Vulnerability Detection Pipeline

Upcoming and New QIDs

Browse, filter by detection status, or search by CVE to get visibility into upcoming and new detections (QIDs) for all severities.

Disclaimer: The Vulnerability Detection Pipeline is intended to give users an early insight into some of the CVEs the Qualys Research Team is investigating. It may not show all the CVEs that are actively being investigated. Specific CVE feature requests filed via a Qualys Support case may or may not show up on this page. Please reach out to Qualys Support for status of such support cases.

Detection Status

  • Under investigation: We are researching a detection and will publish one if it is feasible.
  • In development: We are coding a detection and will typically publish it within a few days.
  • Recently published: We have published the detection on the date indicated, and it will typically be available in the KnowledgeBase on shared platforms within a day.

Non-Qualys customers can audit their network for all published vulnerabilities by signing up for a Qualys Free Trial or Qualys Community Edition.

Displaying QID development activity from through last updated:
907 results
CVE
Qualys ID
Title
Severity
  • CVE-2015-10082
    QID: 753848
    In Development

    SUSE Enterprise Linux Security Update for libplist (SUSE-SU-2023:0872-1)

    Severity
    Critical4
    Qualys ID
    753848
    Vendor Reference
    SUSE-SU-2023:0872-1
    CVE Reference
    CVE-2015-10082
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released a security update for libplist to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise (Desktop|Server) 12 SP5
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0872-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0872-1
  • CVE-2022-0670+
    QID: 753847
    In Development

    SUSE Enterprise Linux Security Update for ceph (SUSE-SU-2023:1580-1)

    Severity
    Critical4
    Qualys ID
    753847
    Vendor Reference
    SUSE-SU-2023:1580-1
    CVE Reference
    CVE-2022-0670, CVE-2022-3854, CVE-2022-3650
    CVSS Scores
    Base 9.1 / Temporal 7.9
    Description
    SUSE has released a security update for ceph to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP3|SUSE Linux Enterprise Server for SAP Applications 15 SP3
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:1580-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:1580-1
  • CVE-2023-1032+
    QID: 199256
    In Development

    Ubuntu Security Notification for Linux kernel (OEM) Vulnerabilities (USN-5977-1)

    Severity
    Critical4
    Qualys ID
    199256
    Vendor Reference
    USN-5977-1
    CVE Reference
    CVE-2023-1032, CVE-2023-1281, CVE-2022-2196
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Ubuntu has released a security update for linux to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5977-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5977-1
  • CVE-2022-3628+
    QID: 199255
    In Development

    Ubuntu Security Notification for Linux kernel (OEM) Vulnerabilities (USN-5976-1)

    Severity
    Critical4
    Qualys ID
    199255
    Vendor Reference
    USN-5976-1
    CVE Reference
    CVE-2022-3628, CVE-2022-3061, CVE-2022-2196, CVE-2022-3646, CVE-2023-0394, CVE-2022-3649, CVE-2022-36280, CVE-2022-41850, CVE-2023-0461
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Ubuntu has released a security update for linux to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5976-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5976-1
  • CVE-2023-1078+
    QID: 199254
    In Development

    Ubuntu Security Notification for Linux kernel (OEM) Vulnerabilities (USN-5978-1)

    Severity
    Critical4
    Qualys ID
    199254
    Vendor Reference
    USN-5978-1
    CVE Reference
    CVE-2023-1078, CVE-2022-2196, CVE-2023-1073, CVE-2023-0394, CVE-2022-27672, CVE-2022-4842, CVE-2022-4382, CVE-2023-1281, CVE-2023-1075, CVE-2023-23559, CVE-2023-26545, CVE-2023-1074
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Ubuntu has released a security update for linux to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5978-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5978-1
  • CVE-2023-27932+
    QID: 378187
    In Development

    Apple Safari Multiple Vulnerabilities (HT213671)

    Severity
    Critical4
    Qualys ID
    378187
    Vendor Reference
    HT213671
    CVE Reference
    CVE-2023-27932, CVE-2023-27954
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Safari is a Web-browser developed by Apple which is based on the WebKit engine.

    Affected versions:
    Apple Safari Versions Prior to 16.4

    QID Detection Logic (Authenticated)
    This QID checks for vulnerable versions of Apple Safari.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Processing maliciously crafted web content may lead to arbitrary code execution

    Solution
    The apple browser safari needs to upgrade to the latest version 16.4 released by Apple.
    For more information regarding the update HT213671
    Patches
    HT213671
  • CVE-2022-29162+
    QID: 181640
    In Development

    Debian Security Update for runc (DLA 3369-1)

    Severity
    Critical4
    Qualys ID
    181640
    Vendor Reference
    DLA 3369-1
    CVE Reference
    CVE-2022-29162, CVE-2019-16884, CVE-2019-19921, CVE-2021-30465, CVE-2023-27561
    CVSS Scores
    Base 8.5 / Temporal 7.4
    Description
    Debian has released a security update for runc to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DLA 3369-1 for updates and patch information.
    Patches
    Debian DLA 3369-1
  • CVE-2022-4744+
    QID: 940967
    In Development

    AlmaLinux Security Update for kernel-rt (ALSA-2023:1469)

    Severity
    Critical4
    Qualys ID
    940967
    Vendor Reference
    ALSA-2023:1469
    CVE Reference
    CVE-2022-4744, CVE-2022-4269, CVE-2023-0266
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    AlmaLinux has released a security update for kernel-rt to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2023:1469 for updates and patch information.
    Patches
    AlmaLinux ALSA-2023:1469
  • CVE-2022-4744+
    QID: 940966
    In Development

    AlmaLinux Security Update for kernel (ALSA-2023:1470)

    Severity
    Critical4
    Qualys ID
    940966
    Vendor Reference
    ALSA-2023:1470
    CVE Reference
    CVE-2022-4744, CVE-2022-4269, CVE-2023-0266
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    AlmaLinux has released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2023:1470 for updates and patch information.
    Patches
    AlmaLinux ALSA-2023:1470
  • CVE-2023-23542+
    QID: 378190
    In Development

    Apple macOS Monterey 12.6.4 Not Installed (HT213677)

    Severity
    Critical4
    Qualys ID
    378190
    Vendor Reference
    HT213677
    CVE Reference
    CVE-2023-23542, CVE-2023-27962, CVE-2023-27936, CVE-2023-27953, CVE-2023-28182, CVE-2023-27955, CVE-2023-27937, CVE-2023-27958, CVE-2023-27963, CVE-2023-0512, CVE-2023-23540, CVE-2023-27933, CVE-2023-0433, CVE-2023-27946, CVE-2023-27944, CVE-2023-23538, CVE-2023-23527, CVE-2023-27951, CVE-2023-27935, CVE-2023-27949, CVE-2023-23533, CVE-2023-27961, CVE-2023-28200, CVE-2023-28178, CVE-2023-27942, CVE-2023-28192, CVE-2023-23514
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    macOS Monterey 12.6.4 is current major release of macOS, Apple's desktop operating system for Macintosh computers.

    Affected versions:
    Apple macOS Monterey Versions Prior to 12.6.4

    QID Detection Logic (Authenticated)
    This QID checks for vulnerable versions of Apple macOS Monterey.

    Consequence
    A malicious application may be able to execute arbitrary code.

    Solution
    For more information regarding the update HT213677
    Patches
    HT213677
  • CVE-2023-23542+
    QID: 378189
    In Development

    Apple macOS Ventura 13.3 Not Installed (HT213670)

    Severity
    Critical4
    Qualys ID
    378189
    Vendor Reference
    HT213670
    CVE Reference
    CVE-2023-23542, CVE-2023-23534, CVE-2023-27969, CVE-2023-23526, CVE-2023-27962, CVE-2023-27936, CVE-2023-27931, CVE-2023-27953, CVE-2023-27928, CVE-2023-28182, CVE-2023-28180, CVE-2023-0054, CVE-2023-27943, CVE-2023-27965, CVE-2023-23514, CVE-2023-27955, CVE-2023-27937, CVE-2023-27958, CVE-2023-27941, CVE-2023-23535, CVE-2023-0288, CVE-2023-27963, CVE-2023-27968, CVE-2023-0512, CVE-2023-27932, CVE-2023-27954, CVE-2023-27933, CVE-2023-0433, CVE-2023-27946, CVE-2023-23525, CVE-2023-27944, CVE-2023-0051, CVE-2022-43552, CVE-2023-27957, CVE-2023-0049, CVE-2023-23538, CVE-2023-23537, CVE-2023-23527, CVE-2023-28190, CVE-2023-27951, CVE-2023-23523, CVE-2023-27935, CVE-2023-27934, CVE-2023-27949, CVE-2023-23533, CVE-2023-28181, CVE-2023-27956, CVE-2023-27961, CVE-2023-28200, CVE-2023-23543, CVE-2022-43551, CVE-2023-23532, CVE-2023-28178, CVE-2023-27942, CVE-2023-28192, CVE-2023-27929, CVE-2023-27952
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    macOS Ventura 13.3 is current major release of macOS, Apple's desktop operating system for Macintosh computers.

    Affected versions:
    Apple macOS Ventura Versions Prior to 13.3

    QID Detection Logic (Authenticated)
    This QID checks for vulnerable versions of Apple macOS Ventura.

    Consequence
    A malicious application may be able to execute arbitrary code.

    Solution
    For more information regarding the update HT213670
    Patches
    HT213670
  • CVE-2023-23542+
    QID: 378188
    In Development

    Apple macOS Big Sur 11.7.5 Not Installed (HT213675)

    Severity
    Critical4
    Qualys ID
    378188
    Vendor Reference
    HT213675
    CVE Reference
    CVE-2023-23542, CVE-2023-23534, CVE-2023-27962, CVE-2023-27936, CVE-2023-27953, CVE-2023-27928, CVE-2023-28182, CVE-2023-27955, CVE-2023-27937, CVE-2023-27958, CVE-2023-23535, CVE-2023-0512, CVE-2023-23540, CVE-2023-0433, CVE-2023-27946, CVE-2023-27944, CVE-2023-23537, CVE-2023-23527, CVE-2023-27951, CVE-2023-27935, CVE-2022-26702, CVE-2023-27961, CVE-2023-28200, CVE-2023-28192, CVE-2023-23514
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    macOS Big Sur 11.7.5 is current major release of macOS, Apple's desktop operating system for Macintosh computers.

    Affected versions:
    Apple macOS Big Sur Versions Prior to 11.7.5

    QID Detection Logic (Authenticated)
    This QID checks for vulnerable versions of Apple macOS Big Sur.

    Consequence
    A malicious application may be able to execute arbitrary code.

    Solution
    For more information regarding the update HT213675
    Patches
    HT213675
  • CVE-2018-3774+
    QID: 199257
    In Development

    Ubuntu Security Notification for url-parse Vulnerabilities (USN-5973-1)

    Severity
    Critical4
    Qualys ID
    199257
    Vendor Reference
    USN-5973-1
    CVE Reference
    CVE-2018-3774, CVE-2022-0686, CVE-2020-8124, CVE-2022-0512, CVE-2022-0639, CVE-2021-27515, CVE-2022-0691, CVE-2021-3664
    CVSS Scores
    Base 10 / Temporal 8.7
    Description
    Ubuntu has released a security update for url-parse to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5973-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5973-1
  • CVE-2022-46149
    QID: 770181
    In Development

    Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:1408)

    Severity
    Serious3
    Qualys ID
    770181
    Vendor Reference
    RHSA-2023:1408
    CVE Reference
    CVE-2022-46149
    CVSS Scores
    Base 5.4 / Temporal 4.7
    Description

    Red Hat openshift container platform is Red Hat's cloud computing kubernetes application platform solution designed for on-premise or private cloud deployments.

    Security Fix(es):
    • capnproto: out of bounds read when handling a list of lists. (
      Cve-2022-46149)

    Affected Products:

    • Red Hat openshift container platform 4.12 for rhel 9 x86_64
    • Red Hat openshift container platform 4.12 for rhel 8 x86_64
    • Red Hat openshift container platform for power 4.12 for rhel 9 ppc64le
    • Red Hat openshift container platform for power 4.12 for rhel 8 ppc64le
    • Red Hat openshift container platform for ibm z and linuxone 4.12 for rhel 9 s390x
    • Red Hat openshift container platform for ibm z and linuxone 4.12 for rhel 8 s390x
    • Red Hat openshift container platform for arm 64 4.12 for rhel 9 aarch64
    • Red Hat openshift container platform for arm 64 4.12 for rhel 8 aarch64



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1408 for updates and patch information.
    Patches
    Red Hat Enterprise Linux CoreOS RHSA-2023:1408
  • CVE-2022-46149
    QID: 241300
    In Development

    Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:1408)

    Severity
    Serious3
    Qualys ID
    241300
    Vendor Reference
    RHSA-2023:1408
    CVE Reference
    CVE-2022-46149
    CVSS Scores
    Base 5.4 / Temporal 4.7
    Description
    Red hat openshift container platform is Red Hat's cloud computing kubernetes application platform solution designed for on-premise or private cloud deployments...Security Fix(es):
      capnproto: out of bounds read when handling a list of lists. (
      Cve-2022-46149).
    Affected Products:
      Red Hat openshift container platform 4.12 for rhel 9 x86_64.
      Red hat openshift container platform 4.12 for rhel 8 x86_64.
      Red hat openshift container platform for power 4.12 for rhel 9 ppc64le.
      Red hat openshift container platform for power 4.12 for rhel 8 ppc64le.
      Red hat openshift container platform for ibm z and linuxone 4.12 for rhel 9 s390x.
      Red hat openshift container platform for ibm z and linuxone 4.12 for rhel 8 s390x.
      Red hat openshift container platform for arm 64 4.12 for rhel 9 aarch64.
      Red hat openshift container platform for arm 64 4.12 for rhel 8 aarch64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1408 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1408
  • CVE-2017-2620
    QID: 378167
    In Development

    Virtuozzo Linux Security Update for qemu-kvm (VZLSA-2017:0352)

    Severity
    Urgent5
    Qualys ID
    378167
    Vendor Reference
    VZLSA-2017:0352
    CVE Reference
    CVE-2017-2620
    CVSS Scores
    Base 9.9 / Temporal 8.6
    Description
    Virtuozzo has released a security update for qemu-kvm to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0352 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0352
  • CVE-2017-2615+
    QID: 378163
    In Development

    Virtuozzo Linux Security Update for qemu-kvm (VZLSA-2017:0396)

    Severity
    Urgent5
    Qualys ID
    378163
    Vendor Reference
    VZLSA-2017:0396
    CVE Reference
    CVE-2017-2615, CVE-2017-2620
    CVSS Scores
    Base 9.9 / Temporal 8.6
    Description
    Virtuozzo has released a security update for qemu-kvm to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0396 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0396
  • CVE-2019-11500
    QID: 378179
    In Development

    Virtuozzo Linux Security Update for dovecot-mysql (VZLSA-2019:2836)

    Severity
    Urgent5
    Qualys ID
    378179
    Vendor Reference
    VZLSA-2019:2836
    CVE Reference
    CVE-2019-11500
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Virtuozzo has released a security update for dovecot-mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2019:2836 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2019:2836
  • CVE-2017-7494
    QID: 378175
    In Development

    Virtuozzo Linux Security Update for samba4-common (VZLSA-2017:1271)

    Severity
    Urgent5
    Qualys ID
    378175
    Vendor Reference
    VZLSA-2017:1271
    CVE Reference
    CVE-2017-7494
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Virtuozzo has released a security update for samba4-common to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1271 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1271
  • CVE-2017-5470+
    QID: 378160
    In Development

    Virtuozzo Linux Security Update for firefox (VZLSA-2017:1440)

    Severity
    Urgent5
    Qualys ID
    378160
    Vendor Reference
    VZLSA-2017:1440
    CVE Reference
    CVE-2017-5470, CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7764, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Virtuozzo has released a security update for firefox to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1440 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1440
  • CVE-2017-7771+
    QID: 378157
    In Development

    Virtuozzo Linux Security Update for graphite2-devel (VZLSA-2017:1793)

    Severity
    Urgent5
    Qualys ID
    378157
    Vendor Reference
    VZLSA-2017:1793
    CVE Reference
    CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Virtuozzo has released a security update for graphite2-devel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1793 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1793
  • CVE-2016-9634+
    QID: 378149
    In Development

    Virtuozzo Linux Security Update for gstreamer1-plugins-good (VZLSA-2017:0020)

    Severity
    Urgent5
    Qualys ID
    378149
    Vendor Reference
    VZLSA-2017:0020
    CVE Reference
    CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807, CVE-2016-9808
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Virtuozzo has released a security update for gstreamer1-plugins-good to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0020 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0020
  • CVE-2016-9634+
    QID: 378147
    In Development

    Virtuozzo Linux Security Update for gstreamer-plugins-good (VZLSA-2017:0019)

    Severity
    Urgent5
    Qualys ID
    378147
    Vendor Reference
    VZLSA-2017:0019
    CVE Reference
    CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807, CVE-2016-9808
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Virtuozzo has released a security update for gstreamer-plugins-good to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0019 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0019
  • CVE-2015-8870+
    QID: 378144
    In Development

    Virtuozzo Linux Security Update for libtiff-static (VZLSA-2017:0225)

    Severity
    Urgent5
    Qualys ID
    378144
    Vendor Reference
    VZLSA-2017:0225
    CVE Reference
    CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Virtuozzo has released a security update for libtiff-static to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0225 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0225
  • CVE-2013-5653+
    QID: 378143
    In Development

    Virtuozzo Linux Security Update for ghostscript-doc (VZLSA-2017:0013)

    Severity
    Urgent5
    Qualys ID
    378143
    Vendor Reference
    VZLSA-2017:0013
    CVE Reference
    CVE-2013-5653, CVE-2016-7977, CVE-2016-7978, CVE-2016-7979, CVE-2016-8602
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Virtuozzo has released a security update for ghostscript-doc to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0013 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0013
  • CVE-2017-3167+
    QID: 378141
    In Development

    Virtuozzo Linux Security Update for mod_ssl (VZLSA-2017:2478)

    Severity
    Urgent5
    Qualys ID
    378141
    Vendor Reference
    VZLSA-2017:2478
    CVE Reference
    CVE-2017-3167, CVE-2017-3169, CVE-2017-7679, CVE-2017-9788
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Virtuozzo has released a security update for mod_ssl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:2478 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:2478
  • CVE-2019-9811+
    QID: 378138
    In Development

    Virtuozzo Linux Security Update for firefox (VZLSA-2019:1763)

    Severity
    Urgent5
    Qualys ID
    378138
    Vendor Reference
    VZLSA-2019:1763
    CVE Reference
    CVE-2019-9811, CVE-2019-11709, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11715, CVE-2019-11717, CVE-2019-11730
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Virtuozzo has released a security update for firefox to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2019:1763 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2019:1763
  • CVE-2022-37454
    QID: 150663
    In Development

    PHP Buffer Overflow Vulnerability (CVE-2022-37454)

    Severity
    Urgent5
    Qualys ID
    150663
    Vendor Reference
    Sec Bug 81738
    CVE Reference
    CVE-2022-37454
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

    The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

    Affected Versions:
    PHP versions before 7.4.33
    PHP versions 8.0.0 prior to 8.0.25
    PHP versions 8.1.0 prior to 8.1.12

    QID Detection Logic (Unauthenticated):
    This QID checks the HTTP Server header to see if the server is running a vulnerable version of PHP.

    Consequence
    Allows attackers to execute arbitrary code or eliminate expected cryptographic properties.

    Solution
    Customers are advised to upgrade to the latest version of PHP.
    For more information please refer to Sec Bug 81738 .

    Patches
    Sec Bug 81738
  • QID: 106117
    In Development

    EOL/Obsolete Software: Oracle Java Standard Edition (SE) Java Runtime Environment (JRE) Java Development Kit (JDK) 7 (1.7) Detected

    Severity
    Urgent5
    Qualys ID
    106117
    Vendor Reference
    Java SE 7 End of Public Updates Notice
    CVSS Scores
    Base 9.8 / Temporal 9
    Description
    Java Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops, servers, and embedded environments, while offering user interface, performance, versatility, portability, and security that applications require. Java Runtime Environment (JRE) allows you to run Java applications and applets. To develop Java applications and applets, you need the Java Development Kit (JDK), which includes the JRE.

    Starting April 2015, Oracle will no longer post updates of Java SE 7 to its public download sites as it has reached end of life support. Existing Java SE 7/1.7 downloads already posted as of April 2015 will remain accessible in the Java Archive on Oracle Technology Network.

    Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public download.

    Note:
    Oracle offers updates to Java 7 only for customers who have purchased Java support or have Oracle products that require Java 7, but no public updates.

    Consequence
    The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is highly prone to vulnerabilities.

    Solution
    Users are advised to upgrade to latest supported version of Java SE from the Java SE Downloads web page.
  • CVE-2017-10053+
    QID: 378170
    In Development

    Virtuozzo Linux Security Update for java-1.7.0-openjdk (VZLSA-2017:2424)

    Severity
    Urgent5
    Qualys ID
    378170
    Vendor Reference
    VZLSA-2017:2424
    CVE Reference
    CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10081, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10115, CVE-2017-10116, CVE-2017-10135, CVE-2017-10243
    CVSS Scores
    Base 9.6 / Temporal 8.3
    Description
    Virtuozzo has released a security update for java-1.7.0-openjdk to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:2424 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:2424
  • CVE-2017-10053+
    QID: 378134
    In Development

    Virtuozzo Linux Security Update for java-1.8.0-openjdk-debug (VZLSA-2017:1789)

    Severity
    Urgent5
    Qualys ID
    378134
    Vendor Reference
    VZLSA-2017:1789
    CVE Reference
    CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10078, CVE-2017-10081, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10111, CVE-2017-10115, CVE-2017-10116, CVE-2017-10135, CVE-2017-10193, CVE-2017-10198, CVE-2017-10243
    CVSS Scores
    Base 9.6 / Temporal 8.3
    Description
    Virtuozzo has released a security update for java-1.8.0-openjdk-debug to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1789 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1789
  • CVE-2017-1000257
    QID: 378161
    In Development

    Virtuozzo Linux Security Update for libcurl (VZLSA-2017:3263)

    Severity
    Urgent5
    Qualys ID
    378161
    Vendor Reference
    VZLSA-2017:3263
    CVE Reference
    CVE-2017-1000257
    CVSS Scores
    Base 9.1 / Temporal 7.9
    Description
    Virtuozzo has released a security update for libcurl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:3263 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:3263
  • CVE-2016-2857+
    QID: 378154
    In Development

    Virtuozzo Linux Security Update for qemu-kvm (VZLSA-2017:0309)

    Severity
    Urgent5
    Qualys ID
    378154
    Vendor Reference
    VZLSA-2017:0309
    CVE Reference
    CVE-2016-2857, CVE-2017-2615
    CVSS Scores
    Base 9.1 / Temporal 7.9
    Description
    Virtuozzo has released a security update for qemu-kvm to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0309 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0309
  • CVE-2018-3136+
    QID: 378139
    In Development

    Virtuozzo Linux Security Update for java-1.8.0-openjdk-javadoc-zip (VZLSA-2018:2942)

    Severity
    Urgent5
    Qualys ID
    378139
    Vendor Reference
    VZLSA-2018:2942
    CVE Reference
    CVE-2018-3136, CVE-2018-3139, CVE-2018-3149, CVE-2018-3169, CVE-2018-3180, CVE-2018-3183, CVE-2018-3214
    CVSS Scores
    Base 9 / Temporal 7.8
    Description
    Virtuozzo has released a security update for java-1.8.0-openjdk-javadoc-zip to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2018:2942 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2018:2942
  • CVE-2023-1530+
    QID: 283821
    In Development

    Fedora Security Update for chromium (FEDORA-2023-3003165311)

    Severity
    Critical4
    Qualys ID
    283821
    Vendor Reference
    FEDORA-2023-3003165311
    CVE Reference
    CVE-2023-1530, CVE-2023-1531, CVE-2023-1534, CVE-2023-1529, CVE-2023-1528, CVE-2023-1533, CVE-2023-1532
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for chromium to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2023-3003165311
  • CVE-2021-25636+
    QID: 181639
    Recently Published

    Debian Security Update for libreoffice (DLA 3368-1)

    Severity
    Critical4
    Qualys ID
    181639
    Date Published
    March 27, 2023
    Vendor Reference
    DLA 3368-1
    CVE Reference
    CVE-2021-25636, CVE-2022-3140, CVE-2022-26305, CVE-2022-26306, CVE-2022-26307
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Debian has released a security update for libreoffice to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DLA 3368-1 for updates and patch information.
    Patches
    Debian DLA 3368-1
  • CVE-2023-27537+
    QID: 283820
    In Development

    Fedora Security Update for curl (FEDORA-2023-2884ba1528)

    Severity
    Critical4
    Qualys ID
    283820
    Vendor Reference
    FEDORA-2023-2884ba1528
    CVE Reference
    CVE-2023-27537, CVE-2023-27538, CVE-2023-27534, CVE-2023-27536, CVE-2023-27535, CVE-2023-27533
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for curl to fix the vulnerabilities.

