailto urls, improper parsing of the url can lead to additional headers being passed to thunderbird that should not be included per rfc 2368.
An attacker can use this method to create a mailto url that looks safe to users, but will actually attach files when clicked. (
( CVE-2022-4055)
An out-of-bounds read flaw was found in libsndfile's flac codec functionality.
An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the flac codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws. (
( CVE-2021-4156)
In autofile audio file library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file.
The printfileinfo function calls the copyrightstring function to get data, however, it dosn't use zero bytes to truncate the data. (
( CVE-2022-24599)
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
A flaw was found in gstreamer-plugins-base where an out-of-bounds read when handling certain id3v2 tags is possible.
The highest threat from this vulnerability is to system availability. (
( CVE-2021-3522)
A flaw was found in the linux kernel's layer 2 tunneling protocol (l2tp).
A missing lock when clearing sk_user_data can lead to a race condition and null pointer dereference.
A local user could use this flaw to potentially crash the system causing a denial of service. (
( CVE-2022-4129)
A flaw was found in the linux kernel's layer 2 tunneling protocol (l2tp).
A missing lock when clearing sk_user_data can lead to a race condition and null pointer dereference.
A local user could use this flaw to potentially crash the system causing a denial of service. (
( CVE-2022-4129)
CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases
The WordPress WooCommerce PDF Invoices and Packing Slips Plugin has been found to contain a security vulnerability known as Cross Site Request Forgery (CSRF). This vulnerability could potentially be exploited by an attacker to force users with higher privileges to perform unintended actions without their knowledge or consent. Such actions could include altering or deleting sensitive information, making unauthorized purchases, or performing other actions that could compromise the security and integrity of the system.
Affected versions:
WooCommerce PDF Invoice and Packing Slips prior to 3.2.6
QID Detection Logic :
This QID sends an HTTP GET request and retrieves a vulnerable version of a plugin running on the target application.
Vulnerable Component: BIG-IP DNS,LTM
Affected Versions:
17.0.0
16.1.0 - 16.1.3
15.1.0 - 15.1.8
14.1.0 - 14.1.5
13.1.0 - 13.1.5
QID Detection Logic(Authenticated):
This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.
Affected Products:
FortiManager version 6.0.0 through 6.0.4
FortiAnalyzer version 6.0.0 through 6.0.4
QID Detection Logic (Authenticated):
Detection checks for vulnerable versions of FortiManager,FortiAnalyzer
Vendor has released fixes to address this vulnerability
For more details refer advisory FG-IR-18-232
Affected Versions:
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.9
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.3 and above
QID Detection Logic (Authenticated):
Detection checks for vulnerable version of FortiOS.
Affected Products:
FortiAnalyzer version 7.2.0 through 7.2.1
FortiAnalyzer version 7.0.0 through 7.0.6
FortiAnalyzer 6.4 all versions
QID Detection Logic (Authenticated):
Detection checks for vulnerable versions of FortiAnalyzer.
Vendor has released fixes to address this vulnerability
For more details please refer advisory FG-IR-22-488
Affected Versions:
Veritas NetBackup OpsCenter 8.2.x and earlier
Veritas NetBackup OpsCenter 8.3.x through 8.3.0.2.
Veritas NetBackup OpsCenter 9.0.0.0
Veritas NetBackup OpsCenter 9.1.0.0
Veritas NetBackup OpsCenter 10.0.0.0
QID Detection Logic (Authenticated):
Operating Systems: Windows
The QID checks for the registry to check the vulnerable version.
Note: QID is marked potential since there is no current check for hotfixes.
Vulnerable Component: BIG-IP ASM,APM,LTM
Affected Versions:
14.0.0
13.0.0 - 13.1.1
12.1.0 - 12.1.4
11.2.1 - 11.6.3
QID Detection Logic(Authenticated):
This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.
Vulnerable Component: BIG-IP ASM,APM,LTM
Affected Versions:
13.0.0 - 13.1.1
12.1.0 - 12.1.3
11.6.1 - 11.6.311.5.1 - 11.5.8
QID Detection Logic(Authenticated):
This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Red Hat openshift container platform is Red Hat's cloud computing kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):<H2></H2>
WordPress plugin Enable Media Replace before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.
Affected Versions:
Enable Media Replace plugin versions prior to 4.0.2
QID Detection Logic(Unauthenticated): This unauthenticated detection depends on the BlindElephant engine to detect the vulnerable version of the Enable Media Replace plugin.