    Affected OS:
    Fedora 37


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 37 for updates and patch information.
    Patches
    Fedora 37 FEDORA-2023-2884ba1528
  • CVE-2022-4744
    QID: 241299
    In Development

    Red Hat Update for kpatch-patch (RHSA-2023:1466)

    Severity
    Critical4
    Qualys ID
    241299
    Vendor Reference
    RHSA-2023:1466
    CVE Reference
    CVE-2022-4744
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    This is a kernel live patch module which is automatically loaded by the rpm post-install script to modify the code of a running kernel...Security Fix(es):
      kernel: tun: avoid double free in tun_free_netdev (cve-2022-4744).
    Affected Products:
      Red Hat enterprise linux for x86_64 - extended update support 9.0 x86_64.
      Red hat enterprise linux for power, little endian - extended update support 9.0 ppc64le.
      Red hat enterprise linux server for power le - update services for sap solutions 9.0 ppc64le.
      Red hat enterprise linux for x86_64 - update services for sap solutions 9.0 x86_64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1466 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1466
  • CVE-2022-4744
    QID: 241297
    In Development

    Red Hat Update for kernel security (RHSA-2023:1468)

    Severity
    Critical4
    Qualys ID
    241297
    Vendor Reference
    RHSA-2023:1468
    CVE Reference
    CVE-2022-4744
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    The kernel packages contain the linux kernel, the core of any linux operating system...Security Fix(es):
      kernel: tun: avoid double free in tun_free_netdev (cve-2022-4744).
    <H2></H2>
      Red Hat enterprise linux for x86_64 - extended update support 9.0 x86_64.
      Red hat enterprise linux for ibm z systems - extended update support 9.0 s390x.
      Red hat enterprise linux for power, little endian - extended update support 9.0 ppc64le.
      Red hat enterprise linux for arm 64 - extended update support 9.0 aarch64.
      Red hat enterprise linux server for power le - update services for sap solutions 9.0 ppc64le.
      Red hat enterprise linux for x86_64 - update services for sap solutions 9.0 x86_64.
      Red hat codeready linux builder for x86_64 - extended update support 9.0 x86_64.
      Red hat codeready linux builder for power, little endian - extended update support 9.0 ppc64le.
      Red hat codeready linux builder for ibm z systems - extended update support 9.0 s390x.
      Red hat codeready linux builder for arm 64 - extended update support 9.0 aarch64.
      Red hat enterprise linux server for arm 64 - 4 years of updates 9.0 aarch64.
      Red hat enterprise linux server for ibm z systems - 4 years of updates 9.0 s390x.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1468 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1468
  • CVE-2022-4744
    QID: 241296
    In Development

    Red Hat Update for kernel-rt (RHSA-2023:1467)

    Severity
    Critical4
    Qualys ID
    241296
    Vendor Reference
    RHSA-2023:1467
    CVE Reference
    CVE-2022-4744
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    The kernel-rt packages provide the real time linux kernel, which enables fine-tuning for systems with extremely high determinism requirements...Security Fix(es):
      kernel: tun: avoid double free in tun_free_netdev (cve-2022-4744).
    <H2></H2>
      Red Hat enterprise linux for real time for x86_64 - 4 years of updates 9.0 x86_64.
      Red hat enterprise linux for real time for nfv for x86_64 - 4 years of updates 9.0 x86_64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1467 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1467
  • CVE-2023-25751+
    QID: 241294
    In Development

    Red Hat Update for thunderbird (RHSA-2023:1472)

    Severity
    Critical4
    Qualys ID
    241294
    Vendor Reference
    RHSA-2023:1472
    CVE Reference
    CVE-2023-25751, CVE-2023-25752, CVE-2023-28162, CVE-2023-28164, CVE-2023-28176
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla thunderbird is a standalone mail and newsgroup client...Security Fix(es):
      mozilla: incorrect code generation during jit compilation (cve-2023-25751).
      Mozilla: memory safety bugs fixed in firefox 111 and firefox esr 102.9 (cve-2023-28176).
      Mozilla: potential out-of-bounds when accessing throttled streams (cve-2023-25752).
      Mozilla: invalid downcast in worklets (cve-2023-28162).
      Mozilla: url being dragged from a removed cross-origin iframe into the same tab triggered navigation (cve-2023-28164).
    Affected Products:
      Red Hat enterprise linux for x86_64 - extended update support 8.4 x86_64.
      Red hat enterprise linux server - aus 8.4 x86_64.
      Red hat enterprise linux for ibm z systems - extended update support 8.4 s390x.
      Red hat enterprise linux for power, little endian - extended update support 8.4 ppc64le.
      Red hat enterprise linux server - tus 8.4 x86_64.
      Red hat enterprise linux for arm 64 - extended update support 8.4 aarch64.
      Red hat enterprise linux server for power le - update services for sap solutions 8.4 ppc64le.
      Red hat enterprise linux for x86_64 - update services for sap solutions 8.4 x86_64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1472 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1472
  • CVE-2023-28176+
    QID: 199253
    In Development

    Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5972-1)

    Severity
    Critical4
    Qualys ID
    199253
    Vendor Reference
    USN-5972-1
    CVE Reference
    CVE-2023-28176, CVE-2023-25752, CVE-2023-28164, CVE-2023-25751, CVE-2023-28162
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Ubuntu has released a security update for thunderbird to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5972-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5972-1
  • CVE-2018-3136+
    QID: 378162
    In Development

    Virtuozzo Linux Security Update for java-1.7.0-openjdk (VZLSA-2018:3409)

    Severity
    Critical4
    Qualys ID
    378162
    Vendor Reference
    VZLSA-2018:3409
    CVE Reference
    CVE-2018-3136, CVE-2018-3139, CVE-2018-3149, CVE-2018-3169, CVE-2018-3180, CVE-2018-3214
    CVSS Scores
    Base 8.3 / Temporal 7.2
    Description
    Virtuozzo has released a security update for java-1.7.0-openjdk to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2018:3409 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2018:3409
  • CVE-2017-7718+
    QID: 378183
    In Development

    Virtuozzo Linux Security Update for qemu-kvm (VZLSA-2017:1430)

    Severity
    Critical4
    Qualys ID
    378183
    Vendor Reference
    VZLSA-2017:1430
    CVE Reference
    CVE-2017-7718, CVE-2017-7980
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Virtuozzo has released a security update for qemu-kvm to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1430 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1430
  • CVE-2017-6462+
    QID: 378174
    In Development

    Virtuozzo Linux Security Update for ntp-doc (VZLSA-2017:3071)

    Severity
    Critical4
    Qualys ID
    378174
    Vendor Reference
    VZLSA-2017:3071
    CVE Reference
    CVE-2017-6462, CVE-2017-6463, CVE-2017-6464
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Virtuozzo has released a security update for ntp-doc to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:3071 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:3071
  • CVE-2018-10194+
    QID: 378172
    In Development

    Virtuozzo Linux Security Update for ghostscript-doc (VZLSA-2018:2918)

    Severity
    Critical4
    Qualys ID
    378172
    Vendor Reference
    VZLSA-2018:2918
    CVE Reference
    CVE-2018-10194, CVE-2018-15910, CVE-2018-16509, CVE-2018-16542
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Virtuozzo has released a security update for ghostscript-doc to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2018:2918 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2018:2918
  • CVE-2016-8650+
    QID: 378168
    In Development

    Virtuozzo Linux Security Update for perf (VZLSA-2017:0933)

    Severity
    Critical4
    Qualys ID
    378168
    Vendor Reference
    VZLSA-2017:0933
    CVE Reference
    CVE-2016-8650, CVE-2016-9793, CVE-2017-2618, CVE-2017-2636
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Virtuozzo has released a security update for perf to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0933 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0933
  • CVE-2015-5203+
    QID: 378165
    In Development

    Virtuozzo Linux Security Update for jasper-utils (VZLSA-2017:1208)

    Severity
    Critical4
    Qualys ID
    378165
    Vendor Reference
    VZLSA-2017:1208
    CVE Reference
    CVE-2015-5203, CVE-2015-5221, CVE-2016-10248, CVE-2016-10249, CVE-2016-10251, CVE-2016-1577, CVE-2016-1867, CVE-2016-2089, CVE-2016-2116, CVE-2016-8654, CVE-2016-8690, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693, CVE-2016-8883, CVE-2016-8884, CVE-2016-8885, CVE-2016-9262, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, CVE-2016-9560, CVE-2016-9583, CVE-2016-9591, CVE-2016-9600
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Virtuozzo has released a security update for jasper-utils to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1208 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1208
  • CVE-2016-10167+
    QID: 378159
    In Development

    Virtuozzo Linux Security Update for php (VZLSA-2017:3221)

    Severity
    Critical4
    Qualys ID
    378159
    Vendor Reference
    VZLSA-2017:3221
    CVE Reference
    CVE-2016-10167, CVE-2016-10168
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Virtuozzo has released a security update for php to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:3221 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:3221
  • CVE-2016-7910+
    QID: 378155
    In Development

    Virtuozzo Linux Security Update for perf (VZLSA-2017:0892)

    Severity
    Critical4
    Qualys ID
    378155
    Vendor Reference
    VZLSA-2017:0892
    CVE Reference
    CVE-2016-7910, CVE-2017-2636
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Virtuozzo has released a security update for perf to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0892 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0892
  • CVE-2020-8177
    QID: 378137
    In Development

    Virtuozzo Linux Security Update for libcurl (VZLSA-2020:5002)

    Severity
    Critical4
    Qualys ID
    378137
    Vendor Reference
    VZLSA-2020:5002
    CVE Reference
    CVE-2020-8177
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Virtuozzo has released a security update for libcurl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2020:5002 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2020:5002
  • CVE-2022-4269+
    QID: 241298
    In Development

    Red Hat Update for kernel security (RHSA-2023:1470)

    Severity
    Critical4
    Qualys ID
    241298
    Vendor Reference
    RHSA-2023:1470
    CVE Reference
    CVE-2022-4269, CVE-2022-4744, CVE-2023-0266
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel packages contain the linux kernel, the core of any linux operating system...Security Fix(es):
      kernel: tun: avoid double free in tun_free_netdev (cve-2022-4744).
      Alsa: pcm: move rwsem lock inside snd_ctl_elem_read to prevent uaf (cve-2023-0266).
      Kernel: net: cpu soft lockup in tc mirred egress-to-ingress action (cve-2022-4269).
    Affected Products:
      Red Hat enterprise linux for x86_64 9 x86_64.
      Red hat enterprise linux for ibm z systems 9 s390x.
      Red hat enterprise linux for power, little endian 9 ppc64le.
      Red hat enterprise linux for arm 64 9 aarch64.
      Red hat codeready linux builder for x86_64 9 x86_64.
      Red hat codeready linux builder for power, little endian 9 ppc64le.
      Red hat codeready linux builder for arm 64 9 aarch64.
      Red hat codeready linux builder for ibm z systems 9 s390x.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1470 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1470
  • CVE-2022-4269+
    QID: 241295
    In Development

    Red Hat Update for kernel-rt (RHSA-2023:1469)

    Severity
    Critical4
    Qualys ID
    241295
    Vendor Reference
    RHSA-2023:1469
    CVE Reference
    CVE-2022-4269, CVE-2022-4744, CVE-2023-0266
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel-rt packages provide the real time linux kernel, which enables fine-tuning for systems with extremely high determinism requirements...Security Fix(es):
      kernel: tun: avoid double free in tun_free_netdev (cve-2022-4744).
      Alsa: pcm: move rwsem lock inside snd_ctl_elem_read to prevent uaf (cve-2023-0266).
      Kernel: net: cpu soft lockup in tc mirred egress-to-ingress action (cve-2022-4269).
    Affected Products:
      Red Hat enterprise linux for real time 9 x86_64.
      Red hat enterprise linux for real time for nfv 9 x86_64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1469 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1469
  • CVE-2022-4744+
    QID: 241293
    In Development

    Red Hat Update for kpatch-patch (RHSA-2023:1471)

    Severity
    Critical4
    Qualys ID
    241293
    Vendor Reference
    RHSA-2023:1471
    CVE Reference
    CVE-2022-4744, CVE-2023-0266
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This is a kernel live patch module which is automatically loaded by the rpm post-install script to modify the code of a running kernel...Security Fix(es):
      kernel: tun: avoid double free in tun_free_netdev (cve-2022-4744).
      Alsa: pcm: move rwsem lock inside snd_ctl_elem_read to prevent uaf (cve-2023-0266).
    Affected Products:
      Red Hat enterprise linux for x86_64 9 x86_64.
      Red hat enterprise linux for power, little endian 9 ppc64le.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1471 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1471
  • CVE-2017-3509+
    QID: 378171
    In Development

    Virtuozzo Linux Security Update for java-1.8.0-openjdk-javadoc-zip (VZLSA-2017:1108)

    Severity
    Critical4
    Qualys ID
    378171
    Vendor Reference
    VZLSA-2017:1108
    CVE Reference
    CVE-2017-3509, CVE-2017-3511, CVE-2017-3526, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544
    CVSS Scores
    Base 7.7 / Temporal 6.7
    Description
    Virtuozzo has released a security update for java-1.8.0-openjdk-javadoc-zip to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1108 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1108
  • CVE-2017-3509+
    QID: 378136
    In Development

    Virtuozzo Linux Security Update for java-1.8.0-openjdk-debug (VZLSA-2017:1109)

    Severity
    Critical4
    Qualys ID
    378136
    Vendor Reference
    VZLSA-2017:1109
    CVE Reference
    CVE-2017-3509, CVE-2017-3511, CVE-2017-3526, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544
    CVSS Scores
    Base 7.7 / Temporal 6.7
    Description
    Virtuozzo has released a security update for java-1.8.0-openjdk-debug to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1109 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1109
  • CVE-2016-0736+
    QID: 378182
    In Development

    Virtuozzo Linux Security Update for mod_proxy_html (VZLSA-2017:0906)

    Severity
    Critical4
    Qualys ID
    378182
    Vendor Reference
    VZLSA-2017:0906
    CVE Reference
    CVE-2016-0736, CVE-2016-2161, CVE-2016-4975, CVE-2016-8743
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Virtuozzo has released a security update for mod_proxy_html to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0906 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0906
  • CVE-2016-9147
    QID: 378177
    In Development

    Virtuozzo Linux Security Update for bind-sdb (VZLSA-2017:0063)

    Severity
    Critical4
    Qualys ID
    378177
    Vendor Reference
    VZLSA-2017:0063
    CVE Reference
    CVE-2016-9147
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Virtuozzo has released a security update for bind-sdb to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0063 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0063
  • CVE-2016-8743
    QID: 378176
    In Development

    Virtuozzo Linux Security Update for mod_ssl (VZLSA-2017:1721)

    Severity
    Critical4
    Qualys ID
    378176
    Vendor Reference
    VZLSA-2017:1721
    CVE Reference
    CVE-2016-8743
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Virtuozzo has released a security update for mod_ssl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1721 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1721
  • CVE-2017-7805
    QID: 378166
    In Development

    Virtuozzo Linux Security Update for nss-tools (VZLSA-2017:2832)

    Severity
    Critical4
    Qualys ID
    378166
    Vendor Reference
    VZLSA-2017:2832
    CVE Reference
    CVE-2017-7805
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Virtuozzo has released a security update for nss-tools to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:2832 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:2832
  • CVE-2017-7502
    QID: 378156
    In Development

    Virtuozzo Linux Security Update for nss-tools (VZLSA-2017:1365)

    Severity
    Critical4
    Qualys ID
    378156
    Vendor Reference
    VZLSA-2017:1365
    CVE Reference
    CVE-2017-7502
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Virtuozzo has released a security update for nss-tools to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1365 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1365
  • CVE-2017-8779
    QID: 378153
    In Development

    Virtuozzo Linux Security Update for libtirpc (VZLSA-2017:1263)

    Severity
    Critical4
    Qualys ID
    378153
    Vendor Reference
    VZLSA-2017:1263
    CVE Reference
    CVE-2017-8779
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Virtuozzo has released a security update for libtirpc to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1263 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1263
  • CVE-2017-12150+
    QID: 378151
    In Development

    Virtuozzo Linux Security Update for samba-winbind-krb5-locator (VZLSA-2017:2789)

    Severity
    Critical4
    Qualys ID
    378151
    Vendor Reference
    VZLSA-2017:2789
    CVE Reference
    CVE-2017-12150, CVE-2017-12163, CVE-2017-2619
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Virtuozzo has released a security update for samba-winbind-krb5-locator to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:2789 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:2789
  • CVE-2018-7159+
    QID: 378150
    In Development

    Virtuozzo Linux Security Update for http-parser (VZLSA-2019:2258)

    Severity
    Critical4
    Qualys ID
    378150
    Vendor Reference
    VZLSA-2019:2258
    CVE Reference
    CVE-2018-7159, CVE-2018-12121
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Virtuozzo has released a security update for http-parser to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2019:2258 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2019:2258
  • CVE-2017-12171+
    QID: 378145
    In Development

    Virtuozzo Linux Security Update for mod_ssl (VZLSA-2017:2972)

    Severity
    Critical4
    Qualys ID
    378145
    Vendor Reference
    VZLSA-2017:2972
    CVE Reference
    CVE-2017-12171, CVE-2017-9798
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Virtuozzo has released a security update for mod_ssl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:2972 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:2972
  • CVE-2023-0286
    QID: 520011
    In Development

    Open Secure Sockets Layer (OpenSSL) Type Confusion Vulnerability (CVE-2023-0286)

    Severity
    Critical4
    Qualys ID
    520011
    Vendor Reference
    OpenSSL
    CVE Reference
    CVE-2023-0286
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end.

    There is a security vulnerability related to the processing of X.400 addresses in an X.509 GeneralName. The issue is caused by a type confusion error in the way X.400 addresses are parsed as an ASN1_STRING but are specified as ASN1_TYPE in the GENERAL_NAME structure definition. This may allow an attacker to pass arbitrary pointers to a memcmp call, potentially enabling them to read memory contents or cause a denial of service attack. The attack may require the attacker to control both the certificate chain and CRL, and the vulnerability is most likely to affect applications with custom CRL retrieval functionality.

    Affected Versions:
    OpenSSL version 1.0.2 to 1.0.2zf
    OpenSSL version 1.1.1 to 1.1.1q
    OpenSSL version 3.0.0 to 3.0.7

    QID Detection Logic: (Unauthenticated)
    This QID checks for vulnerable version of OpenSSL by extracting OpenSSL version from HTTP response header.

    Consequence
    If successfully exploited, this vulnerability could potentially allow an attacker to read sensitive memory contents or cause a denial of service attack.

    Solution
    Vendor has released a patch to address these vulnerabilities. Customers are advised to refer to OpenSSL Security Advisory for more information pertaining to these vulnerabilities.

    Patches
    OpenSSL
  • CVE-2019-14823
    QID: 378169
    In Development

    Virtuozzo Linux Security Update for jss-javadoc (VZLSA-2019:3067)

    Severity
    Critical4
    Qualys ID
    378169
    Vendor Reference
    VZLSA-2019:3067
    CVE Reference
    CVE-2019-14823
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    Virtuozzo has released a security update for jss-javadoc to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2019:3067 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2019:3067
  • CVE-2017-12150+
    QID: 378135
    In Development

    Virtuozzo Linux Security Update for samba4-common (VZLSA-2017:2791)

    Severity
    Critical4
    Qualys ID
    378135
    Vendor Reference
    VZLSA-2017:2791
    CVE Reference
    CVE-2017-12150, CVE-2017-12163
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    Virtuozzo has released a security update for samba4-common to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:2791 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:2791
  • CVE-2021-2341+
    QID: 378184
    In Development

    Red Hat OpenJDK 11.0.12 Security Update for Windows Builds (RHSA-2021:2779)

    Severity
    Serious3
    Qualys ID
    378184
    Vendor Reference
    RHSA-2021:2779
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    This release of the Red Hat build of OpenJDK 11 (11.0.12) for Windows serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.11) and includes security and bug fixes, and enhancements.

    OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432) (CVE-2021-2341)

    OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967) (CVE-2021-2369)

    OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066) (CVE-2021-2388)
    Affected Versions:
    Red Hat build of OpenJDK 11 (11.0.11) and later Versions and Prior to OpenJDK 11 (11.0.12)

    QID Detection Logic (Authenticated):
    This QID checks for:
    "HKLM\Software\JavaSoft\Java Runtime Environment"
    "HKLM\Software\Wow6432Node\JavaSoft\Java Runtime Environment"
    "HKLM\Software\JavaSoft\Java Development Kit"
    "HKLM\Software\Wow6432Node\JavaSoft\Java Development Kit"
    "HKLM\Software\JavaSoft\JRE"
    "HKLM\Software\Wow6432Node\JavaSoft\JRE"
    "HKLM\Software\JavaSoft\JDK"
    and "HKLM\Software\Wow6432Node\JavaSoft\JDK" subkeys and fetches JavaHome value, checks for bin\java.exe file existence in the fetched location, performs jar extraction to confirm Red Hat as the vendor, then reads the compare the version for file java.exe and posts the QID on Windows Operating Systems

    Consequence
    Successful attacks of this vulnerability can result in takeover of Java SE.
    Solution
    For more information regarding the update RHSA-2021:2779
    Patches
    RHSA-2021:2779
  • CVE-2021-2341+
    QID: 378130
    In Development

    Red Hat OpenJDK 8u302 Windows Builds release and security update (RHSA-2021:2777)

    Severity
    Serious3
    Qualys ID
    378130
    Vendor Reference
    RHSA-2021:2777
    CVE Reference
    CVE-2021-2341, CVE-2021-2369, CVE-2021-2388
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    P>The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

    OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432) (CVE-2021-2341).

    OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967) (CVE-2021-2369)

    OpenJDK: Incorrect comparison during range check elimination (Hotspot,8264066) (CVE-2021-2388)
    Affected Versions:
    Red Hat build of OpenJDK 8 (1.8.0.292) and later Versions and Prior to OpenJDK 8 (1.8.0.302)

    QID Detection Logic (Authenticated)
    This QID checks for the below registry keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ,"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall and sub values to check Publisher and Display version.

    Consequence
    Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE.
    Solution
    For more information regarding the update RHSA-2021:2777
    Patches
    RHSA-2021:2777
  • CVE-2021-35550+
    QID: 378185
    In Development

    Red Hat OpenJDK 11.0.13 security update for Windows Builds (RHSA-2021:3968)

    Severity
    Serious3
    Qualys ID
    378185
    Vendor Reference
    RHSA-2021:3968
    CVE Reference
    CVE-2021-35550, CVE-2021-35556, CVE-2021-35559, CVE-2021-35561, CVE-2021-35564, CVE-2021-35565, CVE-2021-35567, CVE-2021-35578, CVE-2021-35586, CVE-2021-35603
    CVSS Scores
    Base 6.8 / Temporal 5.9
    Description

    This release of the Red Hat build of OpenJDK 11 (11.0.13) for Windows serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.12) and includes security and bug fixes, and enhancements..

    OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565).

    OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567).

    OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210) (CVE-2021-35550).

    OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167) (CVE-2021-35556).

    OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580) (CVE-2021-35559).

    OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561).

    OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137) (CVE-2021-35564).

    OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729) (CVE-2021-35578).

    OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735) (CVE-2021-35586).

    OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618) (CVE-2021-35603).
    Affected Versions:
    Red Hat build of OpenJDK 11 (11.0.12) and later Versions and Prior to OpenJDK 11 (11.0.13)

    QID Detection Logic (Authenticated):
    This QID checks for:
    "HKLM\Software\JavaSoft\Java Runtime Environment"
    "HKLM\Software\Wow6432Node\JavaSoft\Java Runtime Environment"
    "HKLM\Software\JavaSoft\Java Development Kit"
    "HKLM\Software\Wow6432Node\JavaSoft\Java Development Kit"
    "HKLM\Software\JavaSoft\JRE"
    "HKLM\Software\Wow6432Node\JavaSoft\JRE"
    "HKLM\Software\JavaSoft\JDK"
    and "HKLM\Software\Wow6432Node\JavaSoft\JDK" subkeys and fetches JavaHome value, checks for bin\java.exe file existence in the fetched location, performs jar extraction to confirm Red Hat as the vendor, then reads the compare the version for file java.exe and posts the QID on Windows Operating Systems

    Consequence
    Successful attacks of this vulnerability can result in unauthorized access to critical data .
    Solution
    For more information regarding the update RHSA-2021:3968
    Patches
    RHSA-2021:3968
  • CVE-2019-2945+
    QID: 378152
    In Development

    Virtuozzo Linux Security Update for java-1.7.0-openjdk-headless (VZLSA-2019:3157)

    Severity
    Serious3
    Qualys ID
    378152
    Vendor Reference
    VZLSA-2019:3157
    CVE Reference
    CVE-2019-2945, CVE-2019-2962, CVE-2019-2964, CVE-2019-2973, CVE-2019-2978, CVE-2019-2981, CVE-2019-2983, CVE-2019-2987, CVE-2019-2988, CVE-2019-2989, CVE-2019-2992, CVE-2019-2999
    CVSS Scores
    Base 6.8 / Temporal 5.9
    Description
    Virtuozzo has released a security update for java-1.7.0-openjdk-headless to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2019:3157 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2019:3157
  • CVE-2020-11078
    QID: 378148
    In Development

    Virtuozzo Linux Security Update for fence-agents-mpath (VZLSA-2020:5003)

    Severity
    Serious3
    Qualys ID
    378148
    Vendor Reference
    VZLSA-2020:5003
    CVE Reference
    CVE-2020-11078
    CVSS Scores
    Base 6.8 / Temporal 5.9
    Description
    Virtuozzo has released a security update for fence-agents-mpath to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2020:5003 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2020:5003
  • CVE-2021-35550+
    QID: 378132
    In Development

    Red Hat OpenJDK 8u312 Windows Builds release and security update (RHSA-2021:3961)

    Severity
    Serious3
    Qualys ID
    378132
    Vendor Reference
    RHSA-2021:3961
    CVE Reference
    CVE-2021-35550, CVE-2021-35556, CVE-2021-35559, CVE-2021-35561, CVE-2021-35564, CVE-2021-35565, CVE-2021-35567, CVE-2021-35578, CVE-2021-35586, CVE-2021-35588, CVE-2021-35603
    CVSS Scores
    Base 6.8 / Temporal 5.9
    Description

    The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

    Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565)

    Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567)

    Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210) (CVE-2021-35550)

    Excessive memory allocation in RTFParser (Swing, 8265167) (CVE-2021-35556)

    Excessive memory allocation in RTFReader (Swing, 8265580) (CVE-2021-35559)

    Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561)

    Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137) (CVE-2021-35564)

    Unexpected exception raised during TLS handshake (JSSE, 8267729) (CVE-2021-35578)

    Excessive memory allocation in BMPImageReader (ImageIO, 8267735) (CVE-2021-35586)

    Incomplete validation of inner class references in ClassFileParser (Hotspot, 8268071) (CVE-2021-35588)

    Non-constant comparison during TLS handshakes (JSSE, 8269618) (CVE-2021-35603)
    Affected Versions:
    Red Hat build of OpenJDK 8 (1.8.0.302) and later Versions and Prior to OpenJDK 8 (1.8.0.312)

    QID Detection Logic (Authenticated)
    This QID checks for the below registry keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ,"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall and sub values to check Publisher and Display version.

    Consequence
    Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java
    Solution
    For more information regarding the update RHSA-2021:3961
    Patches
    RHSA-2021:3961
  • CVE-2017-3142+
    QID: 378178
    In Development

    Virtuozzo Linux Security Update for bind-sdb (VZLSA-2017:1679)

    Severity
    Serious3
    Qualys ID
    378178
    Vendor Reference
    VZLSA-2017:1679
    CVE Reference
    CVE-2017-3142, CVE-2017-3143
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Virtuozzo has released a security update for bind-sdb to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1679 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1679
  • CVE-2018-12384
    QID: 378164
    In Development

    Virtuozzo Linux Security Update for nss-tools (VZLSA-2018:2898)

    Severity
    Serious3
    Qualys ID
    378164
    Vendor Reference
    VZLSA-2018:2898
    CVE Reference
    CVE-2018-12384
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Virtuozzo has released a security update for nss-tools to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2018:2898 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2018:2898
  • CVE-2019-1559
    QID: 378140
    In Development

    Virtuozzo Linux Security Update for openssl-perl (VZLSA-2019:2471)

    Severity
    Serious3
    Qualys ID
    378140
    Vendor Reference
    VZLSA-2019:2471
    CVE Reference
    CVE-2019-1559
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Virtuozzo has released a security update for openssl-perl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2019:2471 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2019:2471
  • CVE-2021-2161+
    QID: 378133
    In Development

    Red Hat OpenJDK 11.0.11 Security Update for Windows Builds (RHSA-2021:1447)

    Severity
    Serious3
    Qualys ID
    378133
    Vendor Reference
    RHSA-2021:1447
    CVE Reference
    CVE-2021-2161, CVE-2021-2163
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description

    This release of the Red Hat build of OpenJDK 11 (11.0.11) for Windows serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.10) and includes security and bug fixes, and enhancements.

    OpenJDK: Incorrect handling of partially quoted arguments in ProcessBuilder on Windows (Libraries, 8250568) (CVE-2021-2161)

    OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906) (CVE-2021-2163)
    Affected Versions:
    Red Hat build of OpenJDK 11 (11.0.10) and later Versions and Prior to OpenJDK 11 (11.0.11)

    QID Detection Logic (Authenticated):
    This QID checks for:
    "HKLM\Software\JavaSoft\Java Runtime Environment"
    "HKLM\Software\Wow6432Node\JavaSoft\Java Runtime Environment"
    "HKLM\Software\JavaSoft\Java Development Kit"
    "HKLM\Software\Wow6432Node\JavaSoft\Java Development Kit"
    "HKLM\Software\JavaSoft\JRE"
    "HKLM\Software\Wow6432Node\JavaSoft\JRE"
    "HKLM\Software\JavaSoft\JDK"
    and "HKLM\Software\Wow6432Node\JavaSoft\JDK" subkeys and fetches JavaHome value, checks for bin\java.exe file existence in the fetched location, performs jar extraction to confirm Red Hat as the vendor, then reads the compare the version for file java.exe and posts the QID on Windows Operating Systems

    Consequence
    Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE.
    Solution
    For more information regarding the update RHSA-2021:1447
    Patches
    RHSA-2021:1447
  • CVE-2021-2161+
    QID: 378129
    In Development

    Red Hat OpenJDK 8u292 Windows Builds release and security update (RHSA-2021:1445)

    Severity
    Serious3
    Qualys ID
    378129
    Vendor Reference
    RHSA-2021:1445
    CVE Reference
    CVE-2021-2161, CVE-2021-2163
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description

    The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

    This release of the Red Hat build of OpenJDK 8 (1.8.0.292) for Windows serves as a replacement for the Red Hat build of OpenJDK 8 (1.8.0.282) and includes security and bug fixes, and enhancements.
    OpenJDK: Incorrect handling of partially quoted arguments in ProcessBuilder on Windows (Libraries, 8250568) (CVE-2021-2161)
    OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906) (CVE-2021-2163)
    Affected Versions:
    Red Hat build of OpenJDK 8 (1.8.0.282) and later Versions and Prior to OpenJDK 8 (1.8.0.292)

    QID Detection Logic (Authenticated)
    This QID checks for the below registry keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ,"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall and sub values to check Publisher and Display version.

    Consequence
    Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE.
    Solution
    For more information regarding the update RHSA-2021:1445
    Patches
    RHSA-2021:1445
  • CVE-2018-12126+
    QID: 378146
    In Development

    Virtuozzo Linux Security Update for libvirt-lock-sanlock (VZLSA-2019:1180)

    Severity
    Serious3
    Qualys ID
    378146
    Vendor Reference
    VZLSA-2019:1180
    CVE Reference
    CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
    CVSS Scores
    Base 5.6 / Temporal 4.9
    Description
    Virtuozzo has released a security update for libvirt-lock-sanlock to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2019:1180 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2019:1180
  • CVE-2022-21248+
    QID: 378186
    In Development

    Red Hat OpenJDK 17.0.2 security update for Windows Builds (RHSA-2022:0165)

    Severity
    Serious3
    Qualys ID
    378186
    Vendor Reference
    RHSA-2022:0165
    CVE Reference
    CVE-2022-21248, CVE-2022-21277, CVE-2022-21282, CVE-2022-21283, CVE-2022-21291, CVE-2022-21293, CVE-2022-21294, CVE-2022-21296, CVE-2022-21299, CVE-2022-21305, CVE-2022-21340, CVE-2022-21341, CVE-2022-21360, CVE-2022-21365, CVE-2022-21366
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description

    The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

    OpenJDK: Unexpected exception thrown in regex Pattern (Libraries, 8268813) (CVE-2022-21283).

    OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392) (CVE-2022-21293).

    OpenJDK: Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416) (CVE-2022-21294).

    OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492) (CVE-2022-21282).

    OpenJDK: Incorrect access checks in XMLEntityManager (JAXP, 8270498) (CVE-2022-21296).

    OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299).

    OpenJDK: Incorrect reading of TIFF files in TIFFNullDecompressor (ImageIO, 8270952) (CVE-2022-21277).

    OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756) (CVE-2022-21360).

    OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838) (CVE-2022-21365).

    OpenJDK: Excessive memory allocation in TIFF*Decompressor (ImageIO, 8274096) (CVE-2022-21366).

    OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934) (CVE-2022-21248).

    OpenJDK: Incorrect marking of writeable fields (Hotspot, 8270386) (CVE-2022-21291).

    OpenJDK: Array indexing issues in LIRGenerator (Hotspot, 8272014) (CVE-2022-21305).

    OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026) (CVE-2022-21340).

    OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236) (CVE-2022-21341).
    Affected Versions:
    Red Hat build of OpenJDK 17 (17.0.1) and later Versions and Prior to OpenJDK 17 (17.0.2)

    QID Detection Logic (Authenticated):
    This QID checks for:
    "HKLM\Software\JavaSoft\Java Runtime Environment"
    "HKLM\Software\Wow6432Node\JavaSoft\Java Runtime Environment"
    "HKLM\Software\JavaSoft\Java Development Kit"
    "HKLM\Software\Wow6432Node\JavaSoft\Java Development Kit"
    "HKLM\Software\JavaSoft\JRE"
    "HKLM\Software\Wow6432Node\JavaSoft\JRE"
    "HKLM\Software\JavaSoft\JDK"
    and "HKLM\Software\Wow6432Node\JavaSoft\JDK" subkeys and fetches JavaHome value, checks for bin\java.exe file existence in the fetched location, performs jar extraction to confirm Red Hat as the vendor, then reads the compare the version for file java.exe and posts the QID on Windows Operating Systems

    Consequence
    Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS).
    Solution
    For more information regarding the update RHSA-2022:0165
    Patches
    RHSA-2022:0165
  • CVE-2019-2745+
    QID: 378181
    In Development

    Virtuozzo Linux Security Update for java-1.8.0-openjdk-javadoc-zip (VZLSA-2019:1815)

    Severity
    Serious3
    Qualys ID
    378181
    Vendor Reference
    VZLSA-2019:1815
    CVE Reference
    CVE-2019-2745, CVE-2019-2762, CVE-2019-2769, CVE-2019-2786, CVE-2019-2816, CVE-2019-2842
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    Virtuozzo has released a security update for java-1.8.0-openjdk-javadoc-zip to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2019:1815 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2019:1815
  • CVE-2019-2745+
    QID: 378180
    In Development

    Virtuozzo Linux Security Update for java-1.7.0-openjdk-headless (VZLSA-2019:1839)

    Severity
    Serious3
    Qualys ID
    378180
    Vendor Reference
    VZLSA-2019:1839
    CVE Reference
    CVE-2019-2745, CVE-2019-2762, CVE-2019-2769, CVE-2019-2786, CVE-2019-2816, CVE-2019-2842
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    Virtuozzo has released a security update for java-1.7.0-openjdk-headless to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2019:1839 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2019:1839
  • CVE-2023-1410
    QID: 730771
    In Development

    Grafana Stored Cross-Site Scripting (XSS) Vulnerability

    Severity
    Serious3
    Qualys ID
    730771
    Vendor Reference
    Grafana Security Advisory
    CVE Reference
    CVE-2023-1410
    CVSS Scores
    Base 4.8 / Temporal 4.3
    Description
    Grafana is a multi-platform open source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.

    When a user adds a Graphite data source, they can then use the data source in a dashboard. This capability contains a feature to use Functions. Once a function is selected, a small tooltip appears when hovering over the name of the function. This tooltip allows you to delete the selected Function from your query or show the Function Description. However, no sanitization is done when adding this description to the DOM.
    Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.

    Affected Versions:
    Grafana versions from 8.5.0 to 8.5.21
    Grafana versions from 9.2.0 to 9.2.14
    Grafana versions from 9.3.0 to 9.3.10
    Grafana versions from 9.4.0 to 9.4.6

    QID Detection Logic (Unauthenticated):
    This QID checks for vulnerable version of Grafana from the server response

    Consequence
    An attacker needs to have control over an already configured Graphite data source, or a Grafana admin needs to add a deliberately modified Graphite data source.
    This means that vertical privilege escalation is possible, where malicious JavaScript could change to a known password for a user, when viewing the Explore view and hovering over a Function tooltip.

    Solution
    Grafana has released patch to address the vulnerability. For more information please refer to Grafana Security Advisory

    Patches
    Grafana Security Advisory
  • CVE-2023-28303
    QID: 378131
    Recently Published

    Microsoft Windows Snipping Tool Information Disclosure Vulnerability

    Severity
    Medium2
    Qualys ID
    378131
    Date Published
    March 27, 2023
    Vendor Reference
    Microsoft Windows Snipping Tool Studio Advisory
    CVE Reference
    CVE-2023-28303
    CVSS Scores
    Base 3.3 / Temporal 3
    Description
    Snipping Tool is a Microsoft Windows screenshot utility, it can take still screenshots of an open window, rectangular areas, a free-form area, or the entire screen.

    CVE-2023-28303: Microsoft Windows Snipping Tool is vulnerable to Information Disclosure Vulnerability.

    Affected Versions:
    Snip and Sketch installed on Windows 10, app versions prior to 10.2008.3001.0
    Snipping Tool installed on Windows 11, app versions prior to 11.2302.20.0

    Patched Versions:
    For Snip and Sketch installed on Windows 10, app versions 10.2008.3001.0 and later contain this update.
    For Snipping Tool installed on Windows 11, app versions 11.2302.20.0 and later contain this update.

    NOTE:
    Only Snip/Sketch in Windows 10 and Snipping Tool in Windows 11 are affected by this vulnerability.

    QID Detection Logic (Authenticated):
    Windows: Checks for vulnerable version by using the following WMI query "select version from Win32_InstalledStoreProgram where name='Microsoft.ScreenSketch'".

    Consequence
    Successful exploitation may allow an attacker ability to recover parts of the original image if partially overwritten through the use of a special tool.
    Solution
    Customers are advised to upgrade latest available version to remediate this vulnerability. For more information please refer to Microsoft Windows Snipping Tool Studio Advisory.

    Patches
    Microsoft Windows Snipping Tool Studio Advisory
  • CVE-2022-42331+
    QID: 283819
    Recently Published

    Fedora Security Update for xen (FEDORA-2023-da8315e641)

    Severity
    Critical4
    Qualys ID
    283819
    Date Published
    March 27, 2023
    Vendor Reference
    FEDORA-2023-da8315e641
    CVE Reference
    CVE-2022-42331, CVE-2022-42334, CVE-2022-42333, CVE-2022-42332
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for xen to fix the vulnerabilities.

    Affected OS:
    Fedora 37


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 37 for updates and patch information.
    Patches
    Fedora 37 FEDORA-2023-da8315e641
  • CVE-2023-25690+
    QID: 753845
    Recently Published

    SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2023:1573-1)

    Severity
    Urgent5
    Qualys ID
    753845
    Date Published
    March 27, 2023
    Vendor Reference
    SUSE-SU-2023:1573-1
    CVE Reference
    CVE-2023-25690, CVE-2023-27522
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SUSE has released a security update for apache2 to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP3|SUSE Linux Enterprise Server for SAP Applications 15 SP3
    SUSE Linux Enterprise Server 15 SP2|SUSE Linux Enterprise Server for SAP Applications 15 SP2
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:1573-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:1573-1
  • CVE-2023-25690+
    QID: 283818
    Recently Published

    Fedora Security Update for httpd (FEDORA-2023-7df48f618b)

    Severity
    Urgent5
    Qualys ID
    283818
    Date Published
    March 27, 2023
    Vendor Reference
    FEDORA-2023-7df48f618b
    CVE Reference
    CVE-2023-25690, CVE-2023-27522
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for httpd to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2023-7df48f618b
  • CVE-2023-28286+
    QID: 378128
    Recently Published

    Microsoft Edge Based on Chromium Prior to 111.0.1661.54/ Extended Version 110.0.1587.78 has Multiple Vulnerabilities

    Severity
    Critical4
    Qualys ID
    378128
    Date Published
    March 27, 2023
    Vendor Reference
    Edge (chromium based) 111.0.1661.54
    CVE Reference
    CVE-2023-28286, CVE-2023-28261, CVE-2023-1528, CVE-2023-1534, CVE-2023-1532, CVE-2023-1531, CVE-2023-1529, CVE-2023-1533, CVE-2023-1530
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    EdgeChromium has released security update for Mac and Windows to fix the vulnerabilities.
    QID Detection Logic: (Authenticated).
    It checks package versions to check for the vulnerable packages.


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Customers are advised to upgrade to version 111.0.1661.54 or later
    Patches
    Edge (chromium based) 111.0.1661.54
  • CVE-2023-1533+
    QID: 283817
    Recently Published

    Fedora Security Update for chromium (FEDORA-2023-0e77b3d321)

    Severity
    Critical4
    Qualys ID
    283817
    Date Published
    March 27, 2023
    Vendor Reference
    FEDORA-2023-0e77b3d321
    CVE Reference
    CVE-2023-1533, CVE-2023-1534, CVE-2023-1531, CVE-2023-1532, CVE-2023-1528, CVE-2023-1530, CVE-2023-1529
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for chromium to fix the vulnerabilities.

    Affected OS:
    Fedora 37


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 37 for updates and patch information.
    Patches
    Fedora 37 FEDORA-2023-0e77b3d321
  • QID: 753846
    Recently Published

    SUSE Enterprise Linux Security Update for dpdk (SUSE-SU-2023:1572-1)

    Severity
    Critical4
    Qualys ID
    753846
    Date Published
    March 27, 2023
    Vendor Reference
    SUSE-SU-2023:1572-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 12 SP4|SUSE Linux Enterprise Server for SAP Applications 12 SP4
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:1572-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:1572-1
  • QID: 691100
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for phpmyfaq (6bacd9fd-ca56-11ed-bc52-589cfc0f81b0)

    Severity
    Critical4
    Qualys ID
    691100
    Date Published
    March 27, 2023
    Vendor Reference
    6bacd9fd-ca56-11ed-bc52-589cfc0f81b0
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    FreeBSD has released a security update for phpmyfaq to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory 6bacd9fd-ca56-11ed-bc52-589cfc0f81b0 for updates and patch information.
    Patches
    "FreeBSD" 6bacd9fd-ca56-11ed-bc52-589cfc0f81b0
  • CVE-2023-28686
    QID: 502693
    Recently Published

    Alpine Linux Security Update for dino

    Severity
    Critical4
    Qualys ID
    502693
    Date Published
    March 27, 2023
    Vendor Reference
    dino
    CVE Reference
    CVE-2023-28686
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Alpine Linux has released a security update for dino to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.16


    Affected Package versions prior to 0.3.2-r0.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory dino for updates and patch information.
    Patches
    Alpine Linux dino-0.3.2-r0
  • QID: 181638
    Recently Published

    Debian Security Update for libdatetime-timezone-perl (DLA 3367-1)

    Severity
    Serious3
    Qualys ID
    181638
    Date Published
    March 27, 2023
    Vendor Reference
    DLA 3367-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Debian has released a security update for libdatetime-timezone-perl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DLA 3367-1 for updates and patch information.
    Patches
    Debian DLA 3367-1
  • QID: 181637
    Recently Published

    Debian Security Update for tzdata (DLA 3366-1)

    Severity
    Serious3
    Qualys ID
    181637
    Date Published
    March 27, 2023
    Vendor Reference
    DLA 3366-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Debian has released a security update for tzdata to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DLA 3366-1 for updates and patch information.
    Patches
    Debian DLA 3366-1
  • CVE-2023-27522+
    QID: 691094
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (8edeb3c1-bfe7-11ed-96f5-3497f65b111b)

    Severity
    Urgent5
    Qualys ID
    691094
    Date Published
    March 27, 2023
    Vendor Reference
    8edeb3c1-bfe7-11ed-96f5-3497f65b111b
    CVE Reference
    CVE-2023-27522, CVE-2023-25690
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD has released a security update for apache httpd to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory 8edeb3c1-bfe7-11ed-96f5-3497f65b111b for updates and patch information.
    Patches
    "FreeBSD" 8edeb3c1-bfe7-11ed-96f5-3497f65b111b
  • QID: 106116
    In Development

    EOL/Obsolete Software: Microsoft Visual C++ 2010 Redistributable Package Detected

    Severity
    Urgent5
    Qualys ID
    106116
    Vendor Reference
    Microsoft Support Lifecycle
    CVSS Scores
    Base 9.8 / Temporal 9
    Description

    The Microsoft Visual C++ 2010 Redistributable Package installs runtime components of Visual C++ Libraries required to run applications developed with Visual C++ on a computer that does not have Visual C++ 2010 installed.

    The Host is running Microsoft VC++ 2010 Redistributable which is not supported by Microsoft anymore.

    QID Detection Logic (authenticated):
    This QID checks if VC++ 2010 Redistributable Package is installed or not by checking the presence of 'msdia100.dll' file.

    NOTE: This detection does not differentiate if the software is installed directly or shipped with other microsoft product.

    Consequence

    The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks.

    Solution
    Customers are advised to update to latest version of Microsoft VC++ Redistributable. Refer to The Latest Supported Visual C++ Redistributable Downloads for more details.
  • CVE-2023-28100+
    QID: 283814
    Recently Published

    Fedora Security Update for flatpak (FEDORA-2023-b0717d8c45)

    Severity
    Urgent5
    Qualys ID
    283814
    Date Published
    March 27, 2023
    Vendor Reference
    FEDORA-2023-b0717d8c45
    CVE Reference
    CVE-2023-28100, CVE-2023-28101
    CVSS Scores
    Base 10 / Temporal 8.7
    Description
    Fedora has released a security update for flatpak to fix the vulnerabilities.

    Affected OS:
    Fedora 37


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 37 for updates and patch information.
    Patches
    Fedora 37 FEDORA-2023-b0717d8c45
  • CVE-2023-1530+
    QID: 691092
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for chromium (c8b334e0-6e83-4575-81d1-f9d5803ceb07)

    Severity
    Critical4
    Qualys ID
    691092
    Date Published
    March 27, 2023
    Vendor Reference
    c8b334e0-6e83-4575-81d1-f9d5803ceb07
    CVE Reference
    CVE-2023-1530, CVE-2023-1528, CVE-2023-1532, CVE-2023-1529, CVE-2023-1534, CVE-2023-1531, CVE-2023-1533
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    FreeBSD has released a security update for chromium to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory c8b334e0-6e83-4575-81d1-f9d5803ceb07 for updates and patch information.
    Patches
    "FreeBSD" c8b334e0-6e83-4575-81d1-f9d5803ceb07
  • CVE-2023-1223+
    QID: 691095
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for chromium (d357f6bb-0af4-4ac9-b096-eeec183ad829)

    Severity
    Critical4
    Qualys ID
    691095
    Date Published
    March 27, 2023
    Vendor Reference
    d357f6bb-0af4-4ac9-b096-eeec183ad829
    CVE Reference
    CVE-2023-1223, CVE-2023-1235, CVE-2023-1224, CVE-2023-1234, CVE-2023-1233, CVE-2023-1221, CVE-2023-1230, CVE-2023-1232, CVE-2023-1218, CVE-2023-1229, CVE-2023-1225, CVE-2023-1216, CVE-2023-1214, CVE-2023-1217, CVE-2023-1222, CVE-2023-1213, CVE-2023-1226, CVE-2023-1227, CVE-2023-1228, CVE-2023-1220, CVE-2023-1236, CVE-2023-1219, CVE-2023-1215, CVE-2023-1231
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    FreeBSD has released a security update for chromium to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory d357f6bb-0af4-4ac9-b096-eeec183ad829 for updates and patch information.
    Patches
    "FreeBSD" d357f6bb-0af4-4ac9-b096-eeec183ad829
  • CVE-2022-46285+
    QID: 691091
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for libxpm (38f213b6-8f3d-4067-91ef-bf14de7ba518)

    Severity
    Critical4
    Qualys ID
    691091
    Date Published
    March 27, 2023
    Vendor Reference
    38f213b6-8f3d-4067-91ef-bf14de7ba518
    CVE Reference
    CVE-2022-46285, CVE-2022-44617, CVE-2022-4883
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    FreeBSD has released a security update for libxpm to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory 38f213b6-8f3d-4067-91ef-bf14de7ba518 for updates and patch information.
    Patches
    "FreeBSD" 38f213b6-8f3d-4067-91ef-bf14de7ba518
  • CVE-2022-3970
    QID: 502692
    Recently Published

    Alpine Linux Security Update for tiff

    Severity
    Critical4
    Qualys ID
    502692
    Date Published
    March 27, 2023
    Vendor Reference
    tiff
    CVE Reference
    CVE-2022-3970
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Alpine Linux has released a security update for tiff to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.14
    Alpine Linux 3.15
    Alpine Linux 3.16


    Affected Package versions prior to 4.4.0-r1.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory tiff for updates and patch information.
    Patches
    Alpine Linux tiff-4.4.0-r1
  • CVE-2022-42328+
    QID: 199251
    Recently Published

    Ubuntu Security Notification for Linux kernel Vulnerabilities (USN-5970-1)

    Severity
    Critical4
    Qualys ID
    199251
    Date Published
    March 27, 2023
    Vendor Reference
    USN-5970-1
    CVE Reference
    CVE-2022-42328, CVE-2023-1195, CVE-2023-0266, CVE-2022-2196, CVE-2022-4382, CVE-2023-0469, CVE-2023-23559, CVE-2023-0045, CVE-2022-42329
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Ubuntu has released a security update for linux to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5970-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5970-1
  • CVE-2023-25752+
    QID: 940965
    Recently Published

    AlmaLinux Security Update for thunderbird (ALSA-2023:1407)

    Severity
    Critical4
    Qualys ID
    940965
    Date Published
    March 27, 2023
    Vendor Reference
    ALSA-2023:1407
    CVE Reference
    CVE-2023-25752, CVE-2023-28164, CVE-2023-25751, CVE-2023-28176, CVE-2023-28162
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    AlmaLinux has released a security update for thunderbird to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2023:1407 for updates and patch information.
    Patches
    AlmaLinux ALSA-2023:1407
  • CVE-2023-0767
    QID: 940964
    Recently Published

    AlmaLinux Security Update for nss (ALSA-2023:1368)

    Severity
    Critical4
    Qualys ID
    940964
    Date Published
    March 27, 2023
    Vendor Reference
    ALSA-2023:1368
    CVE Reference
    CVE-2023-0767
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    AlmaLinux has released a security update for nss to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2023:1368 for updates and patch information.
    Patches
    AlmaLinux ALSA-2023:1368
  • CVE-2023-28162+
    QID: 940963
    Recently Published

    AlmaLinux Security Update for thunderbird (ALSA-2023:1403)

    Severity
    Critical4
    Qualys ID
    940963
    Date Published
    March 27, 2023
    Vendor Reference
    ALSA-2023:1403
    CVE Reference
    CVE-2023-28162, CVE-2023-25752, CVE-2023-28164, CVE-2023-28176, CVE-2023-25751
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    AlmaLinux has released a security update for thunderbird to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2023:1403 for updates and patch information.
    Patches
    AlmaLinux ALSA-2023:1403
  • QID: 753844
    Recently Published

    SUSE Enterprise Linux Security Update for grub2 (SUSE-SU-2023:0880-1)

    Severity
    Critical4
    Qualys ID
    753844
    Date Published
    March 27, 2023
    Vendor Reference
    SUSE-SU-2023:0880-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP2|SUSE Linux Enterprise Server for SAP Applications 15 SP2
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0880-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0880-1
  • QID: 753843
    Recently Published

    SUSE Enterprise Linux Security Update for grub2 (SUSE-SU-2023:0881-1)

    Severity
    Critical4
    Qualys ID
    753843
    Date Published
    March 27, 2023
    Vendor Reference
    SUSE-SU-2023:0881-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP1|SUSE Linux Enterprise Server for SAP Applications 15 SP1
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0881-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0881-1
  • QID: 753842
    Recently Published

    SUSE Enterprise Linux Security Update for grub2 (SUSE-SU-2023:0882-1)

    Severity
    Critical4
    Qualys ID
    753842
    Date Published
    March 27, 2023
    Vendor Reference
    SUSE-SU-2023:0882-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 12 SP5|SUSE Linux Enterprise Server for SAP Applications 12 SP5
    SUSE Linux Enterprise Server 12 SP5
    SUSE Linux Enterprise Server 12 SP4|SUSE Linux Enterprise Server for SAP Applications 12 SP4
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0882-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0882-1
  • CVE-2023-0464
    QID: 691099
    In Development

    Free Berkeley Software Distribution (FreeBSD) Security Update for Open Secure Sockets Layer (OpenSSL) (1ba034fb-ca38-11ed-b242-d4c9ef517024)

    Severity
    Critical4
    Qualys ID
    691099
    Vendor Reference
    1ba034fb-ca38-11ed-b242-d4c9ef517024
    CVE Reference
    CVE-2023-0464
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    FreeBSD has released a security update for openssl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory 1ba034fb-ca38-11ed-b242-d4c9ef517024 for updates and patch information.
    Patches
    "FreeBSD" 1ba034fb-ca38-11ed-b242-d4c9ef517024
  • CVE-2023-27539
    QID: 691098
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for rack (2fdb053c-ca25-11ed-9d7e-080027f5fec9)

    Severity
    Critical4
    Qualys ID
    691098
    Date Published
    March 27, 2023
    Vendor Reference
    2fdb053c-ca25-11ed-9d7e-080027f5fec9
    CVE Reference
    CVE-2023-27539
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    FreeBSD has released a security update for rack to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory 2fdb053c-ca25-11ed-9d7e-080027f5fec9 for updates and patch information.
    Patches
    "FreeBSD" 2fdb053c-ca25-11ed-9d7e-080027f5fec9
  • CVE-2023-28686
    QID: 691097
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for dino (dec6b8e9-c9fe-11ed-bb39-901b0e9408dc)

    Severity
    Critical4
    Qualys ID
    691097
    Date Published
    March 27, 2023
    Vendor Reference
    dec6b8e9-c9fe-11ed-bb39-901b0e9408dc
    CVE Reference
    CVE-2023-28686
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    FreeBSD has released a security update for dino to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory dec6b8e9-c9fe-11ed-bb39-901b0e9408dc for updates and patch information.
    Patches
    "FreeBSD" dec6b8e9-c9fe-11ed-bb39-901b0e9408dc
  • QID: 691090
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for phpmyadmin (72583cb3-a7f9-11ed-bd9e-589cfc0f81b0)

    Severity
    Critical4
    Qualys ID
    691090
    Date Published
    March 27, 2023
    Vendor Reference
    72583cb3-a7f9-11ed-bd9e-589cfc0f81b0
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    FreeBSD has released a security update for phpmyadmin to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory 72583cb3-a7f9-11ed-bd9e-589cfc0f81b0 for updates and patch information.
    Patches
    "FreeBSD" 72583cb3-a7f9-11ed-bd9e-589cfc0f81b0
  • CVE-2023-27538+
    QID: 691088
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for curl (0d7d104c-c6fb-11ed-8a4b-080027f5fec9)

    Severity
    Critical4
    Qualys ID
    691088
    Date Published
    March 27, 2023
    Vendor Reference
    0d7d104c-c6fb-11ed-8a4b-080027f5fec9
    CVE Reference
    CVE-2023-27538, CVE-2023-27535, CVE-2023-27534, CVE-2023-27536, CVE-2023-27537, CVE-2023-27533
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    FreeBSD has released a security update for curl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory 0d7d104c-c6fb-11ed-8a4b-080027f5fec9 for updates and patch information.
    Patches
    "FreeBSD" 0d7d104c-c6fb-11ed-8a4b-080027f5fec9
  • CVE-2023-25751+
    QID: 241289
    Recently Published

    Red Hat Update for firefox (RHSA-2023:1444)

    Severity
    Critical4
    Qualys ID
    241289
    Date Published
    March 27, 2023
    Vendor Reference
    RHSA-2023:1444
    CVE Reference
    CVE-2023-25751, CVE-2023-25752, CVE-2023-28162, CVE-2023-28164, CVE-2023-28176
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla firefox is an open-source web browser, designed for standards compliance, performance, and portability...Security Fix(es):
      mozilla: incorrect code generation during jit compilation (cve-2023-25751).
      Mozilla: memory safety bugs fixed in firefox 111 and firefox esr 102.9 (cve-2023-28176).
      Mozilla: potential out-of-bounds when accessing throttled streams (cve-2023-25752).
      Mozilla: invalid downcast in worklets (cve-2023-28162).
      Mozilla: url being dragged from a removed cross-origin iframe into the same tab triggered navigation (cve-2023-28164).
    Affected Products:
      Red Hat enterprise linux for x86_64 - extended update support 8.4 x86_64.
      Red hat enterprise linux server - aus 8.4 x86_64.
      Red hat enterprise linux for ibm z systems - extended update support 8.4 s390x.
      Red hat enterprise linux for power, little endian - extended update support 8.4 ppc64le.
      Red hat enterprise linux server - tus 8.4 x86_64.
      Red hat enterprise linux for arm 64 - extended update support 8.4 aarch64.
      Red hat enterprise linux server for power le - update services for sap solutions 8.4 ppc64le.
      Red hat enterprise linux for x86_64 - update services for sap solutions 8.4 x86_64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1444 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1444
  • CVE-2022-3564+
    QID: 241290
    Recently Published

    Red Hat Update for kpatch-patch (RHSA-2023:1435)

    Severity
    Critical4
    Qualys ID
    241290
    Date Published
    March 27, 2023
    Vendor Reference
    RHSA-2023:1435
    CVE Reference
    CVE-2022-3564, CVE-2022-4378, CVE-2022-4379, CVE-2023-0179, CVE-2023-0266
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This is a kernel live patch module which is automatically loaded by the rpm post-install script to modify the code of a running kernel...Security Fix(es):
      kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c (cve-2022-3564).
      Kernel: stack overflow in do_proc_dointvec and proc_skip_spaces (cve-2022-4378).
      Kernel: use-after-free in __nfs42_ssc_open() in fs/nfs/nfs4file.c leading to remote denial of service attack (cve-2022-4379).
      Kernel: netfilter integer overflow vulnerability in nft_payload_copy_vlan (cve-2023-0179).
      Alsa: pcm: move rwsem lock inside snd_ctl_elem_read to prevent uaf (cve-2023-0266).
    Affected Products:
      Red Hat enterprise linux for x86_64 - extended update support 9.0 x86_64.
      Red hat enterprise linux for power, little endian - extended update support 9.0 ppc64le.
      Red hat enterprise linux server for power le - update services for sap solutions 9.0 ppc64le.
      Red hat enterprise linux for x86_64 - update services for sap solutions 9.0 x86_64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1435 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1435
  • CVE-2021-45910+
    QID: 199252
    Recently Published

    Ubuntu Security Notification for gif2apng Vulnerabilities (USN-5969-1)

    Severity
    Critical4
    Qualys ID
    199252
    Date Published
    March 27, 2023
    Vendor Reference
    USN-5969-1
    CVE Reference
    CVE-2021-45910, CVE-2021-45909, CVE-2021-45911
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Ubuntu has released a security update for gif2apng to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5969-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5969-1
  • CVE-2023-0215+
    QID: 940962
    Recently Published

    AlmaLinux Security Update for Open Secure Sockets Layer (OpenSSL) (ALSA-2023:1405)

    Severity
    Critical4
    Qualys ID
    940962
    Date Published
    March 27, 2023
    Vendor Reference
    ALSA-2023:1405
    CVE Reference
    CVE-2023-0215, CVE-2022-4304, CVE-2022-4450, CVE-2023-0286
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    AlmaLinux has released a security update for openssl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2023:1405 for updates and patch information.
    Patches
    AlmaLinux ALSA-2023:1405
  • CVE-2023-27900+
    QID: 691093
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for jenkins (f68bb358-be8e-11ed-9215-00e081b7aa2d)

    Severity
    Critical4
    Qualys ID
    691093
    Date Published
    March 27, 2023
    Vendor Reference
    f68bb358-be8e-11ed-9215-00e081b7aa2d
    CVE Reference
    CVE-2023-27900, CVE-2023-27903, CVE-2023-27898, CVE-2023-27901, CVE-2023-24998, CVE-2023-27902, CVE-2023-27904
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    FreeBSD has released a security update for jenkins to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory f68bb358-be8e-11ed-9215-00e081b7aa2d for updates and patch information.
    Patches
    "FreeBSD" f68bb358-be8e-11ed-9215-00e081b7aa2d
  • CVE-2022-3996+
    QID: 330133
    In Development

    IBM Advanced Interactive eXecutive (AIX) Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (openssl_advisory38)

    Severity
    Critical4
    Qualys ID
    330133
    Vendor Reference
    openssl_advisory38
    CVE Reference
    CVE-2022-3996, CVE-2023-0401, CVE-2022-4304, CVE-2022-4203, CVE-2023-0216, CVE-2023-0215, CVE-2023-0217, CVE-2023-0286, CVE-2022-4450
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    A vulnerability in OpenSSL cause a denial service (CVE-2022-3996, CVE-2023-0401, CVE-2022-4203, CVE-2023-0216, CVE-2023-0215, CVE-2023-0217, CVE-2023-0286, CVE-2022-4450) or obtain sensitive information (CVE-2022-4304).OpenSSL is used by AIX as part of AIX's secure network communications

    Affected Platform:
    AIX 7.1, 7.2, 7.3
    QID Detection Logic (Authenticated):
    The detection checks for installed packages version via command lslpp -L | grep -i openssl.base. It also checks for interim fixes installed The detection posts vulnerable if installed package version is less than patched version and interim fixes are also not installed.

    Consequence
    A vulnerability in OpenSSL cause denial of service and information disclosure

    Solution
    The vendor has released fixes to openssl_advisory38 this vulnerability.
    Patches
    openssl_advisory38
  • CVE-2022-3064+
    QID: 283816
    Recently Published

    Fedora Security Update for gmailctl (FEDORA-2023-abb47e24d8)

    Severity
    Critical4
    Qualys ID
    283816
    Date Published
    March 27, 2023
    Vendor Reference
    FEDORA-2023-abb47e24d8
    CVE Reference
    CVE-2022-3064, CVE-2022-41717, CVE-2022-41723
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for gmailctl to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2023-abb47e24d8
  • CVE-2022-3064+
    QID: 283815
    Recently Published

    Fedora Security Update for gmailctl (FEDORA-2023-ca444fdecf)

    Severity
    Critical4
    Qualys ID
    283815
    Date Published
    March 27, 2023
    Vendor Reference
    FEDORA-2023-ca444fdecf
    CVE Reference
    CVE-2022-3064, CVE-2022-41717, CVE-2022-41723
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for gmailctl to fix the vulnerabilities.

    Affected OS:
    Fedora 37


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 37 for updates and patch information.
    Patches
    Fedora 37 FEDORA-2023-ca444fdecf
  • CVE-2023-0286
    QID: 241292
    Recently Published

    Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2023:1441)

    Severity
    Critical4
    Qualys ID
    241292
    Date Published
    March 27, 2023
    Vendor Reference
    RHSA-2023:1441
    CVE Reference
    CVE-2023-0286
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    Openssl is a toolkit that implements the secure sockets layer (ssl) and transport layer security (tls) protocols, as well as a full-strength general-purpose cryptography library...Security Fix(es):
      openssl: x.400 address type confusion in x.509 generalname (cve-2023-0286).
    Affected Products:
      Red Hat enterprise linux for x86_64 - extended update support 8.6 x86_64.
      Red hat enterprise linux server - aus 8.6 x86_64.
      Red hat enterprise linux for ibm z systems - extended update support 8.6 s390x.
      Red hat enterprise linux for power, little endian - extended update support 8.6 ppc64le.
      Red hat enterprise linux server - tus 8.6 x86_64.
      Red hat enterprise linux for arm 64 - extended update support 8.6 aarch64.
      Red hat enterprise linux server for power le - update services for sap solutions 8.6 ppc64le.
      Red hat enterprise linux for x86_64 - update services for sap solutions 8.6 x86_64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1441 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1441
  • CVE-2023-0286
    QID: 241291
    Recently Published

    Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2023:1440)

    Severity
    Critical4
    Qualys ID
    241291
    Date Published
    March 27, 2023
    Vendor Reference
    RHSA-2023:1440
    CVE Reference
    CVE-2023-0286
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    Openssl is a toolkit that implements the secure sockets layer (ssl) and transport layer security (tls) protocols, as well as a full-strength general-purpose cryptography library...Security Fix(es):
      openssl: x.400 address type confusion in x.509 generalname (cve-2023-0286).
    Affected Products:
      Red Hat enterprise linux for x86_64 - extended update support 8.4 x86_64.
      Red hat enterprise linux server - aus 8.4 x86_64.
      Red hat enterprise linux for ibm z systems - extended update support 8.4 s390x.
      Red hat enterprise linux for power, little endian - extended update support 8.4 ppc64le.
      Red hat enterprise linux server - tus 8.4 x86_64.
      Red hat enterprise linux for arm 64 - extended update support 8.4 aarch64.
      Red hat enterprise linux server for power le - update services for sap solutions 8.4 ppc64le.
      Red hat enterprise linux for x86_64 - update services for sap solutions 8.4 x86_64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1440 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1440
  • CVE-2023-20081
    QID: 317315
    In Development

    Cisco Internetwork Operating System (IOS) and Internetwork Operating System (IOS) XE Software Internet Protocol (IPv6) DHCP (DHCPv6) Client Denial of Service (DoS) Vulnerability (cisco-sa-asaftdios-dhcpv6-cli-Zf3zTv)

    Severity
    Serious3
    Qualys ID
    317315
    Vendor Reference
    cisco-sa-asaftdios-dhcpv6-cli-Zf3zTv
    CVE Reference
    CVE-2023-20081
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    A vulnerability in the IPv6 DHCP (DHCPv6) client module of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

    Affected Products:
    Cisco IOS and IOS XE Software

    NOTE:
    This vulnerability affects those devices that are having at least one interface with both IPv6 enabled and the DHCPv6 client feature enabled.

    QID Detection Logic (Authenticated):
    The check matches Cisco IOS and IOS XE version retrieved via Unix Auth using "show version" command.
    QID Detection Logic (Unauthenticated):
    The check matches Cisco IOS and IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.

    Consequence
    Successful exploitation of this vulnerability may allow an unauthenticated remote attacker to cause the device to reload, resulting in a DoS condition.
    Solution

    Customers are advised to refer to cisco-sa-asaftdios-dhcpv6-cli-Zf3zTv for more information.

    Patches
    cisco-sa-asaftdios-dhcpv6-cli-Zf3zTv
  • CVE-2022-4144
    QID: 753841
    In Development

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2023:0877-1)

    Severity
    Serious3
    Qualys ID
    753841
    Vendor Reference
    SUSE-SU-2023:0877-1
    CVE Reference
    CVE-2022-4144
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    SUSE has released a security update for qemu to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP1|SUSE Linux Enterprise Server for SAP Applications 15 SP1
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0877-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0877-1
  • CVE-2021-3507+
    QID: 753840
    In Development

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2023:0878-1)

    Severity
    Serious3
    Qualys ID
    753840
    Vendor Reference
    SUSE-SU-2023:0878-1
    CVE Reference
    CVE-2021-3507, CVE-2022-4144
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    SUSE has released a security update for qemu to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP2|SUSE Linux Enterprise Server for SAP Applications 15 SP2
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0878-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0878-1
  • CVE-2023-28436
    QID: 691096
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for tailscale (1b15a554-c981-11ed-bb39-901b0e9408dc)

    Severity
    Serious3
    Qualys ID
    691096
    Date Published
    March 27, 2023
    Vendor Reference
    1b15a554-c981-11ed-bb39-901b0e9408dc
    CVE Reference
    CVE-2023-28436
    CVSS Scores
    Base 5.7 / Temporal 5
    Description
    FreeBSD has released a security update for tailscale to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory 1b15a554-c981-11ed-bb39-901b0e9408dc for updates and patch information.
    Patches
    "FreeBSD" 1b15a554-c981-11ed-bb39-901b0e9408dc
  • CVE-2023-28425
    QID: 691089
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for redis (a60cc0e4-c7aa-11ed-8a4b-080027f5fec9)

    Severity
    Serious3
    Qualys ID
    691089
    Date Published
    March 27, 2023
    Vendor Reference
    a60cc0e4-c7aa-11ed-8a4b-080027f5fec9
    CVE Reference
    CVE-2023-28425
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    FreeBSD has released a security update for redis to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory a60cc0e4-c7aa-11ed-8a4b-080027f5fec9 for updates and patch information.
    Patches
    "FreeBSD" a60cc0e4-c7aa-11ed-8a4b-080027f5fec9
  • CVE-2023-26283
    QID: 378127
    In Development

    IBM WebSphere Application Server Cross-Site Scripting (XSS) Vulnerability (6964836)

    Severity
    Serious3
    Qualys ID
    378127
    Vendor Reference
    6964836
    CVE Reference
    CVE-2023-26283
    CVSS Scores
    Base 5.4 / Temporal 4.7
    Description
    IBM WebSphere Application Server is vulnerable to cross-site scripting.

    Affected Versions:
    WebSphere Application Server Version 9.0.0.0 through 9.0.5.14

    QID Detection Logic:(Authenticated)
    It reads the fix xml file and WebSphereApplicationServer.properties to detect the vulnerable version and also checks for fix pack version.

    Consequence
    This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
    Solution
    Upgrade to minimal fix pack levels6964836 or Apply Fix Pack 9.0.58 or later for 9.0 versions and 8.5.5.19 or later for 8.5 versions.
    Patches
    6964836
  • CVE-2023-28708
    QID: 150662
    In Development

    Apache Tomcat Information Disclosure Vulnerability (CVE-2023-28708)

    Severity
    Serious3
    Qualys ID
    150662
    Vendor Reference
    Apache Tomcat
    CVE Reference
    CVE-2023-28708
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    Tomcat's RemoteIpFilter, when used with HTTP requests received from a reverse proxy that includes the X-Forwarded-Proto header set to https, may cause session cookies created by Tomcat to be transmitted over an insecure channel if the secure attribute is not included in the cookies. This could potentially expose sensitive user data to attackers.

    Affected Versions:
    Apache Tomcat 11.0.0-M1 to 11.0.0-M2
    Apache Tomcat 10.1.0-M1 to 10.1.5
    Apache Tomcat 9.0.0-M1 to 9.0.71
    Apache Tomcat 8.5.0 to 8.5.85

    QID Detection Logic (Unauthenticated):
    This QID sends a HTTP GET request to a invalid URL and based on the response confirms the vulnerable instance of Apache Tomcat running on the host.

    Consequence
    Insecure transmission of session cookies could potentially expose sensitive user data to attackers.

    Solution
    To address this vulnerability, it is recommended that customers upgrade to one of the following versions of Apache Tomcat: 11.0.0-M3, 10.1.6, 9.0.72, or 8.5.86, or install a newer version. For additional information, please refer to the Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2021-33640
    QID: 672854
    Recently Published

    EulerOS Security Update for libtar (EulerOS-SA-2023-1585)

    Severity
    Urgent5
    Qualys ID
    672854
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1585
    CVE Reference
    CVE-2021-33640
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    EulerOS has released a security update(s) for libtar to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1585 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1585
  • CVE-2021-33640
    QID: 672850
    Recently Published

    EulerOS Security Update for libtar (EulerOS-SA-2023-1575)

    Severity
    Urgent5
    Qualys ID
    672850
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1575
    CVE Reference
    CVE-2021-33640
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    EulerOS has released a security update(s) for libtar to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1575 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1575
  • CVE-2022-3520+
    QID: 672847
    Recently Published

    EulerOS Security Update for vim (EulerOS-SA-2023-1589)

    Severity
    Urgent5
    Qualys ID
    672847
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1589
    CVE Reference
    CVE-2022-3520, CVE-2022-4292, CVE-2022-4141, CVE-2022-4293
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    EulerOS has released a security update(s) for vim to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1589 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1589
  • CVE-2022-3520+
    QID: 672837
    Recently Published

    EulerOS Security Update for vim (EulerOS-SA-2023-1579)

    Severity
    Urgent5
    Qualys ID
    672837
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1579
    CVE Reference
    CVE-2022-3520, CVE-2022-4292, CVE-2022-4141, CVE-2022-4293
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    EulerOS has released a security update(s) for vim to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1579 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1579
  • CVE-2022-37437
    QID: 378125
    Recently Published

    Splunk Enterprise Security Update (SVD-2022-0801)

    Severity
    Urgent5
    Qualys ID
    378125
    Date Published
    March 27, 2023
    Vendor Reference
    SVD-2022-0801
    CVE Reference
    CVE-2022-37437
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Splunk Enterprise captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.

    Affected Splunk Enterprise versions inject risky search commands into a form token when the token is used in a query in a cross-origin request.

    Affected Versions:
    Splunk versions from 9.0.0 prior to 9.0.1
    NOTE:

    QID Detection Logic(Authenticated)
    Linux: Checks for installed vulnerable version of Splunk Enterprise from "/etc/splunk.version" file either in "/opt/splunk" directory or using "$SPLUNK_HOME" environment variable.
    Windows: Checks for installed vulnerable version of Splunk from "/etc/splunk.version" file using registry "HKLM\SYSTEM\CurrentControlSet\Services\Splunkd".

    Consequence
    Successful exploitation of this vulnerability may affect the confidentiality and integrity of the targeted user.
    Solution
    Vendor has released updated versions to fix these vulnerabilities. Please refer SVD-2022-0801 for more details.

    Patches
    SVD-2022-0801
  • CVE-2023-1350
    QID: 283813
    Recently Published

    Fedora Security Update for liferea (FEDORA-2023-f0ee64e7ec)

    Severity
    Urgent5
    Qualys ID
    283813
    Date Published
    March 27, 2023
    Vendor Reference
    FEDORA-2023-f0ee64e7ec
    CVE Reference
    CVE-2023-1350
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for liferea to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2023-f0ee64e7ec
  • CVE-2023-1350
    QID: 283812
    Recently Published

    Fedora Security Update for liferea (FEDORA-2023-1ba7a77530)

    Severity
    Urgent5
    Qualys ID
    283812
    Date Published
    March 27, 2023
    Vendor Reference
    FEDORA-2023-1ba7a77530
    CVE Reference
    CVE-2023-1350
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for liferea to fix the vulnerabilities.

    Affected OS:
    Fedora 37


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 37 for updates and patch information.
    Patches
    Fedora 37 FEDORA-2023-1ba7a77530
  • CVE-2023-27586
    QID: 283811
    Recently Published

    Fedora Security Update for python (FEDORA-2023-ab86bdbce6)

    Severity
    Urgent5
    Qualys ID
    283811
    Date Published
    March 27, 2023
    Vendor Reference
    FEDORA-2023-ab86bdbce6
    CVE Reference
    CVE-2023-27586
    CVSS Scores
    Base 7.1 / Temporal 6.2
    Description
    Fedora has released a security update for python to fix the vulnerabilities.

    Affected OS:
    Fedora 37


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 37 for updates and patch information.
    Patches
    Fedora 37 FEDORA-2023-ab86bdbce6
  • CVE-2022-4603
    QID: 672844
    Recently Published

    EulerOS Security Update for ppp (EulerOS-SA-2023-1586)

    Severity
    Critical4
    Qualys ID
    672844
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1586
    CVE Reference
    CVE-2022-4603
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    EulerOS has released a security update(s) for ppp to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1586 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1586
  • CVE-2022-4603
    QID: 672835
    Recently Published

    EulerOS Security Update for ppp (EulerOS-SA-2023-1576)

    Severity
    Critical4
    Qualys ID
    672835
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1576
    CVE Reference
    CVE-2022-4603
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    EulerOS has released a security update(s) for ppp to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1576 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1576
  • CVE-2022-42310+
    QID: 390275
    Recently Published

    Oracle Managed Virtualization (VM) Server for x86 Security Update for xen (OVMSA-2023-0005)

    Severity
    Critical4
    Qualys ID
    390275
    Date Published
    March 27, 2023
    Vendor Reference
    OVMSA-2023-0005
    CVE Reference
    CVE-2022-42310, CVE-2022-42315, CVE-2022-42325, CVE-2022-42326, CVE-2022-42321, CVE-2022-42322, CVE-2022-42318, CVE-2022-42311, CVE-2022-42323, CVE-2022-42316, CVE-2022-42320, CVE-2022-42312, CVE-2022-42309, CVE-2022-42313, CVE-2022-42317, CVE-2022-42314, CVE-2022-42319
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Oracle VM Server for x86 has released a security update for xen to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Oracle VM Server security advisory OVMSA-2023-0005 for updates and patch information.
    Patches
    Oracle VM Server OVMSA-2023-0005
  • CVE-2022-45183+
    QID: 378126
    In Development

    PowerShell Universal Multiple Vulnerabilities

    Severity
    Critical4
    Qualys ID
    378126
    Vendor Reference
    psu-2022-11-cve
    CVE Reference
    CVE-2022-45183, CVE-2022-45184
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    PowerShell Universal is a platform for providing non-technical users access to scripts and tools developed by your team.

    Affected versions:
    PowerShell Universal v2.0.0-v2.12.5
    PowerShell Universal v3.0.0-v3.4.6
    PowerShell Universal v3.5.0-v3.5.2
    QID Detection Logic (Authenticated)
    This QID checks for vulnerable versions of PowerShell Universal via Registry.

    Consequence
    It allows an attacker with a valid app token to retrieve other app tokens.

    Solution
    For more information regarding the update psu-2022-11-cve
    Patches
    psu-2022-11-cve
  • CVE-2023-20027
    QID: 317308
    Recently Published

    Cisco Internetwork Operating System (IOS) XE Software Virtual Fragmentation Reassembly Denial of Service (DoS) Vulnerability (cisco-sa-ipv4-vfr-dos-CXxtFacb)

    Severity
    Critical4
    Qualys ID
    317308
    Date Published
    March 27, 2023
    Vendor Reference
    cisco-sa-ipv4-vfr-dos-CXxtFacb
    CVE Reference
    CVE-2023-20027
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    A vulnerability in the implementation of the IPv4 Virtual Fragmentation Reassembly (VFR) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

    Affected Releases

    1000 Series Integrated Services Routers
    4000 Series Integrated Services Routers
    Catalyst 8000V Edge Software Routers
    Catalyst 8200 Series Edge Platforms
    Catalyst 8300 Series Edge Platforms
    Catalyst 8500L Series Edge Platforms
    Cloud Services Router 1000V Series

    QID Detection Logic (Authenticated):
    The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
    QID Detection Logic (Unauthenticated):
    The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.

    Consequence
    A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    Solution

    Customers are advised to refer to cisco-sa-ipv4-vfr-dos-CXxtFacb for more information.

    Patches
    cisco-sa-ipv4-vfr-dos-CXxtFacb
  • CVE-2023-20080
    QID: 317305
    In Development

    Cisco Internetwork Operating System (IOS) and IOS XE Software Internet Protocol (IPv6) DHCP (DHCPv6) Relay and Server Denial of Service (DoS) Vulnerability (cisco-sa-ios-dhcpv6-dos-44cMvdDK)

    Severity
    Critical4
    Qualys ID
    317305
    Vendor Reference
    cisco-sa-ios-dhcpv6-dos-44cMvdDK
    CVE Reference
    CVE-2023-20080
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    A vulnerability in the IPv6 DHCP version 6 (DHCPv6) relay and server features of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition.

    Affected Products
    This vulnerability affects Cisco devices if they are running a vulnerable release of Cisco IOS or IOS XE Software and have IPv6 and the DHCPv6 relay or server feature enabled. IPv6 and DHCPv6 are disabled in Cisco IOS and IOS XE Software by default.
    QID Detection Logic (Authenticated): The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command. QID Detection Logic (Unauthenticated): The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.

    Consequence
    A successful exploit could allow the attacker to cause the device to reload unexpectedly.

    Solution

    Customers are advised to refer to cisco-sa-ios-dhcpv6-dos-44cMvdDK for more information.

    Patches
    cisco-sa-ios-dhcpv6-dos-44cMvdDK
  • CVE-2023-20072
    QID: 317304
    In Development

    Cisco Internetwork Operating System (IOS) XE Software Fragmented Tunnel Protocol Packet Denial of Service (DoS) Vulnerability (cisco-sa-ios-gre-crash-p6nE5Sq5)

    Severity
    Critical4
    Qualys ID
    317304
    Vendor Reference
    cisco-sa-ios-gre-crash-p6nE5Sq5
    CVE Reference
    CVE-2023-20072
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    A vulnerability in the fragmentation handling code of tunnel protocol packets in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected system to reload, resulting in a denial of service (DoS) condition.

    Affected Releases

    Cisco IOS XE Software releases 17.9.1, 17.9.1a, or 17.9.1w and have a tunnel interface configured.

    QID Detection Logic (Authenticated):
    The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
    QID Detection Logic (Unauthenticated):
    The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.

    Consequence
    A successful exploit could allow the attacker to cause the affected system to reload, resulting in a DoS condition.

    Solution

    Customers are advised to refer to cisco-sa-ios-gre-crash-p6nE5Sq5 for more information.

    Patches
    cisco-sa-ios-gre-crash-p6nE5Sq5
  • QID: 283810
    Recently Published

    Fedora Security Update for firefox (FEDORA-2023-fd5e1c279d)

    Severity
    Critical4
    Qualys ID
    283810
    Date Published
    March 27, 2023
    Vendor Reference
    FEDORA-2023-fd5e1c279d
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for firefox to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2023-fd5e1c279d
  • CVE-2022-45939
    QID: 672852
    Recently Published

    EulerOS Security Update for emacs (EulerOS-SA-2023-1572)

    Severity
    Critical4
    Qualys ID
    672852
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1572
    CVE Reference
    CVE-2022-45939
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    EulerOS has released a security update(s) for emacs to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1572 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1572
  • CVE-2022-3903+
    QID: 672851
    Recently Published

    EulerOS Security Update for kernel (EulerOS-SA-2023-1574)

    Severity
    Critical4
    Qualys ID
    672851
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1574
    CVE Reference
    CVE-2022-3903, CVE-2022-20572, CVE-2022-4378, CVE-2022-3114
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    EulerOS has released a security update(s) for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1574 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1574
  • CVE-2022-45939
    QID: 672846
    Recently Published

    EulerOS Security Update for emacs (EulerOS-SA-2023-1582)

    Severity
    Critical4
    Qualys ID
    672846
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1582
    CVE Reference
    CVE-2022-45939
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    EulerOS has released a security update(s) for emacs to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1582 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1582
  • CVE-2022-3903+
    QID: 672838
    Recently Published

    EulerOS Security Update for kernel (EulerOS-SA-2023-1584)

    Severity
    Critical4
    Qualys ID
    672838
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1584
    CVE Reference
    CVE-2022-3903, CVE-2022-20572, CVE-2022-4378, CVE-2022-3114
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    EulerOS has released a security update(s) for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1584 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1584
  • CVE-2023-20035
    QID: 317311
    Recently Published

    Cisco Internetwork Operating System (IOS) XE SD-WAN Software Command Injection Vulnerability (cisco-sa-ios-xe-sdwan-VQAhEjYw)

    Severity
    Critical4
    Qualys ID
    317311
    Date Published
    March 27, 2023
    Vendor Reference
    cisco-sa-ios-xe-sdwan-VQAhEjYw
    CVE Reference
    CVE-2023-20035
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    A vulnerability in the CLI of Cisco IOS XE SD WAN Software could allow an authenticated, local attacker to execute arbitrary commands with elevated privileges.

    Affected Products:
    This vulnerability affects the following Cisco products if they are running a vulnerable release of universal Cisco IOS XE Software in controller mode or a vulnerable release of standalone Cisco IOS XE SD WAN Software:
    1000 Series Integrated Services Routers (ISR)
    4000 Series ISR
    ASR 1000 Series Aggregation Services Routers
    Catalyst 8000 Edge Platforms Family
    Cloud Services Router (CSR) 1000V Series
    Note: The standalone Cisco IOS XE SD-WAN Software release images are separate from the universal Cisco IOS XE Software release images.

    QID Detection Logic (Authenticated):
    The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
    QID Detection Logic (Unauthenticated):
    The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.

    Consequence
    A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.

    Solution

    Customers are advised to refer to cisco-sa-ios-xe-sdwan-VQAhEjYw for more information.

    Patches
    cisco-sa-ios-xe-sdwan-VQAhEjYw
  • CVE-2023-20065
    QID: 317309
    Recently Published

    Cisco Internetwork Operating System (IOS) XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability (cisco-sa-iox-priv-escalate-Xg8zkyPk)

    Severity
    Critical4
    Qualys ID
    317309
    Date Published
    March 27, 2023
    Vendor Reference
    cisco-sa-iox-priv-escalate-Xg8zkyPk
    CVE Reference
    CVE-2023-20065
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    A vulnerability in the Cisco IOx application hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device.

    Affected Products:
    Cisco products if they are running a vulnerable release of Cisco IOS XE Software, they have the Cisco IOx application hosting feature configured, and the hosted application is running.

    QID Detection Logic (Authenticated):
    The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
    QID Detection Logic (Unauthenticated):
    The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.

    Consequence
    A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.

    Solution

    Customers are advised to refer to cisco-sa-iox-priv-escalate-Xg8zkyPk for more information.

    Patches
    cisco-sa-iox-priv-escalate-Xg8zkyPk
  • CVE-2022-48303
    QID: 283809
    Recently Published

    Fedora Security Update for tar (FEDORA-2023-123778d70d)

    Severity
    Critical4
    Qualys ID
    283809
    Date Published
    March 27, 2023
    Vendor Reference
    FEDORA-2023-123778d70d
    CVE Reference
    CVE-2022-48303
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for tar to fix the vulnerabilities.

    Affected OS:
    Fedora 37


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 37 for updates and patch information.
    Patches
    Fedora 37 FEDORA-2023-123778d70d
  • CVE-2015-20107
    QID: 672853
    Recently Published

    EulerOS Security Update for python3 (EulerOS-SA-2023-1577)

    Severity
    Critical4
    Qualys ID
    672853
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1577
    CVE Reference
    CVE-2015-20107
    CVSS Scores
    Base 7.6 / Temporal 6.6
    Description
    EulerOS has released a security update(s) for python3 to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1577 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1577
  • CVE-2015-20107
    QID: 672843
    Recently Published

    EulerOS Security Update for python3 (EulerOS-SA-2023-1587)

    Severity
    Critical4
    Qualys ID
    672843
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1587
    CVE Reference
    CVE-2015-20107
    CVSS Scores
    Base 7.6 / Temporal 6.6
    Description
    EulerOS has released a security update(s) for python3 to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1587 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1587
  • CVE-2022-43551+
    QID: 672845
    Recently Published

    EulerOS Security Update for curl (EulerOS-SA-2023-1581)

    Severity
    Critical4
    Qualys ID
    672845
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1581
    CVE Reference
    CVE-2022-43551, CVE-2022-43552
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    EulerOS has released a security update(s) for curl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1581 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1581
  • CVE-2022-43551+
    QID: 672836
    Recently Published

    EulerOS Security Update for curl (EulerOS-SA-2023-1571)

    Severity
    Critical4
    Qualys ID
    672836
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1571
    CVE Reference
    CVE-2022-43551, CVE-2022-43552
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    EulerOS has released a security update(s) for curl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1571 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1571
  • CVE-2023-20067
    QID: 317306
    Recently Published

    Cisco Internetwork Operating System (IOS) XE Software for Wireless LAN Controllers Hypertext Transfer Protocol (HTTP) Client Profiling Denial of Service (DoS) Vulnerability (cisco-sa-ewlc-dos-wFujBHKw)

    Severity
    Critical4
    Qualys ID
    317306
    Date Published
    March 27, 2023
    Vendor Reference
    cisco-sa-ewlc-dos-wFujBHKw
    CVE Reference
    CVE-2023-20067
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    A vulnerability in the HTTP-based client profiling feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.

    Affected Releases

    This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS XE Software for WLCs and have the HTTP-based client profiling feature configured. Client profiling is not enabled by default.
    Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches
    Catalyst 9800 Series Wireless Controllers
    Catalyst 9800-CL Wireless Controllers for Cloud
    Embedded Wireless Controllers on Catalyst Access Points

    QID Detection Logic (Authenticated):
    The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
    QID Detection Logic (Unauthenticated):
    The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
    Note: This QID does not check for workaround, hence kept as practice

    Consequence
    A successful exploit could allow the attacker to cause CPU utilization to increase, which could result in a DoS condition on an affected device and could cause new wireless client associations to fail.

    Solution

    Customers are advised to refer to cisco-sa-ewlc-dos-wFujBHKw for more information.

    Patches
    cisco-sa-ewlc-dos-wFujBHKw
  • CVE-2022-46908
    QID: 672849
    Recently Published

    EulerOS Security Update for sqlite (EulerOS-SA-2023-1588)

    Severity
    Critical4
    Qualys ID
    672849
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1588
    CVE Reference
    CVE-2022-46908
    CVSS Scores
    Base 7.3 / Temporal 6.4
    Description
    EulerOS has released a security update(s) for sqlite to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1588 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1588
  • CVE-2022-46908
    QID: 672848
    Recently Published

    EulerOS Security Update for sqlite (EulerOS-SA-2023-1578)

    Severity
    Critical4
    Qualys ID
    672848
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1578
    CVE Reference
    CVE-2022-46908
    CVSS Scores
    Base 7.3 / Temporal 6.4
    Description
    EulerOS has released a security update(s) for sqlite to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1578 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1578
  • CVE-2023-20082
    QID: 317307
    In Development

    Cisco Internetwork Operating System (IOS XE) Software Secure Boot Bypass Vulnerability (cisco-sa-c9300-spi-ace-yejYgnNQ)

    Severity
    Critical4
    Qualys ID
    317307
    Vendor Reference
    cisco-sa-c9300-spi-ace-yejYgnNQ
    CVE Reference
    CVE-2023-20082
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    A vulnerability in Cisco IOS XE Software for Cisco Catalyst 9300 Series Switches could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to the device to execute persistent code at boot time and break the chain of trust.

    Affected Releases

    This vulnerability affects Cisco Catalyst 9300 Series Switches if they are running Cisco IOS XE Software with a release of Cisco IOS XE ROM Monitor (ROMMON) that is earlier than Release 17.3.7r, Release 17.6.5r, or Release 17.8.1r.

    QID Detection Logic (Authenticated):
    The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
    QID Detection Logic (Unauthenticated):
    The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.

    Consequence
    A successful exploit could allow the attacker to execute persistent code on the underlying operating system.

    Solution

    Customers are advised to refer to cisco-sa-VU855201-J3z8CKTX for more information.

    Patches
    cisco-sa-c9300-spi-ace-yejYgnNQ
  • CVE-2023-20100
    QID: 317312
    Recently Published

    Cisco Internetwork Operating System (IOS) XE Software for Wireless LAN Controllers CAPWAP Join Denial of Service (DoS) Vulnerability (cisco-sa-c9800-apjoin-dos-nXRHkt5)

    Severity
    Serious3
    Qualys ID
    317312
    Date Published
    March 27, 2023
    Vendor Reference
    cisco-sa-c9800-apjoin-dos-nXRHkt5
    CVE Reference
    CVE-2023-20100
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    A vulnerability in the access point (AP) joining process of the Control and Provisioning of Wireless Access Points (CAPWAP) protocol of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

    Affected Products:
    Catalyst 9800 Series Wireless Controllers
    Catalyst 9800-CL Wireless Controllers for Cloud
    Embedded Wireless Controllers on Catalyst Access Points

    NOTE:
    Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches not supported.

    QID Detection Logic (Authenticated):
    The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
    QID Detection Logic (Unauthenticated):
    The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.

    Consequence
    Successful exploitation of this vulnerability may allow an unauthenticated remote attacker to execute Denial of Service attack.
    Solution

    Customers are advised to refer to cisco-sa-c9800-apjoin-dos-nXRHkt5 for more information.

    Patches
    cisco-sa-c9800-apjoin-dos-nXRHkt5
  • CVE-2022-23471
    QID: 672841
    Recently Published

    EulerOS Security Update for containerd (EulerOS-SA-2023-1580)

    Severity
    Serious3
    Qualys ID
    672841
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1580
    CVE Reference
    CVE-2022-23471
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    EulerOS has released a security update(s) for containerd to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1580 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1580
  • CVE-2022-23471
    QID: 672840
    Recently Published

    EulerOS Security Update for containerd (EulerOS-SA-2023-1570)

    Severity
    Serious3
    Qualys ID
    672840
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1570
    CVE Reference
    CVE-2022-23471
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    EulerOS has released a security update(s) for containerd to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1570 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1570
  • CVE-2023-20066
    QID: 317314
    Recently Published

    Cisco Internetwork Operating System (IOS) XE Software Web UI Path Traversal Vulnerability (cisco-sa-webui-pthtrv-es7GSb9V)

    Severity
    Serious3
    Qualys ID
    317314
    Date Published
    March 27, 2023
    Vendor Reference
    cisco-sa-webui-pthtrv-es7GSb9V
    CVE Reference
    CVE-2023-20066
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to perform a directory traversal and access resources that are outside the filesystem mountpoint of the web UI.

    QID Detection Logic (Authenticated):
    The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
    QID Detection Logic (Unauthenticated):
    The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.

    Consequence
    A successful exploit could allow the attacker to gain read access to files that are outside the filesystem mountpoint of the web UI.

    Solution

    Customers are advised to refer to cisco-sa-webui-pthtrv-es7GSb9V for more information.

    Patches
    cisco-sa-webui-pthtrv-es7GSb9V
  • CVE-2023-20113
    QID: 317310
    Recently Published

    Cisco SD-WAN vManage Software Cross-Site Request Forgery (CSRF) Vulnerability (cisco-sa-vman-csrf-76RDbLEh)

    Severity
    Serious3
    Qualys ID
    317310
    Date Published
    March 27, 2023
    Vendor Reference
    cisco-sa-vman-csrf-76RDbLEh
    CVE Reference
    CVE-2023-20113
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.

    Affected Products
    Prior to 20.6.5
    20.8 prior to 20.8.1
    20.9 prior to 20.9.1

    QID detection logic:
    The QID checks for Cisco SD WAN version retrieved via Unix Auth using "show system status" command

    Consequence
    A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. These actions could include modifying the system configuration and deleting accounts.

    Solution

    Customers are advised to refer to cisco-sa-vman-csrf-76RDbLEh for more information.

    Patches
    cisco-sa-vman-csrf-76RDbLEh
  • CVE-2022-41717
    QID: 672842
    Recently Published

    EulerOS Security Update for golang (EulerOS-SA-2023-1573)

    Severity
    Serious3
    Qualys ID
    672842
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1573
    CVE Reference
    CVE-2022-41717
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    EulerOS has released a security update(s) for golang to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1573 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1573
  • CVE-2022-41717
    QID: 672839
    Recently Published

    EulerOS Security Update for golang (EulerOS-SA-2023-1583)

    Severity
    Serious3
    Qualys ID
    672839
    Date Published
    March 27, 2023
    Vendor Reference
    EulerOS-SA-2023-1583
    CVE Reference
    CVE-2022-41717
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    EulerOS has released a security update(s) for golang to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to EulerOS security advisory EulerOS-SA-2023-1583 for updates and patch information.
    Patches
    EulerOS 2\\.0 SP11 EulerOS-SA-2023-1583
  • CVE-2023-20029
    QID: 317313
    Recently Published

    Cisco Internetwork Operating System (IOS) XE Software Privilege Escalation Vulnerability (cisco-sa-iosxe-priv-esc-sABD8hcU)

    Severity
    Medium2
    Qualys ID
    317313
    Date Published
    March 27, 2023
    Vendor Reference
    cisco-sa-iosxe-priv-esc-sABD8hcU
    CVE Reference
    CVE-2023-20029
    CVSS Scores
    Base 4.4 / Temporal 3.9
    Description

    QID Detection Logic (Authenticated):
    The check matches Cisco IOS XE version retrieved via Unix Auth using "show version" command.
    QID Detection Logic (Unauthenticated):
    The check matches Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.

    Consequence
    An attacker could exploit this vulnerability by modifying the Meraki registration parameters. A successful exploit could allow the attacker to elevate privileges to root.

    Solution

    Customers are advised to refer to cisco-sa-iosxe-priv-esc-sABD8hcU for more information.

    Patches
    cisco-sa-iosxe-priv-esc-sABD8hcU
  • CVE-2022-37704+
    QID: 199250
    Recently Published

    Ubuntu Security Notification for amanda Vulnerabilities (USN-5966-1)

    Severity
    Medium2
    Qualys ID
    199250
    Date Published
    March 27, 2023
    Vendor Reference
    USN-5966-1
    CVE Reference
    CVE-2022-37704, CVE-2022-37703, CVE-2022-37705
    CVSS Scores
    Base 3.3 / Temporal 2.9
    Description
    Ubuntu has released a security update for amanda to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5966-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5966-1
  • CVE-2023-28708
    QID: 730770
    Recently Published

    Apache Tomcat information disclosure Vulnerability (CVE-2023-28708)

    Severity
    Urgent5
    Qualys ID
    730770
    Date Published
    March 27, 2023
    Vendor Reference
    Apache_Tomcat_10.1.6
    CVE Reference
    CVE-2023-28708
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

    Affected versions:
    Apache Tomcat 10.1.0-M1 to 10.1.5

    QID Detection Logic (Unauthenticated):
    This QID sends a HTTP GET request to an invalid URL and based on the response confirms the vulnerable instance of Apache Tomcat running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2023-28708
    QID: 730769
    Recently Published

    Apache Tomcat information disclosure Vulnerability (CVE-2023-28708)

    Severity
    Urgent5
    Qualys ID
    730769
    Date Published
    March 27, 2023
    Vendor Reference
    Apache_Tomcat_9.0.72
    CVE Reference
    CVE-2023-28708
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

    Affected versions:
    Apache Tomcat 9.0.0-M1 to 9.0.71

    QID Detection Logic (Unauthenticated):
    This QID sends a HTTP GET request to an invalid URL and based on the response confirms the vulnerable instance of Apache Tomcat running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2023-28708
    QID: 730768
    Recently Published

    Apache Tomcat information disclosure Vulnerability (CVE-2023-28708)

    Severity
    Urgent5
    Qualys ID
    730768
    Date Published
    March 27, 2023
    Vendor Reference
    Apache_Tomcat_8.5.86
    CVE Reference
    CVE-2023-28708
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

    Affected versions:
    Apache Tomcat 8.5.0 to 8.5.85

    QID Detection Logic (Unauthenticated):
    This QID sends a HTTP GET request to an invalid URL and based on the response confirms the vulnerable instance of Apache Tomcat running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2023-27938+
    QID: 378115
    In Development

    Apple macOS Monterey 12.3 and later 10.4.8 Not Installed (HT213650)

    Severity
    Critical4
    Qualys ID
    378115
    Vendor Reference
    HT213650
    CVE Reference
    CVE-2023-27938, CVE-2023-27960
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    macOS Monterey 12.3 and later 10.4.8 is current major release of macOS, Apple's desktop operating system for Macintosh computers.

    Affected versions:
    Apple macOS Monterey 12.3 and later Versions Prior to 10.4.8

    QID Detection Logic (Authenticated)
    This QID checks for vulnerable versions of Apple macOS Monterey 12.3 and later.

    Consequence
    A malicious application may be able to execute arbitrary code.

    Solution
    For more information regarding the update HT213650
    Patches
    HT213650
  • CVE-2022-0778
    QID: 44005
    Recently Published

    Arista EOS Denial of Service (DoS) Vulnerability (SA0075)

    Severity
    Serious3
    Qualys ID
    44005
    Date Published
    March 27, 2023
    Vendor Reference
    Security Advisory 0075
    CVE Reference
    CVE-2022-0778
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Arista EOS

    Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.

    Affected EOS versions:
    4.27.3 and below releases in the 4.27.x train
    4.26.5 and below releases in the 4.26.x train
    4.25.8 and below releases in the 4.25.x train
    4.24.9 and below release in the 4.24.x train
    4.23.11 and below release in the 4.23.x train
    4.22.x train

    QID Detection Logic (Authenticated):
    The check matches Arista EOS version retrieved via Unix Auth using "show version" command.

    Consequence
    he impact of this vulnerability is publicly disclosed vulnerability in OpenSSL which a certificate containing invalid elliptic curve parameters can cause Denial-of-Service (DoS) to the application by triggering an infinite loop.
    Solution
    Refer to Arista Security Advisory SA0075 for patch details.
    Patches
    security-advisory-0075
  • CVE-2021-28504
    QID: 44001
    Recently Published

    Arista EOS Improper Access Control Vulnerability (SA0074)

    Severity
    Serious3
    Qualys ID
    44001
    Date Published
    March 27, 2023
    Vendor Reference
    Arista:Security Advisory 0074
    CVE Reference
    CVE-2021-28504
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Arista EOS

    Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.

    Affected EOS versions:
    4.27.1F and below releases in the 4.27.x train
    4.26.3M and below releases in the 4.26.x train
    4.25.6M and below releases in the 4.25.x train
    QID Detection Logic (Authenticated):
    The check matches Arista EOS version retrieved via Unix Auth using "show version" command.

    Consequence
    Successful exploitation could lead to Improper Access Control Vulnerability

    Solution
    Refer to Arista Security Advisory SA0074 for patch details.
    Patches
    Security Advisory 0074
  • CVE-2021-28510
    QID: 44000
    Recently Published

    Arista EOS PTP Service Denial of Service (DoS) Vulnerability (SA0076)

    Severity
    Serious3
    Qualys ID
    44000
    Date Published
    March 27, 2023
    Vendor Reference
    SA0076
    CVE Reference
    CVE-2021-28510
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Arista EOS

    Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.

    Affected EOS versions:
    4.27.1 and below releases in the 4.27.x train
    4.26.4 and below releases in the 4.26.x train
    4.25.6 and below releases in the 4.25.x train
    4.24.8 and below releases in the 4.24.x train
    4.23.10 and below releases in the 4.23.x train
    4.22.x train

    NOTE:
    Only vulnerable if PTP is enabled on the switch and please refer to advisory for affected Arista EOS-based products.

    QID Detection Logic (Authenticated):
    The check matches Arista EOS version retrieved via Unix Auth using "show version" command.

    Consequence
    Successful exploitation of this vulnerability may allow remote attacker can make the PTP service unavailable.
    Solution
    Customers are advised to refer Arista Security Advisory SA0076 for patch details.
    Patches
    SA0076
  • CVE-2021-28511
    QID: 44004
    Recently Published

    Arista EOS Improper Access Control Vulnerability (SA0078)

    Severity
    Serious3
    Qualys ID
    44004
    Date Published
    March 27, 2023
    Vendor Reference
    Security Advisory 0078
    CVE Reference
    CVE-2021-28511
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Arista EOS

    Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.

    Affected EOS versions:
    4.24.9 and below releases in the 4.24.x release train
    4.25.8 and below releases in the 4.25.x release train
    4.26.5 and below releases in the 4.26.x release train
    4.27.3 and below releases in the 4.27.x release train
    QID Detection Logic (Authenticated):
    The check matches Arista EOS version retrieved via Unix Auth using "show version" command.

    Consequence
    The impact of this vulnerability is that the security ACL drop rule might be bypassed if a NAT ACL rule filter with permit action matches the packet flow. This could allow a host with an IP address in a range that matches the range allowed by a NAT ACL and a range denied by a Security ACL to be forwarded incorrectly as it should have been denied by the Security ACL. This can enable an ACL bypass.
    Solution
    Refer to Arista Security Advisory SA0078 for patch details.
    Patches
    Security Advisory 0078
  • CVE-2021-28509
    QID: 44003
    Recently Published

    Arista EOS Information Disclosure Vulnerability (SA0077)

    Severity
    Serious3
    Qualys ID
    44003
    Date Published
    March 27, 2023
    Vendor Reference
    security-advisory-0077
    CVE Reference
    CVE-2021-28509
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    Arista EOS

    Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.

    Affected EOS versions:
    4.23.11 and below release in the 4.23.x train
    4.24.9 and below release in the 4.24.x train
    4.25.7 and below releases in the 4.25.x train
    4.26.5 and below releases in the 4.26.x train
    4.27.3 and below releases in the 4.27.x train
    QID Detection Logic (Authenticated):
    The check matches Arista EOS version retrieved via Unix Auth using "show version" command.

    Consequence
    Successful exploitation could lead to Information Disclosure

    Solution
    Refer to Arista Security Advisory SA0077 for patch details.
    Patches
    SA0077
  • CVE-2021-28508
    QID: 44002
    Recently Published

    Arista EOS Information Disclosure Vulnerability (SA0077)

    Severity
    Serious3
    Qualys ID
    44002
    Date Published
    March 27, 2023
    Vendor Reference
    security-advisory-0077
    CVE Reference
    CVE-2021-28508
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    Arista EOS

    Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.

    Affected EOS versions:
    4.23.11 and below release in the 4.23.x train
    4.24.9 and below release in the 4.24.x train
    4.25.7 and below releases in the 4.25.x train
    4.26.5 and below releases in the 4.26.x train
    4.27.1 and below releases in the 4.27.x train
    QID Detection Logic (Authenticated):
    The check matches Arista EOS version retrieved via Unix Auth using "show version" command.

    Consequence
    Successful exploitation could lead to Information Disclosure

    Solution
    Refer to Arista Security Advisory SA0077 for patch details.
    Patches
    SA0077
  • QID: 91998
    Under Investigation

    Microsoft Windows Servicing Stack Security Update March 2023 (KB5023790)

    Severity
    Serious3
    Qualys ID
    91998
    Vendor Reference
    KB5023790
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.

    Microsoft has released Servicing Stack security updates for Windows.
    Related KB:
    KB5023790
    QID Detection Logic (Authenticated):
    This authenticated QID will check for file version of CbsCore.dll

    Consequence
    Successful exploitation could allow attacker to compromise confidentiality, integrity and availability

    Solution
    Customers are advised to refer to advisory KB5023790 for more information.
    Patches
    KB5023790
  • QID: 91999
    Under Investigation

    Microsoft Windows Servicing Stack Security Update March 2023 (KB5023788)

    Severity
    Medium2
    Qualys ID
    91999
    Vendor Reference
    kb5023788
    CVSS Scores
    Base 0 / Temporal 0
    Description
    Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.

    Microsoft has released Servicing Stack security updates for Windows.
    Related KB:
    KB5023788
    QID Detection Logic (Authenticated):
    This authenticated QID will check for file version of CbsCore.dll

    Consequence
    Successful exploitation could allow attacker to compromise confidentiality, integrity and availability

    Solution
    Customers are advised to refer to advisory kb5023788 for more information.
    Patches
    KB5023788
  • CVE-2022-42915+
    QID: 378101
    In Development

    NetApp Clustered Data Open Network Technology for Appliance Products (ONTAP) Disclosure of Sensitive Information Denial of Service (DoS) Vulnerability (NTAP-20221209-0010)

    Severity
    Critical4
    Qualys ID
    378101
    Vendor Reference
    NTAP-20221209-0010
    CVE Reference
    CVE-2022-42915, CVE-2022-42916
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    NetApp Data ONTAP is a data management software which allows unifying storage infrastructures across flash, disk and cloud.

    Multiple NetApp products incorporate Libcurl. Libcurl versions 7.77.0 prior to 7.86.0 are susceptible to vulnerabilities which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

    Affected Versions:
    NetApp Clustered Data ONTAP versions prior to 9.11.1P6
    NetApp Clustered Data ONTAP versions prior to 9.12.1
    QID Detection Logic (Authenticated):
    This authenticated QID detects vulnerable NetApp OS command 'version'

    Consequence
    Successful exploitation of these vulnerabilities could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

    Solution

    Customers are advised to refer to NTAP-20221209-0010 for more information about patching this vulnerability.

    Patches
    NTAP-20221209-0010
  • CVE-2021-28505
    QID: 43999
    Recently Published

    Arista EOS VXLAN rule Vulnerability (SA0073)

    Severity
    Critical4
    Qualys ID
    43999
    Date Published
    March 27, 2023
    Vendor Reference
    15267-security-advisory-0073
    CVE Reference
    CVE-2021-28505
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Arista EOS is the Worlds Most Advanced Network Operating System.

    Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.

    On affected Arista EOS platforms, if a VXLAN match rule exists in an IPv4 access-list that is applied to the ingress of an L2 or an L3 port/SVI, the VXLAN rule and subsequent ACL rules in that access list will ignore the specified IP protocol.

    Affected EOS versions:
    4.26.3M and below releases in the 4.26.x train
    4.27.0F in the 4.27.x train
    QID Detection Logic (Authenticated):
    The check matches Arista EOS version retrieved via Unix Auth using "show version" command.

    Consequence
    Successful exploitation could compromise confidentiality, integrity and availability

    Solution
    Refer to Arista Security Advisory SA0073 for patch details.
    Patches
    15267-security-advisory-0073
  • CVE-2021-27853+
    QID: 43997
    Recently Published

    Arista EOS Multiple Vulnerabilities (SA0080)

    Severity
    Medium2
    Qualys ID
    43997
    Date Published
    March 27, 2023
    Vendor Reference
    Security Advisory 0080
    CVE Reference
    CVE-2021-27853, CVE-2021-27861
    CVSS Scores
    Base 4.7 / Temporal 4.1
    Description
    Arista EOS is the Worlds Most Advanced Network Operating System.

    Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.

    Affected EOS versions: 4.28.2F and older releases in the 4.28.x train
    4.27.6M and older releases in the 4.27.x train
    4.26.7M and older releases in the 4.26.x train
    4.25.9M and older releases in the 4.25.x train
    4.24.10M and older releases in the 4.24.x train
    4.23.12M and older releases in the 4.23.x train
    4.22.12M and older releases in the 4.22.x train
    QID Detection Logic (Authenticated):
    The check matches Arista EOS version retrieved via Unix Auth using "show version" command.

    Consequence
    Successful exploitation of these vulnerabilities could lead an attacker to send crafted packets through vulnerable devices to cause Denial-of-Service (DoS) or to perform a Man-in-the-Middle (MitM) attack against L2 reachable hosts in the network.
    Solution
    Refer to Arista Security Advisory SA0080 for patch details.
    Patches
    Security Advisory 0080
  • CVE-2023-24509
    QID: 43996
    Recently Published

    Arista EOS Improper Privilege Management Vulnerability (SA0082)

    Severity
    Urgent5
    Qualys ID
    43996
    Date Published
    March 27, 2023
    Vendor Reference
    Arista:Security Advisory 0082
    CVE Reference
    CVE-2023-24509
    CVSS Scores
    Base 9.3 / Temporal 8.1
    Description
    Arista EOS

    Arista EOS is a fully programmable and highly modular, Linux-based network operation system, using familiar industry-standard CLI, and runs a single binary software image across the Arista switching family.

    Affected EOS versions:
    4.28.3M and below releases in the 4.28.x train
    4.27.6M and below releases in the 4.27.x train
    4.26.8M and below releases in the 4.26.x train
    4.25.9M and below releases in the 4.25.x train
    4.24.10M and below releases in the 4.24.x train
    4.23.13M and below releases in the 4.23.x train
    QID Detection Logic (Authenticated):
    The check matches Arista EOS version retrieved via Unix Auth using "show version" command.

    Consequence
    Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading to a privilege escalation. Valid user credentials are required in order to exploit this vulnerability.
    Solution
    Refer to Arista Security Advisory SA0082 for patch details.
    Patches
    Security Advisory 0082
  • CVE-2023-20064
    QID: 317303
    Recently Published

    Cisco Internetwork Operating System (IOS) XR Software Bootloader Unauthenticated Information Disclosure Vulnerability (cisco-sa-iosxr-load-infodisc-9rdOr5Fq)

    Severity
    Serious3
    Qualys ID
    317303
    Date Published
    March 27, 2023
    Vendor Reference
    cisco-sa-iosxr-load-infodisc-9rdOr5Fq
    CVE Reference
    CVE-2023-20064
    CVSS Scores
    Base 4.6 / Temporal 4
    Description
    A vulnerability in the GRand Unified Bootloader (GRUB) for Cisco IOS XR Software could allow an unauthenticated attacker with physical access to the device to view sensitive files on the console using the GRUB bootloader command line.

    Affected Products

    QID Detection Logic (Authenticated):
    The check matches Cisco IOS XR version retrieved via Unix Auth using "show version" command.

    Consequence
    A successful exploit could allow the attacker to view sensitive files that could be used to conduct additional attacks against the device.

    Solution

    Customers are advised to refer to cisco-sa-iosxr-load-infodisc-9rdOr5Fq for more information.

    Patches
    cisco-sa-iosxr-load-infodisc-9rdOr5Fq
  • CVE-2023-20049
    QID: 317302
    Recently Published

    Cisco Internetwork Operating System (IOS) XR Software for ASR 9000 Series Routers Bidirectional Forwarding Detection Denial of Service (DoS) Vulnerability (cisco-sa-bfd-XmRescbT)

    Severity
    Critical4
    Qualys ID
    317302
    Date Published
    March 27, 2023
    Vendor Reference
    cisco-sa-bfd-XmRescbT
    CVE Reference
    CVE-2023-20049
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    A vulnerability in the bidirectional forwarding detection (BFD) hardware offload feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers could allow an unauthenticated, remote attacker to cause a line card to reset, resulting in a denial of service (DoS) condition.

    Making this QID as practice as we cannot add Workarounds configuration check in signature.

    Affected Products
    Cisco devices if they were running Cisco IOS XR Software releases From 6.5 and Prior to 7.5.3
    From 7.6 and Prior to 7.6.2
    7.7 and later and Prior to 7.7.1

    QID Detection Logic (Authenticated):
    The check matches Cisco IOS XR version retrieved via Unix Auth using "show version" command.

    Consequence
    A successful exploit could allow the attacker to cause line card exceptions or a hard reset, resulting in loss of traffic over that line card while the line card reloads.

    Solution

    Customers are advised to refer to cisco-sa-bfd-XmRescbT for more information.

    Patches
    cisco-sa-bfd-XmRescbT
  • CVE-2023-20050
    QID: 317298
    Recently Published

    Cisco Nexus Operating System (NX-OS) Software CLI Command Injection Vulnerability (cisco-sa-nxos-cli-cmdinject-euQVK9u)

    Severity
    Serious3
    Qualys ID
    317298
    Date Published
    March 27, 2023
    Vendor Reference
    cisco-sa-nxos-cli-cmdinject-euQVK9u
    CVE Reference
    CVE-2023-20050
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device.

    Affected Products
    MDS 9000 Series Multilayer Switches
    Nexus 1000 Virtual Edge for VMware vSphere
    Nexus 1000V Switch for Microsoft Hyper-V
    Nexus 1000V Switch for VMware vSphere
    Nexus 3000 Series Switches
    Nexus 5500 Platform Switches
    Nexus 5600 Platform Switches
    Nexus 6000 Series Switches
    Nexus 7000 Series Switches
    Nexus 9000 Series Switches in standalone NX-OS mode

    QID Detection Logic(Authenticated):
    It checks for vulnerable version of Cisco NX-OS using show version Command.

    Consequence
    A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the currently logged-in user.

    Solution

    Customers are advised to refer to cisco-sa-nxos-cli-cmdinject-euQVK9u

    Patches
    cisco-sa-nxos-cli-cmdinject-euQVK9u
  • CVE-2021-33845
    QID: 378030
    Recently Published

    Splunk Enterprise REST API Enumeration Vulnerability (SVD-2022-0502)

    Severity
    Serious3
    Qualys ID
    378030
    Date Published
    March 27, 2023
    Vendor Reference
    SVD-2022-0502
    CVE Reference
    CVE-2021-33845
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message.

    Note:- Mitigation is available, hence making this detection practice.

    Affected Versions:
    Splunk Enterprise 8.1.6 and lower

    Consequence
    The vulnerability allows enumeration of usernames via the lockout error message

    Solution
    Vendor has released updated versions to fix these vulnerabilities. Please refer SVD-2022-0502Workaround:
    If the Splunk Enterprise instance uses the default verboseLoginFailMsg or sets verboseLoginFailMsg to true, it is not impacted. However, setting verboseLoginFailMsg to false.
    Patches
    SVD-2022-0502
  • CVE-2022-43565+
    QID: 378021
    Recently Published

    Splunk Enterprise Multiple Vulnerabilities (SVD-2022-1105,SVD-2022-1103,SVD-2022-1104)

    Severity
    Critical4
    Qualys ID
    378021
    Date Published
    March 27, 2023
    Vendor Reference
    SVD-2022-1103, SVD-2022-1104, SVD-2022-1105
    CVE Reference
    CVE-2022-43565, CVE-2022-43563, CVE-2022-43564
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the 'tstats' command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.

    Note:- Mitigation is available, hence making this detection practice. Splunk Enterprise is affected by multiple vulnerabilities:

    Affected Versions:
    Splunk Enterprise 8.1.11 and lower
    Splunk Enterprise 8.2.0 to 8.2.8

    QID Detection Logic(Authenticated)
    It checks for vulnerable version of Splunk Enterprise .

    Consequence
    The vulnerability lets an attacker run risky commands with permissions of a user who holds the power Splunk role.

    Solution
    Vendor has released updated versions to fix these vulnerabilities. Please refer SVD-2022-1105 SVD-2022-1103 SVD-2022-1104
    Patches
    SVD-2022-1103, SVD-2022-1104, SVD-2022-1105
  • CVE-2022-4634
    QID: 591392
    Recently Published

    Delta Electronics CNCSoft ScreenEditor Stack-based Buffer Overflow Vulnerability (ICSA-23-026-01)

    Severity
    Critical4
    Qualys ID
    591392
    Date Published
    March 27, 2023
    Vendor Reference
    ICSA-23-026-01
    CVE Reference
    CVE-2022-4634
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    AFFECTED PRODUCTS
    The following versions of CNCSoft, a software management platform, are affected:
    CNCSoft: All versions prior to v1.01.34

    QID Detection Logic (Authenticated)
    QID checks for the Vulnerable version using windows registry keys

    Consequence
    Successful exploitation of this vulnerability could cause a buffer overflow condition, which could allow remote code execution.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-23-026-01 for affected packages and patching details.

    Patches
    ICSA-23-026-01
  • CVE-2023-22937
    QID: 378023
    Recently Published

    Splunk Enterprise Local Privilege Escalation Vulnerability (SVD-2023-0207)

    Severity
    Serious3
    Qualys ID
    378023
    Date Published
    March 27, 2023
    Vendor Reference
    SVD-2023-0207
    CVE Reference
    CVE-2023-22937
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl.

    Note:- Mitigation is available, hence making this detection practice. Splunk Enterprise is affected by multiple vulnerabilities:

    Affected Versions:
    Splunk Enterprise 8.1.12 and lower
    Splunk Enterprise 8.2.0 to 8.2.9
    Splunk Enterprise 9.0.0 to 9.0.3

    QID Detection Logic(Authenticated)
    It checks for vulnerable version of Splunk Enterprise .

    Consequence
    Successful exploitation of these vulnerability may allow an Local Privilege Escalation Vulnerability

    Solution
    Vendor has released updated versions to fix these vulnerabilities. Please refer SVD-2023-0207
    Patches
    SVD-2023-0207
  • CVE-2022-3085+
    QID: 591380
    Recently Published

    Fuji Electric Tellus Lite V-Simulator Multiple Vulnerabilities (ICSA-22-354-01)

    Severity
    Critical4
    Qualys ID
    591380
    Date Published
    March 27, 2023
    Vendor Reference
    ICSA-22-354-01
    CVE Reference
    CVE-2022-3085, CVE-2022-3087
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    AFFECTED PRODUCTS
    The following Fuji Electric remote monitoring and operation software products are affected:
    Tellus Lite V-Simulator Versions upto v4.0.12.0

    QID Detection Logic (Authenticated)
    QID checks for the Vulnerable version using windows registry keys

    Consequence
    Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-22-354-01 for affected packages and patching details.

    Patches
    ICSA-22-354-01
  • CVE-2022-2758
    QID: 591379
    Recently Published

    LS ELECTRIC XG5000 Inadequate Encryption Strength Vulnerability (ICSA-22-228-02)

    Severity
    Serious3
    Qualys ID
    591379
    Date Published
    March 27, 2023
    Vendor Reference
    ICSA-22-228-02
    CVE Reference
    CVE-2022-2758
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description

    AFFECTED PRODUCTS
    The following versions of XG5000, a PLC programming software, are affected: LS ELECTRIC XG5000: All versions prior to V4.0

    QID Detection Logic (Authenticated)
    QID checks for the Vulnerable version using windows registry keys

    Consequence
    Successful exploitation of this vulnerability could allow an attacker to decrypt credentials and gain full access to the affected programmable logic controller (PLC).
    Solution

    Customers are advised to refer to Schneider Electric MITIGATIONS section ICSA-22-228-02 for affected packages and patching details.

    Patches
    ICSA-22-228-02
  • CVE-2021-21419+
    QID: 378004
    Recently Published

    Splunk Enterprise Multiple Vulnerabilities (SVD-2023-0215,SVD-2023-0211,SVD-2023-0208)

    Severity
    Critical4
    Qualys ID
    378004
    Date Published
    March 27, 2023
    Vendor Reference
    SVD-2023-0208, SVD-2023-0211, SVD-2023-0215
    CVE Reference
    CVE-2021-21419, CVE-2021-28957, CVE-2022-24785, CVE-2022-31129, CVE-2022-32212, CVE-2015-20107, CVE-2021-3517, CVE-2021-3537, CVE-2021-3518, CVE-2023-22941, CVE-2023-22938
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Splunk Enterprise captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.

    Splunk Enterprise is affected by multiple vulnerabilities:

    Affected Versions:
    Splunk Enterprise 8.1.12 and lower
    Splunk Enterprise 8.2.0 to 8.2.9
    Splunk Enterprise 9.0.0 to 9.0.3

    QID Detection Logic(Authenticated)
    It checks for vulnerable version of Splunk Enterprise .

    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Vendor has released updated versions to fix these vulnerabilities. Please refer SVD-2023-0215 SVD-2023-0211 SVD-2023-0208 for more details.

    Patches
    SVD-2023-0208, SVD-2023-0211, SVD-2023-0215
  • CVE-2021-34736
    QID: 317291
    Recently Published

    Cisco Integrated Management Controller (IMC) GUI Denial of Service (DoS) Vulnerability (cisco-sa-imc-gui-dos-TZjrFyZh)

    Severity
    Serious3
    Qualys ID
    317291
    Date Published
    March 27, 2023
    Vendor Reference
    cisco-sa-imc-gui-dos-TZjrFyZh
    CVE Reference
    CVE-2021-34736
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an unauthenticated, remote attacker to cause the web-based management interface to unexpectedly restart.

    Affected Products
    Following Cisco products and software releases:
    4.1 and earlier and 4.2

    QID Detection Logic (Authenticated):
    The check matches Cisco cimc version retrieved using "show cimc detail " command.

    Consequence
    A successful exploit could allow the attacker to cause the interface to restart, resulting in a denial of service (DoS) condition.

    Solution

    Customers are advised to refer to cisco-sa-imc-gui-dos-TZjrFyZh for more information.

    Patches
    cisco-sa-imc-gui-dos-TZjrFyZh
  • QID: 45559
    Recently Published

    Red Hat OpenJDK for Windows Installation Detected

    Severity
    Minimal1
    Qualys ID
    45559
    Date Published
    March 27, 2023
    Vendor Reference
    Red Hat OpenJDK Windows
    CVSS Scores
    Base / Temporal
    Description

    Red Hat OpenJDK is a free and open-source implementation of the Java Development Kit (JDK) for Linux, Windows, and macOS. It is based on the OpenJDK project, with additional features and enhancements from Red Hat.
    QID Detection Logic (Authenticated) :
    This QID will check the Red Hat OpenJDK DisplayName ,Publisher details as "Red Hat" , and version from registry keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall","HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall This QID will check the Red Hat OpenJDK version, path and vendor details.

    Consequence
    N/A
    Solution
    N/A
  • CVE-2022-1919+
    QID: 502686
    Recently Published

    Alpine Linux Security Update for firefox

    Severity
    Urgent5
    Qualys ID
    502686
    Date Published
    March 23, 2023
    Vendor Reference
    firefox
    CVE Reference
    CVE-2022-1919, CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31739, CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31743, CVE-2022-31744, CVE-2022-31745, CVE-2022-31747, CVE-2022-31748
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Alpine Linux has released a security update for firefox to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.16


    Affected Package versions prior to 101.0-r0.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory firefox for updates and patch information.
    Patches
    Alpine Linux firefox-101.0-r0
  • CVE-2022-29909+
    QID: 502684
    Recently Published

    Alpine Linux Security Update for firefox

    Severity
    Urgent5
    Qualys ID
    502684
    Date Published
    March 23, 2023
    Vendor Reference
    firefox
    CVE Reference
    CVE-2022-29909, CVE-2022-29910, CVE-2022-29911, CVE-2022-29912, CVE-2022-29914, CVE-2022-29915, CVE-2022-29916, CVE-2022-29917, CVE-2022-29918
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Alpine Linux has released a security update for firefox to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.16


    Affected Package versions prior to 100.0-r0.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory firefox for updates and patch information.
    Patches
    Alpine Linux firefox-100.0-r0
  • CVE-2006-20001+
    QID: 354845
    Recently Published

    Amazon Linux Security Advisory for httpd24 : ALAS-2023-1711

    Severity
    Urgent5
    Qualys ID
    354845
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS-2023-1711
    CVE Reference
    CVE-2006-20001, CVE-2023-25690, CVE-2022-36760, CVE-2023-27522, CVE-2022-37436
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    a carefully crafted if: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent.
    This could cause the process to crash.
    This issue affects apache http server 2.4.54 and earlier. (
    ( CVE-2006-20001) inconsistent interpretation of http requests (http request smuggling) vulnerability in mod_proxy_ajp of apache http server allows an attacker to smuggle requests to the ajp server it forwards requests to.
    This issue affects apache http server apache http server 2.4 version 2.4.54 and prior versions. (
    ( CVE-2022-36760) prior to apache http server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body.
    If the later headers have any security purpose, they will not be interpreted by the client. (
    ( CVE-2022-37436) some mod_proxy configurations on apache http server versions 2.4.0 through 2.4.55 allow a http request smuggling attack.
    Configurations are affected when mod_proxy is enabled along with some form of rewriterule or proxypassmatch in which a non-specific pattern matches some portion of the user-supplied request-target (url) data and is then re-inserted into the proxied request-target using variable substitution.
    For example, something like: rewriteengine on rewriterule "^/here/(.*)" "
    Http://example.com:8080/elsewhere?$1"; [p] proxypassreverse /here/ http://example.com:8080/ request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended urls to existing origin servers, and cache poisoning.
    This issue affects apache http server: from 2.4.30 through 2.4.55.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS-2023-1711 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux ALAS-2023-1711
  • CVE-2021-3805+
    QID: 199249
    Recently Published

    Ubuntu Security Notification for object-path Vulnerabilities (USN-5967-1)

    Severity
    Urgent5
    Qualys ID
    199249
    Date Published
    March 23, 2023
    Vendor Reference
    USN-5967-1
    CVE Reference
    CVE-2021-3805, CVE-2021-23434, CVE-2020-15256
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Ubuntu has released a security update for object-path to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5967-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5967-1
  • CVE-2022-0843+
    QID: 502690
    Recently Published

    Alpine Linux Security Update for firefox

    Severity
    Urgent5
    Qualys ID
    502690
    Date Published
    March 23, 2023
    Vendor Reference
    firefox
    CVE Reference
    CVE-2022-0843, CVE-2022-26381, CVE-2022-26382, CVE-2022-26383, CVE-2022-26384, CVE-2022-26385, CVE-2022-26387
    CVSS Scores
    Base 9.6 / Temporal 8.3
    Description
    Alpine Linux has released a security update for firefox to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.16


    Affected Package versions prior to 98.0-r0.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory firefox for updates and patch information.
    Patches
    Alpine Linux firefox-98.0-r0
  • CVE-2022-26485+
    QID: 502689
    Recently Published

    Alpine Linux Security Update for firefox

    Severity
    Urgent5
    Qualys ID
    502689
    Date Published
    March 23, 2023
    Vendor Reference
    firefox
    CVE Reference
    CVE-2022-26485, CVE-2022-26486
    CVSS Scores
    Base 9.6 / Temporal 8.9
    Description
    Alpine Linux has released a security update for firefox to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.16


    Affected Package versions prior to 97.0.2-r0.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory firefox for updates and patch information.
    Patches
    Alpine Linux firefox-97.0.2-r0
  • CVE-2021-4140+
    QID: 502688
    Recently Published

    Alpine Linux Security Update for firefox

    Severity
    Urgent5
    Qualys ID
    502688
    Date Published
    March 23, 2023
    Vendor Reference
    firefox
    CVE Reference
    CVE-2021-4140, CVE-2022-0511, CVE-2022-22736, CVE-2022-22737, CVE-2022-22738, CVE-2022-22739, CVE-2022-22740, CVE-2022-22741, CVE-2022-22742, CVE-2022-22743, CVE-2022-22744, CVE-2022-22745, CVE-2022-22746, CVE-2022-22747, CVE-2022-22748, CVE-2022-22749, CVE-2022-22750, CVE-2022-22751, CVE-2022-22752, CVE-2022-22753, CVE-2022-22754, CVE-2022-22755, CVE-2022-22756, CVE-2022-22757, CVE-2022-22758, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22762, CVE-2022-22764
    CVSS Scores
    Base 10 / Temporal 8.7
    Description
    Alpine Linux has released a security update for firefox to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.16


    Affected Package versions prior to 97.0-r0.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory firefox for updates and patch information.
    Patches
    Alpine Linux firefox-97.0-r0
  • CVE-2023-0394+
    QID: 354842
    Recently Published

    Amazon Linux Security Advisory for kernel : ALAS-2023-1706

    Severity
    Urgent5
    Qualys ID
    354842
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS-2023-1706
    CVE Reference
    CVE-2023-0394, CVE-2022-3643
    CVSS Scores
    Base 10 / Temporal 8.7
    Description

    Guests can trigger nic interface reset/abort/crash via netback it is possible for a guest to trigger a nic interface reset/abort/crash in a linux based network backend by sending certain kinds of packets.
    It appears to be an (unwritten?)
    Assumption in the rest of the linux network stack that packet protocol headers are all contained within the linear section of the skb and some nics behave badly if this is not the case.
    This has been reported to occur with cisco (enic) and broadcom netxtrem ii bcm5780 (bnx2x) though it may be an issue with other nics/drivers as well.
    In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior. (
    ( CVE-2022-3643) a null pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the linux kernel.
    This flaw causes the system to crash. (
    ( CVE-2023-0394)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS-2023-1706 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux ALAS-2023-1706
  • CVE-2022-1097+
    QID: 502691
    Recently Published

    Alpine Linux Security Update for firefox

    Severity
    Critical4
    Qualys ID
    502691
    Date Published
    March 23, 2023
    Vendor Reference
    firefox
    CVE Reference
    CVE-2022-1097, CVE-2022-24713, CVE-2022-28281, CVE-2022-28282, CVE-2022-28283, CVE-2022-28284, CVE-2022-28285, CVE-2022-28286, CVE-2022-28287, CVE-2022-28288, CVE-2022-28289
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Alpine Linux has released a security update for firefox to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.16


    Affected Package versions prior to 99.0-r0.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory firefox for updates and patch information.
    Patches
    Alpine Linux firefox-99.0-r0
  • CVE-2021-43536+
    QID: 502687
    Recently Published

    Alpine Linux Security Update for firefox

    Severity
    Critical4
    Qualys ID
    502687
    Date Published
    March 23, 2023
    Vendor Reference
    firefox
    CVE Reference
    CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43540, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43544, CVE-2021-43545, CVE-2021-43546
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Alpine Linux has released a security update for firefox to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.16


    Affected Package versions prior to 95.0-r0.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory firefox for updates and patch information.
    Patches
    Alpine Linux firefox-95.0-r0
  • CVE-2022-1529+
    QID: 502685
    Recently Published

    Alpine Linux Security Update for firefox

    Severity
    Critical4
    Qualys ID
    502685
    Date Published
    March 23, 2023
    Vendor Reference
    firefox
    CVE Reference
    CVE-2022-1529, CVE-2022-1802
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Alpine Linux has released a security update for firefox to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.16


    Affected Package versions prior to 100.0.2-r0.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory firefox for updates and patch information.
    Patches
    Alpine Linux firefox-100.0.2-r0
  • QID: 753838
    Recently Published

    SUSE Enterprise Linux Security Update for oracleasm (SUSE-SU-2023:0867-1)

    Severity
    Critical4
    Qualys ID
    753838
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0867-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP3|SUSE Linux Enterprise Server for SAP Applications 15 SP3
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0867-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0867-1
  • CVE-2023-0464
    QID: 502683
    Recently Published

    Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL) 3

    Severity
    Critical4
    Qualys ID
    502683
    Date Published
    March 23, 2023
    Vendor Reference
    openssl3
    CVE Reference
    CVE-2023-0464
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Alpine Linux has released a security update for openssl3 to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.15
    Alpine Linux 3.16


    Affected Package versions prior to 3.0.8-r1.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory openssl3 for updates and patch information.
    Patches
    Alpine Linux openssl3-3.0.8-r1
  • CVE-2023-0464
    QID: 502682
    Recently Published

    Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)

    Severity
    Critical4
    Qualys ID
    502682
    Date Published
    March 23, 2023
    Vendor Reference
    openssl
    CVE Reference
    CVE-2023-0464
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Alpine Linux has released a security update for openssl to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.15


    Affected Package versions prior to 1.1.1t-r2.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory openssl for updates and patch information.
    Patches
    Alpine Linux openssl-1.1.1t-r2
  • CVE-2023-0464
    QID: 502681
    Recently Published

    Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)

    Severity
    Critical4
    Qualys ID
    502681
    Date Published
    March 23, 2023
    Vendor Reference
    openssl
    CVE Reference
    CVE-2023-0464
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Alpine Linux has released a security update for openssl to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.14
    Alpine Linux 3.16


    Affected Package versions prior to 1.1.1t-r1.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory openssl for updates and patch information.
    Patches
    Alpine Linux openssl-1.1.1t-r1
  • CVE-2023-0494
    QID: 354840
    Recently Published

    Amazon Linux Security Advisory for xorg-x11-server : ALAS-2023-1702

    Severity
    Critical4
    Qualys ID
    354840
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS-2023-1702
    CVE Reference
    CVE-2023-0494
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description

    A vulnerability was found in x.org.
    This issue occurs due to a dangling pointer in deepcopypointerclasses that can be exploited by procxkbsetdeviceinfo() and procxkbgetdeviceinfo() to read and write into freed memory.
    This can lead to local privilege elevation on systems where the x server runs privileged and remote code execution for ssh x forwarding sessions. (
    ( CVE-2023-0494)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS-2023-1702 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux ALAS-2023-1702
  • CVE-2023-25751+
    QID: 257232
    Recently Published

    CentOS Security Update for firefox (CESA-2023:1333)

    Severity
    Critical4
    Qualys ID
    257232
    Date Published
    March 23, 2023
    Vendor Reference
    CESA-2023:1333
    CVE Reference
    CVE-2023-25751, CVE-2023-28176, CVE-2023-28162, CVE-2023-25752, CVE-2023-28164
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    CentOS has released a security update for firefox security update to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to CentOS security advisory CESA-2023:1333 for updates and patch information.
    Patches
    centos 7 CESA-2023:1333
  • CVE-2023-0767
    QID: 257230
    Recently Published

    CentOS Security Update for nss (CESA-2023:1332)

    Severity
    Critical4
    Qualys ID
    257230
    Date Published
    March 23, 2023
    Vendor Reference
    CESA-2023:1332
    CVE Reference
    CVE-2023-0767
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    CentOS has released a security update for nss security update to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to CentOS security advisory CESA-2023:1332 for updates and patch information.
    Patches
    centos 7 CESA-2023:1332
  • CVE-2023-25751+
    QID: 160522
    Recently Published

    Oracle Enterprise Linux Security Update for thunderbird (ELSA-2023-1407)

    Severity
    Critical4
    Qualys ID
    160522
    Date Published
    March 23, 2023
    Vendor Reference
    ELSA-2023-1407
    CVE Reference
    CVE-2023-25751, CVE-2023-28176, CVE-2023-28162, CVE-2023-25752, CVE-2023-28164
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for thunderbird to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch.Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2023-1407
    Patches
    Oracle Linux ELSA-2023-1407
  • CVE-2023-25751+
    QID: 160520
    Recently Published

    Oracle Enterprise Linux Security Update for thunderbird (ELSA-2023-1403)

    Severity
    Critical4
    Qualys ID
    160520
    Date Published
    March 23, 2023
    Vendor Reference
    ELSA-2023-1403
    CVE Reference
    CVE-2023-25751, CVE-2023-28176, CVE-2023-28162, CVE-2023-25752, CVE-2023-28164
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for thunderbird to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch.Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2023-1403
    Patches
    Oracle Linux ELSA-2023-1403
  • CVE-2023-25751+
    QID: 160518
    Recently Published

    Oracle Enterprise Linux Security Update for thunderbird (ELSA-2023-1401)

    Severity
    Critical4
    Qualys ID
    160518
    Date Published
    March 23, 2023
    Vendor Reference
    ELSA-2023-1401
    CVE Reference
    CVE-2023-25751, CVE-2023-28176, CVE-2023-28162, CVE-2023-25752, CVE-2023-28164
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for thunderbird to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch.Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2023-1401
    Patches
    Oracle Linux ELSA-2023-1401
  • CVE-2023-26545
    QID: 354843
    Recently Published

    Amazon Linux Security Advisory for kernel : ALAS-2023-1701

    Severity
    Critical4
    Qualys ID
    354843
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS-2023-1701
    CVE Reference
    CVE-2023-26545
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    In the linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (
    ( CVE-2023-26545)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS-2023-1701 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux ALAS-2023-1701
  • CVE-2022-48303
    QID: 354839
    Recently Published

    Amazon Linux Security Advisory for tar : ALAS-2023-1704

    Severity
    Critical4
    Qualys ID
    354839
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS-2023-1704
    CVE Reference
    CVE-2022-48303
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Gnu tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump.
    Exploitation to change the flow of control has not been demonstrated.
    The issue occurs in from_header in list.c via a v7 archive in which mtime has approximately 11 whitespace characters. (
    ( CVE-2022-48303)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS-2023-1704 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux ALAS-2023-1704
  • CVE-2023-0512+
    QID: 354838
    Recently Published

    Amazon Linux Security Advisory for vim : ALAS-2023-1703

    Severity
    Critical4
    Qualys ID
    354838
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS-2023-1703
    CVE Reference
    CVE-2023-0512, CVE-2023-1127, CVE-2023-0288, CVE-2023-0433
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Heap-based buffer overflow in github repository vim/vim prior to 9.0.1189. (
    ( CVE-2023-0288) heap-based buffer overflow in github repository vim/vim prior to 9.0.1225. (
    ( CVE-2023-0433) divide by zero in github repository vim/vim prior to 9.0.1247. (
    ( CVE-2023-0512) divide by zero in github repository vim/vim prior to 9.0.1367. (
    ( CVE-2023-1127)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS-2023-1703 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux ALAS-2023-1703
  • CVE-2022-41720+
    QID: 753839
    Recently Published

    SUSE Enterprise Linux Security Update for container-suseconnect (SUSE-SU-2023:0871-1)

    Severity
    Critical4
    Qualys ID
    753839
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0871-1
    CVE Reference
    CVE-2022-41720, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released a security update for container-suseconnect to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP2|SUSE Linux Enterprise Server for SAP Applications 15 SP2
    SUSE Linux Enterprise Server 15 SP1|SUSE Linux Enterprise Server for SAP Applications 15 SP1
    SUSE Linux Enterprise Server 15 SP3|SUSE Linux Enterprise Server for SAP Applications 15 SP3
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0871-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0871-1
  • CVE-2023-24329
    QID: 753837
    Recently Published

    SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2023:0868-1)

    Severity
    Critical4
    Qualys ID
    753837
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0868-1
    CVE Reference
    CVE-2023-24329
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released a security update for python3 to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP3|SUSE Linux Enterprise Server for SAP Applications 15 SP3
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0868-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0868-1
  • CVE-2022-41723+
    QID: 753836
    Recently Published

    SUSE Enterprise Linux Security Update for go1.18 (SUSE-SU-2023:0869-1)

    Severity
    Critical4
    Qualys ID
    753836
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0869-1
    CVE Reference
    CVE-2022-41723, CVE-2022-41724, CVE-2022-41725
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    SUSE has released a security update for go1.18 to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP3|SUSE Linux Enterprise Server for SAP Applications 15 SP3
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0869-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0869-1
  • CVE-2022-37797
    QID: 354847
    Recently Published

    Amazon Linux Security Advisory for lighttpd : ALAS-2023-1705

    Severity
    Critical4
    Qualys ID
    354847
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS-2023-1705
    CVE Reference
    CVE-2022-37797
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid http request (websocket handshake) is received.
    It leads to null pointer dereference which crashes the server.
    It could be used by an external attacker to cause denial of service condition. (
    ( CVE-2022-37797)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS-2023-1705 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux ALAS-2023-1705
  • CVE-2022-4304+
    QID: 160521
    Recently Published

    Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2023-1405)

    Severity
    Critical4
    Qualys ID
    160521
    Date Published
    March 23, 2023
    Vendor Reference
    ELSA-2023-1405
    CVE Reference
    CVE-2022-4304, CVE-2023-0215, CVE-2022-4450, CVE-2023-0286
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security update for openssl to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch.Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2023-1405
    Patches
    Oracle Linux ELSA-2023-1405
  • CVE-2023-0286
    QID: 257231
    Recently Published

    CentOS Security Update for Open Secure Sockets Layer (OpenSSL) (CESA-2023:1335)

    Severity
    Critical4
    Qualys ID
    257231
    Date Published
    March 23, 2023
    Vendor Reference
    CESA-2023:1335
    CVE Reference
    CVE-2023-0286
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    CentOS has released a security update for openssl security update to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to CentOS security advisory CESA-2023:1335 for updates and patch information.
    Patches
    centos 7 CESA-2023:1335
  • CVE-2023-0286
    QID: 160519
    Recently Published

    Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2023-12210)

    Severity
    Critical4
    Qualys ID
    160519
    Date Published
    March 23, 2023
    Vendor Reference
    ELSA-2023-12210
    CVE Reference
    CVE-2023-0286
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    Oracle Enterprise Linux has released a security update for openssl to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch.Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2023-12210
    Patches
    Oracle Linux ELSA-2023-12210
  • CVE-2023-0286
    QID: 160517
    Recently Published

    Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2023-12205)

    Severity
    Critical4
    Qualys ID
    160517
    Date Published
    March 23, 2023
    Vendor Reference
    ELSA-2023-12205
    CVE Reference
    CVE-2023-0286
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    Oracle Enterprise Linux has released a security update for openssl to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch.Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2023-12205
    Patches
    Oracle Linux ELSA-2023-12205
  • CVE-2020-27783+
    QID: 354846
    Recently Published

    Amazon Linux Security Advisory for python-lxml : ALAS-2023-1709

    Severity
    Critical4
    Qualys ID
    354846
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS-2023-1709
    CVE Reference
    CVE-2020-27783, CVE-2021-43818
    CVSS Scores
    Base 7.1 / Temporal 6.2
    Description

    A cross-site scripting (xss) vulnerability was found in the python-lxml's clean module.
    The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page.
    This flaw allows a remote attacker to run arbitrary html/js code.
    The highest threat from this vulnerability is to confidentiality and integrity. (
    ( CVE-2020-27783) there's a flaw in python-lxml's html cleaner component, which is responsible for sanitizing html and javascript.
    An attacker who is able to submit a crafted payload to a web service using python-lxml's html cleaner may be able to trigger script execution in clients such as web browsers.
    This can occur because the html cleaner did not remove scripts within svg images in data urls such as <img src=>.
    Xss can result in impacts to the integrity and availability of the web page, as well as a potential impact to data confidentiality in some circumstances. (
    ( CVE-2021-43818)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS-2023-1709 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux ALAS-2023-1709
  • CVE-2022-3524
    QID: 354844
    Recently Published

    Amazon Linux Security Advisory for kernel : ALAS-2023-1707

    Severity
    Serious3
    Qualys ID
    354844
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS-2023-1707
    CVE Reference
    CVE-2022-3524
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description

    A vulnerability was found in linux kernel.
    It has been declared as problematic.
    Affected by this vulnerability is the function ipv6_renew_options of the component ipv6 handler.
    The manipulation leads to memory leak.
    The attack can be launched remotely.
    It is recommended to apply a patch to fix this issue.
    The identifier vdb-211021 was assigned to this vulnerability. (
    ( CVE-2022-3524)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS-2023-1707 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux ALAS-2023-1707
  • CVE-2019-14834
    QID: 354841
    Recently Published

    Amazon Linux Security Advisory for dnsmasq : ALAS-2020-1458

    Severity
    Medium2
    Qualys ID
    354841
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS-2020-1458
    CVE Reference
    CVE-2019-14834
    CVSS Scores
    Base 3.7 / Temporal 3.2
    Description

    A flaw was found in the dnsmasq application where a remote attacker can trigger a memory leak by sending specially crafted dhcp responses to the server.
    A successful attack is dependent on a specific configuration regarding the domain name set into the dnsmasq.conf file.
    Over time, the memory leak may cause the process to run out of memory and terminate, causing a denial of service. (
    ( CVE-2019-14834)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS-2020-1458 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux ALAS-2020-1458
  • CVE-2022-36949+
    QID: 378124
    Recently Published

    Veritas NetBackup OpsCenter Multiple Vulnerabilities

    Severity
    Urgent5
    Qualys ID
    378124
    Date Published
    March 23, 2023
    Vendor Reference
    VTS22-009
    CVE Reference
    CVE-2022-36949, CVE-2022-36950, CVE-2022-36953
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Veritas NetBackup OpsCenter gives the user the ability to display customizable, multi-level views of backup and archive resources and customizable reports for tracking service usage and expenditures.

    Affected Versions:
    Veritas NetBackup OpsCenter 8.2.x and earlier

    QID Detection Logic (Authenticated):
    Operating Systems: Windows
    The QID checks for the registry to check the vulnerable version.

    Consequence
    An attacker can comprise the Veritas NetBackup via Multiple Attack Vectors.

    Solution
    The vendor has issued a fix for these vulnerabilities. Please refer to the vendor advisory VTS22-009 which addresses this issue.

    Patches
    VTS22-009
  • CVE-2023-25690+
    QID: 354828
    Recently Published

    Amazon Linux Security Advisory for httpd : ALAS2-2023-1989

    Severity
    Urgent5
    Qualys ID
    354828
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-1989
    CVE Reference
    CVE-2023-25690, CVE-2023-27522
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    Some mod_proxy configurations on apache http server versions 2.4.0 through 2.4.55 allow a http request smuggling attack.
    Configurations are affected when mod_proxy is enabled along with some form of rewriterule or proxypassmatch in which a non-specific pattern matches some portion of the user-supplied request-target (url) data and is then re-inserted into the proxied request-target using variable substitution.
    For example, something like: rewriteengine on rewriterule "^/here/(.*)" "
    Http://example.com:8080/elsewhere?$1"; [p] proxypassreverse /here/ http://example.com:8080/ request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended urls to existing origin servers, and cache poisoning.
    Users are recommended to update to at least version 2.4.56 of apache http server. (
    ( CVE-2023-25690) http response smuggling vulnerability in apache http server via mod_proxy_uwsgi.
    This issue affects apache http server: from 2.4.30 through 2.4.55.
    Special characters in the origin response header can truncate/split the response forwarded to the client. (
    ( CVE-2023-27522)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-1989 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-1989
  • CVE-2022-2196
    QID: 906557
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (12947-1)

    Severity
    Critical4
    Qualys ID
    906557
    Date Published
    March 23, 2023
    Vendor Reference
    12947-1
    CVE Reference
    CVE-2022-2196
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 12947-1
  • CVE-2021-3929+
    QID: 753824
    Recently Published

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2023:0840-1)

    Severity
    Critical4
    Qualys ID
    753824
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0840-1
    CVE Reference
    CVE-2021-3929, CVE-2021-3507, CVE-2022-1050, CVE-2020-14394, CVE-2022-0216, CVE-2022-4144
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    SUSE has released a security update for qemu to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP3|SUSE Linux Enterprise Server for SAP Applications 15 SP3
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0840-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0840-1
  • CVE-2023-1077+
    QID: 354837
    Recently Published

    Amazon Linux Security Advisory for kernel : ALAS2KERNEL-5.10-2023-028

    Severity
    Critical4
    Qualys ID
    354837
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2KERNEL-5.10-2023-028
    CVE Reference
    CVE-2023-1077, CVE-2023-26545, CVE-2023-22998, CVE-2022-2196, CVE-2023-1078, CVE-2022-27672
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    a regression exists in the linux kernel within kvm: nvmx that allowed for speculative execution attacks.
    L2 can carry out spectre v2 attacks on l1 due to l1 thinking it doesnt need retpolines or ibpb after running l2 due to kvm (l0) advertising eibrs support to l1.
    An attacker at l2 with code execution can execute code on an indirect branch on the host machine.
    We recommend upgrading to kernel 6.2 or past commit 2e7eab81425a (cve-2022-2196) it has been discovered that on some amd cpus, the ras (return address stack, also called rap - return address predictor - in some amd documentation, and rsb - return stack buffer - in intel terminology) is dynamically partitioned between non-idle threads.
    this allows an attacker to control speculative execution on the adjacent thread. (
    ( CVE-2022-27672) kernel: type confusion in pick_next_rt_entity(), which can result in memory corruption. (
    ( CVE-2023-1077) the upstream bug report describes this issue as follows: a flaw found in the linux kernel in rds (reliable datagram sockets) protocol.
    The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion.
    Local user can trigger this with rds_message_put().
    Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user.
    It is known how to trigger this, which causes an oob access, and a lock corruption. (
    ( CVE-2023-1078) in the linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be null in the error case, whereas it is actually an error pointer). (
    ( CVE-2023-26545)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2KERNEL-5.10-2023-028 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2KERNEL-5.10-2023-028
  • CVE-2022-4254
    QID: 354824
    Recently Published

    Amazon Linux Security Advisory for sssd : ALAS2-2023-1995

    Severity
    Critical4
    Qualys ID
    354824
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-1995
    CVE Reference
    CVE-2022-4254
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    A vulnerability was found in sssd, in the libsss_certmap functionality.
    Pkinit enables a client to authenticate to the kdc using an x.509 certificate and the corresponding private key, rather than a passphrase or keytab.
    Freeipa uses mapping rules to map a certificate presented during a pkinit authentication request to the corresponding principal.
    The mapping filter is vulnerable to ldap filter injection.
    The search result can be influenced by values in the certificate, which may be attacker controlled.
    In the most extreme case, an attacker could gain control of the admin account, leading to full domain takeover. (
    ( CVE-2022-4254)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-1995 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-1995
  • CVE-2023-1077+
    QID: 354822
    Recently Published

    Amazon Linux Security Advisory for kernel : ALAS2KERNEL-5.15-2023-015

    Severity
    Critical4
    Qualys ID
    354822
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2KERNEL-5.15-2023-015
    CVE Reference
    CVE-2023-1077, CVE-2023-26545, CVE-2022-2196, CVE-2023-1078, CVE-2022-27672
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    A regression exists in the linux kernel within kvm: nvmx that allowed for speculative execution attacks.
    L2 can carry out spectre v2 attacks on l1 due to l1 thinking it doesn't need retpolines or ibpb after running l2 due to kvm (l0) advertising eibrs support to l1.
    An attacker at l2 with code execution can execute code on an indirect branch on the host machine.
    We recommend upgrading to kernel 6.2 or past commit 2e7eab81425a (cve-2022-2196) it has been discovered that on some amd cpus, the ras (return address stack, also called rap - return address predictor - in some amd documentation, and rsb - return stack buffer - in intel terminology) is dynamically partitioned between non-idle threads.
    This allows an attacker to control speculative execution on the adjacent thread. (
    ( CVE-2022-27672) kernel: type confusion in pick_next_rt_entity(), which can result in memory corruption. (
    ( CVE-2023-1077) the upstream bug report describes this issue as follows: a flaw found in the linux kernel in rds (reliable datagram sockets) protocol.
    The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion.
    Local user can trigger this with rds_message_put().
    Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user.
    It is known how to trigger this, which causes an oob access, and a lock corruption. (
    ( CVE-2023-1078) in the linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (
    ( CVE-2023-26545)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2KERNEL-5.15-2023-015 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2KERNEL-5.15-2023-015
  • CVE-2023-1077+
    QID: 354820
    Recently Published

    Amazon Linux Security Advisory for kernel : ALAS2KERNEL-5.4-2023-043

    Severity
    Critical4
    Qualys ID
    354820
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2KERNEL-5.4-2023-043
    CVE Reference
    CVE-2023-1077, CVE-2023-26545, CVE-2022-2196, CVE-2023-1078, CVE-2022-27672
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    A regression exists in the linux kernel within kvm: nvmx that allowed for speculative execution attacks.
    L2 can carry out spectre v2 attacks on l1 due to l1 thinking it doesn't need retpolines or ibpb after running l2 due to kvm (l0) advertising eibrs support to l1.
    An attacker at l2 with code execution can execute code on an indirect branch on the host machine.
    We recommend upgrading to kernel 6.2 or past commit 2e7eab81425a (cve-2022-2196) it has been discovered that on some amd cpus, the ras (return address stack, also called rap - return address predictor - in some amd documentation, and rsb - return stack buffer - in intel terminology) is dynamically partitioned between non-idle threads.
    This allows an attacker to control speculative execution on the adjacent thread. (
    ( CVE-2022-27672) kernel: type confusion in pick_next_rt_entity(), which can result in memory corruption. (
    ( CVE-2023-1077) the upstream bug report describes this issue as follows: a flaw found in the linux kernel in rds (reliable datagram sockets) protocol.
    The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion.
    Local user can trigger this with rds_message_put().
    Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user.
    It is known how to trigger this, which causes an oob access, and a lock corruption. (
    ( CVE-2023-1078) in the linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (
    ( CVE-2023-26545)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2KERNEL-5.4-2023-043 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2KERNEL-5.4-2023-043
  • QID: 753835
    Recently Published

    SUSE Enterprise Linux Security Update for oracleasm (SUSE-SU-2023:0864-1)

    Severity
    Critical4
    Qualys ID
    753835
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0864-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 12 SP5
    SUSE Linux Enterprise Server 12 SP5|SUSE Linux Enterprise Server for SAP Applications 12 SP5
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0864-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0864-1
  • QID: 753834
    Recently Published

    SUSE Enterprise Linux Security Update for oracleasm (SUSE-SU-2023:0854-1)

    Severity
    Critical4
    Qualys ID
    753834
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0854-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 12 SP4|SUSE Linux Enterprise Server for SAP Applications 12 SP4
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0854-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0854-1
  • CVE-2022-42331+
    QID: 753833
    Recently Published

    SUSE Enterprise Linux Security Update for xen (SUSE-SU-2023:0859-1)

    Severity
    Critical4
    Qualys ID
    753833
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0859-1
    CVE Reference
    CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for xen to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 12 SP4|SUSE Linux Enterprise Server for SAP Applications 12 SP4
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0859-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0859-1
  • CVE-2023-25748+
    QID: 753830
    Recently Published

    SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2023:0835-1)

    Severity
    Critical4
    Qualys ID
    753830
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0835-1
    CVE Reference
    CVE-2023-25748, CVE-2023-25749, CVE-2023-25750, CVE-2023-25751, CVE-2023-25752, CVE-2023-28159, CVE-2023-28160, CVE-2023-28161, CVE-2023-28162, CVE-2023-28163, CVE-2023-28164, CVE-2023-28176, CVE-2023-28177
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for firefox to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP3|SUSE Linux Enterprise Server for SAP Applications 15 SP3
    SUSE Linux Enterprise Server 15 SP2|SUSE Linux Enterprise Server for SAP Applications 15 SP2
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0835-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0835-1
  • QID: 753829
    Recently Published

    SUSE Enterprise Linux Security Update for dpdk (SUSE-SU-2023:0836-1)

    Severity
    Critical4
    Qualys ID
    753829
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0836-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP1|SUSE Linux Enterprise Server for SAP Applications 15 SP1
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0836-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0836-1
  • QID: 753828
    Recently Published

    SUSE Enterprise Linux Security Update for dpdk (SUSE-SU-2023:0863-1)

    Severity
    Critical4
    Qualys ID
    753828
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0863-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP2|SUSE Linux Enterprise Server for SAP Applications 15 SP2
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0863-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0863-1
  • CVE-2022-42332+
    QID: 753827
    Recently Published

    SUSE Enterprise Linux Security Update for xen (SUSE-SU-2023:0862-1)

    Severity
    Critical4
    Qualys ID
    753827
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0862-1
    CVE Reference
    CVE-2022-42332, CVE-2022-42334, CVE-2022-42333, CVE-2022-42331
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for xen to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP2|SUSE Linux Enterprise Server for SAP Applications 15 SP2
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0862-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0862-1
  • QID: 753826
    Recently Published

    SUSE Enterprise Linux Security Update for drbd (SUSE-SU-2023:0857-1)

    Severity
    Critical4
    Qualys ID
    753826
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0857-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server for SAP Applications Applications 12 SP4
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0857-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0857-1
  • CVE-2022-42332+
    QID: 753825
    Recently Published

    SUSE Enterprise Linux Security Update for xen (SUSE-SU-2023:0847-1)

    Severity
    Critical4
    Qualys ID
    753825
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0847-1
    CVE Reference
    CVE-2022-42332, CVE-2022-42334, CVE-2022-42333, CVE-2022-42331
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for xen to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP3|SUSE Linux Enterprise Server for SAP Applications 15 SP3
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0847-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0847-1
  • QID: 753823
    Recently Published

    SUSE Enterprise Linux Security Update for dpdk (SUSE-SU-2023:0841-1)

    Severity
    Critical4
    Qualys ID
    753823
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0841-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP3|SUSE Linux Enterprise Server for SAP Applications 15 SP3
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0841-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0841-1
  • CVE-2022-42332+
    QID: 753822
    Recently Published

    SUSE Enterprise Linux Security Update for xen (SUSE-SU-2023:0858-1)

    Severity
    Critical4
    Qualys ID
    753822
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0858-1
    CVE Reference
    CVE-2022-42332, CVE-2022-42334, CVE-2022-42333, CVE-2022-42331
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for xen to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP1|SUSE Linux Enterprise Server for SAP Applications 15 SP1
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0858-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0858-1
  • QID: 753821
    Recently Published

    SUSE Enterprise Linux Security Update for oracleasm (SUSE-SU-2023:0853-1)

    Severity
    Critical4
    Qualys ID
    753821
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0853-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP2|SUSE Linux Enterprise Server for SAP Applications 15 SP2
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0853-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0853-1
  • CVE-2022-42332+
    QID: 753820
    Recently Published

    SUSE Enterprise Linux Security Update for xen (SUSE-SU-2023:0845-1)

    Severity
    Critical4
    Qualys ID
    753820
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0845-1
    CVE Reference
    CVE-2022-42332, CVE-2022-42334, CVE-2022-42333, CVE-2022-42331
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for xen to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise (Desktop|Server) 12 SP5
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0845-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0845-1
  • CVE-2023-27534+
    QID: 753819
    Recently Published

    SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:0865-1)

    Severity
    Critical4
    Qualys ID
    753819
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0865-1
    CVE Reference
    CVE-2023-27534, CVE-2023-27535, CVE-2023-27533, CVE-2023-27536, CVE-2023-27538
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for curl to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise (Desktop|Server) 12 SP5
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0865-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0865-1
  • CVE-2023-0767
    QID: 354832
    Recently Published

    Amazon Linux Security Advisory for nss : ALAS2-2023-1992

    Severity
    Critical4
    Qualys ID
    354832
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-1992
    CVE Reference
    CVE-2023-0767
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description

    Firefox-esr , thunderbird and nss only are affected by this package. (
    ( CVE-2023-0767)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-1992 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-1992
  • CVE-2023-28162+
    QID: 354816
    Recently Published

    Amazon Linux Security Advisory for thunderbird : ALAS2-2023-1988

    Severity
    Critical4
    Qualys ID
    354816
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-1988
    CVE Reference
    CVE-2023-28162, CVE-2023-28176, CVE-2023-28163, CVE-2023-25751, CVE-2023-25752
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description

    The mozilla foundation describes this issue as follows: sometimes, when invalidating jit code while following an iterator, the newly generated code could be overwritten incorrectly.
    This could lead to a potentially exploitable crash. (
    ( CVE-2023-25751) the mozilla foundation describes this issue as follows: when accessing throttled streams, the count of available bytes needed to be checked in the calling function to be within bounds.
    This may have lead future code to be incorrect and vulnerable. (
    ( CVE-2023-25752) this issue affects firefox and thunderbird esr 102.8 and earlier.
    The mozilla foundation describes this issue as follows: while implementing audioworklets, some code may have casted one type to another, invalid, dynamic type.
    This could have led to a potentially exploitable crash. (
    ( CVE-2023-28162) a flaw was found in mozilla.
    The mozilla foundation security advisory describes the issue that when downloading files through the save as dialog on windows with suggested filenames containing environment variable names, windows would have resolved those in the current user's context.
    This bug only affects firefox on windows.
    Other versions of firefox are unaffected. (
    ( CVE-2023-28163) mozilla fuzzing team reported memory safety bugs present in firefox 110 and esr 102.8.
    Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code. (
    ( CVE-2023-28176)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-1988 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-1988
  • QID: 283808
    Recently Published

    Fedora Security Update for firefox (FEDORA-2023-24b2b22eca)

    Severity
    Critical4
    Qualys ID
    283808
    Date Published
    March 23, 2023
    Vendor Reference
    FEDORA-2023-24b2b22eca
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for firefox to fix the vulnerabilities.

    Affected OS:
    Fedora 37


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 37 for updates and patch information.
    Patches
    Fedora 37 FEDORA-2023-24b2b22eca
  • CVE-2023-25751+
    QID: 241288
    Recently Published

    Red Hat Update for thunderbird (RHSA-2023:1401)

    Severity
    Critical4
    Qualys ID
    241288
    Date Published
    March 23, 2023
    Vendor Reference
    RHSA-2023:1401
    CVE Reference
    CVE-2023-25751, CVE-2023-25752, CVE-2023-28162, CVE-2023-28164, CVE-2023-28176
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla thunderbird is a standalone mail and newsgroup client...Security Fix(es):
      mozilla: incorrect code generation during jit compilation (cve-2023-25751).
      Mozilla: memory safety bugs fixed in firefox 111 and firefox esr 102.9 (cve-2023-28176).
      Mozilla: potential out-of-bounds when accessing throttled streams (cve-2023-25752).
      Mozilla: invalid downcast in worklets (cve-2023-28162).
      Mozilla: url being dragged from a removed cross-origin iframe into the same tab triggered navigation (cve-2023-28164).
    Affected Products:
      Red Hat enterprise linux server 7 x86_64.
      Red hat enterprise linux workstation 7 x86_64.
      Red hat enterprise linux desktop 7 x86_64.
      Red hat enterprise linux for power, little endian 7 ppc64le.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1401 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1401
  • CVE-2023-25751+
    QID: 241287
    Recently Published

    Red Hat Update for thunderbird (RHSA-2023:1407)

    Severity
    Critical4
    Qualys ID
    241287
    Date Published
    March 23, 2023
    Vendor Reference
    RHSA-2023:1407
    CVE Reference
    CVE-2023-25751, CVE-2023-25752, CVE-2023-28162, CVE-2023-28164, CVE-2023-28176
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla thunderbird is a standalone mail and newsgroup client...Security Fix(es):
      mozilla: incorrect code generation during jit compilation (cve-2023-25751).
      Mozilla: memory safety bugs fixed in firefox 111 and firefox esr 102.9 (cve-2023-28176).
      Mozilla: potential out-of-bounds when accessing throttled streams (cve-2023-25752).
      Mozilla: invalid downcast in worklets (cve-2023-28162).
      Mozilla: url being dragged from a removed cross-origin iframe into the same tab triggered navigation (cve-2023-28164).
    Affected Products:
      Red Hat enterprise linux for x86_64 9 x86_64.
      Red hat enterprise linux for ibm z systems 9 s390x.
      Red hat enterprise linux for power, little endian 9 ppc64le.
      Red hat enterprise linux for arm 64 9 aarch64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1407 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1407
  • CVE-2023-25751+
    QID: 241286
    Recently Published

    Red Hat Update for thunderbird (RHSA-2023:1402)

    Severity
    Critical4
    Qualys ID
    241286
    Date Published
    March 23, 2023
    Vendor Reference
    RHSA-2023:1402
    CVE Reference
    CVE-2023-25751, CVE-2023-25752, CVE-2023-28162, CVE-2023-28164, CVE-2023-28176
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla thunderbird is a standalone mail and newsgroup client...Security Fix(es):
      mozilla: incorrect code generation during jit compilation (cve-2023-25751).
      Mozilla: memory safety bugs fixed in firefox 111 and firefox esr 102.9 (cve-2023-28176).
      Mozilla: potential out-of-bounds when accessing throttled streams (cve-2023-25752).
      Mozilla: invalid downcast in worklets (cve-2023-28162).
      Mozilla: url being dragged from a removed cross-origin iframe into the same tab triggered navigation (cve-2023-28164).
    Affected Products:
      Red Hat enterprise linux for x86_64 - extended update support 9.0 x86_64.
      Red hat enterprise linux for ibm z systems - extended update support 9.0 s390x.
      Red hat enterprise linux for power, little endian - extended update support 9.0 ppc64le.
      Red hat enterprise linux for arm 64 - extended update support 9.0 aarch64.
      Red hat enterprise linux server for power le - update services for sap solutions 9.0 ppc64le.
      Red hat enterprise linux for x86_64 - update services for sap solutions 9.0 x86_64.
      Red hat enterprise linux server for arm 64 - 4 years of updates 9.0 aarch64.
      Red hat enterprise linux server for ibm z systems - 4 years of updates 9.0 s390x.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1402 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1402
  • CVE-2023-25751+
    QID: 241284
    Recently Published

    Red Hat Update for thunderbird (RHSA-2023:1403)

    Severity
    Critical4
    Qualys ID
    241284
    Date Published
    March 23, 2023
    Vendor Reference
    RHSA-2023:1403
    CVE Reference
    CVE-2023-25751, CVE-2023-25752, CVE-2023-28162, CVE-2023-28164, CVE-2023-28176
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla thunderbird is a standalone mail and newsgroup client...Security Fix(es):
      mozilla: incorrect code generation during jit compilation (cve-2023-25751).
      Mozilla: memory safety bugs fixed in firefox 111 and firefox esr 102.9 (cve-2023-28176).
      Mozilla: potential out-of-bounds when accessing throttled streams (cve-2023-25752).
      Mozilla: invalid downcast in worklets (cve-2023-28162).
      Mozilla: url being dragged from a removed cross-origin iframe into the same tab triggered navigation (cve-2023-28164).
    Affected Products:
      Red Hat enterprise linux for x86_64 8 x86_64.
      Red hat enterprise linux for ibm z systems 8 s390x.
      Red hat enterprise linux for power, little endian 8 ppc64le.
      Red hat enterprise linux for arm 64 8 aarch64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1403 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1403
  • CVE-2023-25751+
    QID: 241283
    Recently Published

    Red Hat Update for thunderbird (RHSA-2023:1404)

    Severity
    Critical4
    Qualys ID
    241283
    Date Published
    March 23, 2023
    Vendor Reference
    RHSA-2023:1404
    CVE Reference
    CVE-2023-25751, CVE-2023-25752, CVE-2023-28162, CVE-2023-28164, CVE-2023-28176
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla thunderbird is a standalone mail and newsgroup client...Security Fix(es):
      mozilla: incorrect code generation during jit compilation (cve-2023-25751).
      Mozilla: memory safety bugs fixed in firefox 111 and firefox esr 102.9 (cve-2023-28176).
      Mozilla: potential out-of-bounds when accessing throttled streams (cve-2023-25752).
      Mozilla: invalid downcast in worklets (cve-2023-28162).
      Mozilla: url being dragged from a removed cross-origin iframe into the same tab triggered navigation (cve-2023-28164).
    Affected Products:
      Red Hat enterprise linux for x86_64 - extended update support 8.6 x86_64.
      Red hat enterprise linux server - aus 8.6 x86_64.
      Red hat enterprise linux for ibm z systems - extended update support 8.6 s390x.
      Red hat enterprise linux for power, little endian - extended update support 8.6 ppc64le.
      Red hat enterprise linux server - tus 8.6 x86_64.
      Red hat enterprise linux for arm 64 - extended update support 8.6 aarch64.
      Red hat enterprise linux server for power le - update services for sap solutions 8.6 ppc64le.
      Red hat enterprise linux for x86_64 - update services for sap solutions 8.6 x86_64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1404 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1404
  • CVE-2023-26545
    QID: 906547
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (13753-1)

    Severity
    Critical4
    Qualys ID
    906547
    Date Published
    March 23, 2023
    Vendor Reference
    13753-1
    CVE Reference
    CVE-2023-26545
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13753-1
  • CVE-2023-25173
    QID: 906541
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (13591-1)

    Severity
    Critical4
    Qualys ID
    906541
    Date Published
    March 23, 2023
    Vendor Reference
    13591-1
    CVE Reference
    CVE-2023-25173
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for moby-containerd to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13591-1
  • CVE-2021-4203+
    QID: 753832
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2023:0852-1)

    Severity
    Critical4
    Qualys ID
    753832
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0852-1
    CVE Reference
    CVE-2021-4203, CVE-2022-2991, CVE-2022-36280, CVE-2022-38096, CVE-2022-4129, CVE-2023-0045, CVE-2023-0590, CVE-2023-23559, CVE-2023-26545
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    SUSE has released a security update for kernel to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 12 SP4|SUSE Linux Enterprise Server for SAP Applications 12 SP4
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0852-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0852-1
  • CVE-2022-40303+
    QID: 354834
    Recently Published

    Amazon Linux Security Advisory for libxml2 : ALAS2-2023-1996

    Severity
    Critical4
    Qualys ID
    354834
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-1996
    CVE Reference
    CVE-2022-40303, CVE-2022-40304
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    An issue was discovered in libxml2 before 2.10.3.
    When parsing a multi-gigabyte xml document with the xml_parse_huge parser option enabled, several integer counters can overflow.
    This results in an attempt to access an array at a negative 2gb offset, typically leading to a segmentation fault. (
    ( CVE-2022-40303) an issue was discovered in libxml2 before 2.10.3.
    Certain invalid xml entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors.
    In one case, a double-free can be provoked. (
    ( CVE-2022-40304)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-1996 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-1996
  • CVE-2021-3575
    QID: 354833
    Recently Published

    Amazon Linux Security Advisory for openjpeg : ALAS2-2023-1999

    Severity
    Critical4
    Qualys ID
    354833
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-1999
    CVE Reference
    CVE-2021-3575
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    A heap-based buffer overflow was found in openjpeg.
    This flaw allows an attacker to execute arbitrary code with the permissions of the application compiled against openjpeg. (
    ( CVE-2021-3575)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-1999 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-1999
  • CVE-2022-48303
    QID: 354827
    Recently Published

    Amazon Linux Security Advisory for tar : ALAS2-2023-1994

    Severity
    Critical4
    Qualys ID
    354827
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-1994
    CVE Reference
    CVE-2022-48303
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Gnu tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump.
    Exploitation to change the flow of control has not been demonstrated.
    The issue occurs in from_header in list.c via a v7 archive in which mtime has approximately 11 whitespace characters. (
    ( CVE-2022-48303)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-1994 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-1994
  • CVE-2023-1127
    QID: 354826
    Recently Published

    Amazon Linux Security Advisory for vim : ALAS2-2023-1991

    Severity
    Critical4
    Qualys ID
    354826
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-1991
    CVE Reference
    CVE-2023-1127
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Divide by zero in github repository vim/vim prior to 9.0.1367. (
    ( CVE-2023-1127)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-1991 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-1991
  • CVE-2023-26545
    QID: 354821
    Recently Published

    Amazon Linux Security Advisory for kernel : ALAS2-2023-1987

    Severity
    Critical4
    Qualys ID
    354821
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-1987
    CVE Reference
    CVE-2023-26545
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    In the linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (
    ( CVE-2023-26545)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-1987 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-1987
  • CVE-2019-25059
    QID: 354818
    Recently Published

    Amazon Linux Security Advisory for ghostscript : ALAS2-2023-2003

    Severity
    Critical4
    Qualys ID
    354818
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-2003
    CVE Reference
    CVE-2019-25059
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Artifex ghostscript through 9.26 mishandles .completefont.
    Note: this issue exists because of an incomplete fix for( CVE-2019-3839. (
    ( CVE-2019-25059)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-2003 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-2003
  • CVE-2023-25193
    QID: 906552
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for harfbuzz (13321-1)

    Severity
    Critical4
    Qualys ID
    906552
    Date Published
    March 23, 2023
    Vendor Reference
    13321-1
    CVE Reference
    CVE-2023-25193
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for harfbuzz to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13321-1
  • CVE-2023-24329
    QID: 906550
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (13679-1)

    Severity
    Critical4
    Qualys ID
    906550
    Date Published
    March 23, 2023
    Vendor Reference
    13679-1
    CVE Reference
    CVE-2023-24329
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for python3 to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13679-1
  • CVE-2023-23946
    QID: 906549
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for git (13573-1)

    Severity
    Critical4
    Qualys ID
    906549
    Date Published
    March 23, 2023
    Vendor Reference
    13573-1
    CVE Reference
    CVE-2023-23946
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for git to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13573-1
  • CVE-2023-24329
    QID: 906548
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for python2 (13699-1)

    Severity
    Critical4
    Qualys ID
    906548
    Date Published
    March 23, 2023
    Vendor Reference
    13699-1
    CVE Reference
    CVE-2023-24329
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for python2 to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13699-1
  • CVE-2023-0361
    QID: 906543
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for gnutls (13574-1)

    Severity
    Critical4
    Qualys ID
    906543
    Date Published
    March 23, 2023
    Vendor Reference
    13574-1
    CVE Reference
    CVE-2023-0361
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for gnutls to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13574-1
  • CVE-2022-2795+
    QID: 354835
    Recently Published

    Amazon Linux Security Advisory for bind : ALAS2-2023-2001

    Severity
    Critical4
    Qualys ID
    354835
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-2001
    CVE Reference
    CVE-2022-2795, CVE-2021-25220, CVE-2022-38177, CVE-2022-38178
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    A cache poisoning vulnerability was found in bind when using forwarders.
    Bogus ns records supplied by the forwarders may be cached and used by name if it needs to recurse for any reason.
    This issue causes it to obtain and pass on potentially incorrect answers.
    This flaw allows a remote attacker to manipulate cache results with incorrect records, leading to queries made to the wrong servers, possibly resulting in false information received on the client's end. (
    ( CVE-2021-25220) by flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the dns resolution service. (
    ( CVE-2022-2795) by spoofing the target resolver with responses that have a malformed ecdsa signature, an attacker can trigger a small memory leak.
    It is possible to gradually erode available memory to the point where named crashes for lack of resources. (
    ( CVE-2022-38177) by spoofing the target resolver with responses that have a malformed eddsa signature, an attacker can trigger a small memory leak.
    ( CVE-2022-38178)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-2001 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-2001
  • CVE-2022-31394
    QID: 354823
    Recently Published

    Amazon Linux Security Advisory for aws-nitro-enclaves-cli : ALAS2NITRO-ENCLAVES-2023-021

    Severity
    Critical4
    Qualys ID
    354823
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2NITRO-ENCLAVES-2023-021
    CVE Reference
    CVE-2022-31394
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    Hyperium hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the h2 third-party software, allowing attackers to perform http2 attacks. (
    ( CVE-2022-31394)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2NITRO-ENCLAVES-2023-021 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2NITRO-ENCLAVES-2023-021
  • CVE-2023-24329
    QID: 354817
    Recently Published

    Amazon Linux Security Advisory for python3 : ALAS2-2023-1990

    Severity
    Critical4
    Qualys ID
    354817
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-1990
    CVE Reference
    CVE-2023-24329
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    An issue in the urllib.parse component of python before v3.11 allows attackers to bypass blocklisting methods by supplying a url that starts with blank characters. (
    ( CVE-2023-24329)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-1990 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-1990
  • CVE-2022-4304+
    QID: 241285
    Recently Published

    Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2023:1405)

    Severity
    Critical4
    Qualys ID
    241285
    Date Published
    March 23, 2023
    Vendor Reference
    RHSA-2023:1405
    CVE Reference
    CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Openssl is a toolkit that implements the secure sockets layer (ssl) and transport layer security (tls) protocols, as well as a full-strength general-purpose cryptography library...Security Fix(es):
      openssl: x.400 address type confusion in x.509 generalname (cve-2023-0286).
      Openssl: timing attack in rsa decryption implementation (cve-2022-4304).
      Openssl: double free after calling pem_read_bio_ex (cve-2022-4450).
      Openssl: use-after-free following bio_new_ndef (cve-2023-0215).
    Affected Products:
      Red Hat enterprise linux for x86_64 8 x86_64.
      Red hat enterprise linux for ibm z systems 8 s390x.
      Red hat enterprise linux for power, little endian 8 ppc64le.
      Red hat enterprise linux for arm 64 8 aarch64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1405 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1405
  • CVE-2022-4055+
    QID: 354830
    Recently Published

    Amazon Linux Security Advisory for xdg-utils : ALAS2-2023-2002

    Severity
    Critical4
    Qualys ID
    354830
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-2002
    CVE Reference
    CVE-2022-4055, CVE-2020-27748
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description

    A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer.
    When handling mailto: uris, xdg-email allows attachments to be discreetly added via the uri when being passed to thunderbird.
    An attacker could potentially send a victim a uri that automatically attaches a sensitive file to a new email.
    If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure.
    It has been confirmed that the code behind this issue is in xdg-email and not in thunderbird. (
    ( CVE-2020-27748) when xdg-mail is configured to use thunderbird for mailto urls, improper parsing of the url can lead to additional headers being passed to thunderbird that should not be included per rfc 2368.
    An attacker can use this method to create a mailto url that looks safe to users, but will actually attach files when clicked. (
    ( CVE-2022-4055)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-2002 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-2002
  • CVE-2021-4156
    QID: 354819
    Recently Published

    Amazon Linux Security Advisory for libsndfile : ALAS2-2023-1998

    Severity
    Critical4
    Qualys ID
    354819
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-1998
    CVE Reference
    CVE-2021-4156
    CVSS Scores
    Base 7.1 / Temporal 6.2
    Description

    An out-of-bounds read flaw was found in libsndfile's flac codec functionality.
    An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the flac codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws. (
    ( CVE-2021-4156)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-1998 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-1998
  • CVE-2023-23931
    QID: 753831
    Recently Published

    SUSE Enterprise Linux Security Update for python-cffi (SUSE-SU-2023:0837-1)

    Severity
    Serious3
    Qualys ID
    753831
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0837-1
    CVE Reference
    CVE-2023-23931
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    SUSE has released a security update for python-cffi to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 12 SP5
    SUSE Linux Enterprise Server 12 SP5|SUSE Linux Enterprise Server for SAP Applications 12 SP5
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0837-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0837-1
  • CVE-2022-24599
    QID: 354825
    Recently Published

    Amazon Linux Security Advisory for audiofile : ALAS2-2023-1997

    Severity
    Serious3
    Qualys ID
    354825
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-1997
    CVE Reference
    CVE-2022-24599
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description

    In autofile audio file library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file.
    The printfileinfo function calls the copyrightstring function to get data, however, it dosn't use zero bytes to truncate the data. (
    ( CVE-2022-24599)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-1997 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-1997
  • CVE-2023-0802
    QID: 906556
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (13378-1)

    Severity
    Serious3
    Qualys ID
    906556
    Date Published
    March 23, 2023
    Vendor Reference
    13378-1
    CVE Reference
    CVE-2023-0802
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13378-1
  • CVE-2023-0799
    QID: 906555
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (13382-1)

    Severity
    Serious3
    Qualys ID
    906555
    Date Published
    March 23, 2023
    Vendor Reference
    13382-1
    CVE Reference
    CVE-2023-0799
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13382-1
  • CVE-2023-1095
    QID: 906554
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (13808-1)

    Severity
    Serious3
    Qualys ID
    906554
    Date Published
    March 23, 2023
    Vendor Reference
    13808-1
    CVE Reference
    CVE-2023-1095
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13808-1
  • CVE-2023-0803
    QID: 906553
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (13384-1)

    Severity
    Serious3
    Qualys ID
    906553
    Date Published
    March 23, 2023
    Vendor Reference
    13384-1
    CVE Reference
    CVE-2023-0803
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13384-1
  • CVE-2023-0796
    QID: 906551
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (13380-1)

    Severity
    Serious3
    Qualys ID
    906551
    Date Published
    March 23, 2023
    Vendor Reference
    13380-1
    CVE Reference
    CVE-2023-0796
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13380-1
  • CVE-2023-0801
    QID: 906546
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (13381-1)

    Severity
    Serious3
    Qualys ID
    906546
    Date Published
    March 23, 2023
    Vendor Reference
    13381-1
    CVE Reference
    CVE-2023-0801
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13381-1
  • CVE-2023-22998
    QID: 906545
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (13754-1)

    Severity
    Serious3
    Qualys ID
    906545
    Date Published
    March 23, 2023
    Vendor Reference
    13754-1
    CVE Reference
    CVE-2023-22998
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13754-1
  • CVE-2023-25153
    QID: 906544
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (13608-1)

    Severity
    Serious3
    Qualys ID
    906544
    Date Published
    March 23, 2023
    Vendor Reference
    13608-1
    CVE Reference
    CVE-2023-25153
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for moby-containerd to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13608-1
  • CVE-2023-22490
    QID: 906542
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for git (13607-1)

    Severity
    Serious3
    Qualys ID
    906542
    Date Published
    March 23, 2023
    Vendor Reference
    13607-1
    CVE Reference
    CVE-2023-22490
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for git to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13607-1
  • CVE-2022-4645
    QID: 906540
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (13811-1)

    Severity
    Serious3
    Qualys ID
    906540
    Date Published
    March 23, 2023
    Vendor Reference
    13811-1
    CVE Reference
    CVE-2022-4645
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13811-1
  • CVE-2023-0798
    QID: 906539
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (13379-1)

    Severity
    Serious3
    Qualys ID
    906539
    Date Published
    March 23, 2023
    Vendor Reference
    13379-1
    CVE Reference
    CVE-2023-0798
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13379-1
  • CVE-2023-0804
    QID: 906538
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (13377-1)

    Severity
    Serious3
    Qualys ID
    906538
    Date Published
    March 23, 2023
    Vendor Reference
    13377-1
    CVE Reference
    CVE-2023-0804
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13377-1
  • CVE-2023-0797
    QID: 906536
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (13376-1)

    Severity
    Serious3
    Qualys ID
    906536
    Date Published
    March 23, 2023
    Vendor Reference
    13376-1
    CVE Reference
    CVE-2023-0797
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13376-1
  • CVE-2023-22999
    QID: 906535
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (13809-1)

    Severity
    Serious3
    Qualys ID
    906535
    Date Published
    March 23, 2023
    Vendor Reference
    13809-1
    CVE Reference
    CVE-2023-22999
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13809-1
  • CVE-2021-3522
    QID: 354836
    Recently Published

    Amazon Linux Security Advisory for gstreamer1-plugins-base : ALAS2-2023-2000

    Severity
    Serious3
    Qualys ID
    354836
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2-2023-2000
    CVE Reference
    CVE-2021-3522
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description

    A flaw was found in gstreamer-plugins-base where an out-of-bounds read when handling certain id3v2 tags is possible.
    The highest threat from this vulnerability is to system availability. (
    ( CVE-2021-3522)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2-2023-2000 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2-2023-2000
  • CVE-2022-4129
    QID: 354831
    Recently Published

    Amazon Linux Security Advisory for kernel : ALAS2KERNEL-5.15-2023-014

    Severity
    Serious3
    Qualys ID
    354831
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2KERNEL-5.15-2023-014
    CVE Reference
    CVE-2022-4129
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description

    A flaw was found in the linux kernel's layer 2 tunneling protocol (l2tp).
    A missing lock when clearing sk_user_data can lead to a race condition and null pointer dereference.
    A local user could use this flaw to potentially crash the system causing a denial of service. (
    ( CVE-2022-4129)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2KERNEL-5.15-2023-014 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2KERNEL-5.15-2023-014
  • CVE-2022-4129
    QID: 354829
    Recently Published

    Amazon Linux Security Advisory for kernel : ALAS2KERNEL-5.10-2023-027

    Severity
    Serious3
    Qualys ID
    354829
    Date Published
    March 23, 2023
    Vendor Reference
    ALAS2KERNEL-5.10-2023-027
    CVE Reference
    CVE-2022-4129
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description

    A flaw was found in the linux kernel's layer 2 tunneling protocol (l2tp).
    A missing lock when clearing sk_user_data can lead to a race condition and null pointer dereference.
    A local user could use this flaw to potentially crash the system causing a denial of service. (
    ( CVE-2022-4129)



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
    Solution
    Please refer to Amazon advisory: ALAS2KERNEL-5.10-2023-027 for affected packages and patching details, or update with your package manager.
    Patches
    amazon linux 2 ALAS2KERNEL-5.10-2023-027
  • CVE-2023-25165
    QID: 906537
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for helm (13557-1)

    Severity
    Medium2
    Qualys ID
    906537
    Date Published
    March 23, 2023
    Vendor Reference
    13557-1
    CVE Reference
    CVE-2023-25165
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for helm to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories:https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 13557-1
  • CVE-2016-10195+
    QID: 378109
    Recently Published

    Virtuozzo Linux Security Update for thunderbird (VZLSA-2017:1201)

    Severity
    Urgent5
    Qualys ID
    378109
    Date Published
    March 23, 2023
    Vendor Reference
    VZLSA-2017:1201
    CVE Reference
    CVE-2016-10195, CVE-2016-10196, CVE-2016-10197, CVE-2017-5429, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5449, CVE-2017-5451, CVE-2017-5454, CVE-2017-5459, CVE-2017-5460, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467, CVE-2017-5469
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Virtuozzo has released a security update for thunderbird to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1201 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1201
  • CVE-2016-9577+
    QID: 378110
    Recently Published

    Virtuozzo Linux Security Update for spice-server-devel (VZLSA-2017:0253)

    Severity
    Critical4
    Qualys ID
    378110
    Date Published
    March 23, 2023
    Vendor Reference
    VZLSA-2017:0253
    CVE Reference
    CVE-2016-9577, CVE-2016-9578
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Virtuozzo has released a security update for spice-server-devel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0253 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0253
  • QID: 753818
    Recently Published

    SUSE Enterprise Linux Security Update for dpdk (SUSE-SU-2023:0833-1)

    Severity
    Critical4
    Qualys ID
    753818
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0833-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise (Desktop|Server) 12 SP5
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0833-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0833-1
  • QID: 753817
    Recently Published

    SUSE Enterprise Linux Security Update for drbd (SUSE-SU-2023:0804-1)

    Severity
    Critical4
    Qualys ID
    753817
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0804-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server for SAP Applications Applications 12 SP5
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0804-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0804-1
  • QID: 753816
    Recently Published

    SUSE Enterprise Linux Security Update for oracleasm (SUSE-SU-2023:0843-1)

    Severity
    Critical4
    Qualys ID
    753816
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0843-1
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    SUSE has released a security update for suse_enterprise_linux to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP1|SUSE Linux Enterprise Server for SAP Applications 15 SP1
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0843-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0843-1
  • CVE-2019-2602+
    QID: 378108
    Recently Published

    Virtuozzo Linux Security Update for java-1.8.0-openjdk-demo (VZLSA-2019:0774)

    Severity
    Critical4
    Qualys ID
    378108
    Date Published
    March 23, 2023
    Vendor Reference
    VZLSA-2019:0774
    CVE Reference
    CVE-2019-2602, CVE-2019-2684, CVE-2019-2698
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Virtuozzo has released a security update for java-1.8.0-openjdk-demo to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2019:0774 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2019:0774
  • CVE-2017-1000366
    QID: 378114
    Recently Published

    Virtuozzo Linux Security Update for glibc-devel (VZLSA-2017:1480)

    Severity
    Critical4
    Qualys ID
    378114
    Date Published
    March 23, 2023
    Vendor Reference
    VZLSA-2017:1480
    CVE Reference
    CVE-2017-1000366
    CVSS Scores
    Base 7.8 / Temporal 7.2
    Description
    Virtuozzo has released a security update for glibc-devel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1480 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1480
  • CVE-2017-1000366
    QID: 378113
    Recently Published

    Virtuozzo Linux Security Update for glibc-devel (VZLSA-2017:1481)

    Severity
    Critical4
    Qualys ID
    378113
    Date Published
    March 23, 2023
    Vendor Reference
    VZLSA-2017:1481
    CVE Reference
    CVE-2017-1000366
    CVSS Scores
    Base 7.8 / Temporal 7.2
    Description
    Virtuozzo has released a security update for glibc-devel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:1481 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:1481
  • CVE-2017-6074+
    QID: 378112
    Recently Published

    Virtuozzo Linux Security Update for kernel-debug (VZLSA-2017:0323)

    Severity
    Critical4
    Qualys ID
    378112
    Date Published
    March 23, 2023
    Vendor Reference
    VZLSA-2017:0323
    CVE Reference
    CVE-2017-6074, CVE-2017-2634
    CVSS Scores
    Base 7.8 / Temporal 7.2
    Description
    Virtuozzo has released a security update for kernel-debug to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0323 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0323
  • CVE-2018-16509
    QID: 378106
    Recently Published

    Virtuozzo Linux Security Update for ghostscript-devel (VZLSA-2018:3760)

    Severity
    Critical4
    Qualys ID
    378106
    Date Published
    March 23, 2023
    Vendor Reference
    VZLSA-2018:3760
    CVE Reference
    CVE-2018-16509
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Virtuozzo has released a security update for ghostscript-devel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2018:3760 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2018:3760
  • CVE-2016-9445+
    QID: 378105
    Recently Published

    Virtuozzo Linux Security Update for gstreamer-plugins-bad-free (VZLSA-2017:0018)

    Severity
    Critical4
    Qualys ID
    378105
    Date Published
    March 23, 2023
    Vendor Reference
    VZLSA-2017:0018
    CVE Reference
    CVE-2016-9445, CVE-2016-9447, CVE-2016-9809
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Virtuozzo has released a security update for gstreamer-plugins-bad-free to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0018 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0018
  • CVE-2016-7030+
    QID: 378104
    Recently Published

    Virtuozzo Linux Security Update for ipa-server (VZLSA-2017:0001)

    Severity
    Critical4
    Qualys ID
    378104
    Date Published
    March 23, 2023
    Vendor Reference
    VZLSA-2017:0001
    CVE Reference
    CVE-2016-7030, CVE-2016-9575
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Virtuozzo has released a security update for ipa-server to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0001 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0001
  • CVE-2017-3135
    QID: 378111
    Recently Published

    Virtuozzo Linux Security Update for bind-pkcs11-utils (VZLSA-2017:0276)

    Severity
    Serious3
    Qualys ID
    378111
    Date Published
    March 23, 2023
    Vendor Reference
    VZLSA-2017:0276
    CVE Reference
    CVE-2017-3135
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Virtuozzo has released a security update for bind-pkcs11-utils to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2017:0276 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2017:0276
  • CVE-2019-2745+
    QID: 378107
    Recently Published

    Virtuozzo Linux Security Update for java-1.8.0-openjdk-demo (VZLSA-2019:1811)

    Severity
    Serious3
    Qualys ID
    378107
    Date Published
    March 23, 2023
    Vendor Reference
    VZLSA-2019:1811
    CVE Reference
    CVE-2019-2745, CVE-2019-2762, CVE-2019-2769, CVE-2019-2786, CVE-2019-2816, CVE-2019-2842
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    Virtuozzo has released a security update for java-1.8.0-openjdk-demo to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Virtuozzo security advisory VZLSA-2019:1811 for updates and patch information.
    Patches
    Virtuozzo Linux VZLSA-2019:1811
  • CVE-2022-47148
    QID: 150661
    Recently Published

    WordPress WooCommerce PDF Invoices and Packing Slips Plugin: Cross-Site Request Forgery Vulnerability (CVE-2022-47148)

    Severity
    Serious3
    Qualys ID
    150661
    Date Published
    March 23, 2023
    Vendor Reference
    Patchstack
    CVE Reference
    CVE-2022-47148
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    WooCommerce PDF Invoice and Packing Slips is a WooCommerce extension plugin that automatically adds a PDF invoice to the order confirmation emails sent out to your customers.

    The WordPress WooCommerce PDF Invoices and Packing Slips Plugin has been found to contain a security vulnerability known as Cross Site Request Forgery (CSRF). This vulnerability could potentially be exploited by an attacker to force users with higher privileges to perform unintended actions without their knowledge or consent. Such actions could include altering or deleting sensitive information, making unauthorized purchases, or performing other actions that could compromise the security and integrity of the system.

    Affected versions:
    WooCommerce PDF Invoice and Packing Slips prior to 3.2.6

    QID Detection Logic :
    This QID sends an HTTP GET request and retrieves a vulnerable version of a plugin running on the target application.

    Consequence
    Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of the interface or allow the attacker to access sensitive browser-based information.

    Solution
    Customers are advised to upgrade to WooCommerce PDF Invoice and Packing Slips 3.2.6 or later version to remediate this vulnerability.
    Patches
    patchstack
  • CVE-2022-36280+
    QID: 753810
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2023:0780-1)

    Severity
    Critical4
    Qualys ID
    753810
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0780-1
    CVE Reference
    CVE-2022-36280, CVE-2022-38096, CVE-2023-0045, CVE-2023-0590, CVE-2023-0597, CVE-2023-1118, CVE-2023-22995, CVE-2023-22998, CVE-2023-23000, CVE-2023-23006, CVE-2023-23559, CVE-2023-26545
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    SUSE has released a security update for kernel to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP3|SUSE Linux Enterprise Server for SAP Applications 15 SP3
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0780-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0780-1
  • CVE-2022-36280+
    QID: 753808
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2023:0778-1)

    Severity
    Critical4
    Qualys ID
    753808
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0778-1
    CVE Reference
    CVE-2022-36280, CVE-2022-38096, CVE-2023-0045, CVE-2023-0590, CVE-2023-0597, CVE-2023-1118, CVE-2023-22995, CVE-2023-23000, CVE-2023-23006, CVE-2023-23559, CVE-2023-26545
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    SUSE has released a security update for kernel to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP2|SUSE Linux Enterprise Server for SAP Applications 15 SP2
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0778-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0778-1
  • CVE-2021-4203+
    QID: 753807
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2023:0768-1)

    Severity
    Critical4
    Qualys ID
    753807
    Date Published
    March 23, 2023
    Vendor Reference
    SUSE-SU-2023:0768-1
    CVE Reference
    CVE-2021-4203, CVE-2022-2991, CVE-2022-36280, CVE-2022-38096, CVE-2022-4129, CVE-2023-0045, CVE-2023-0590, CVE-2023-0597, CVE-2023-1118, CVE-2023-23559, CVE-2023-26545
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    SUSE has released a security update for kernel to fix the vulnerabilities.

    Affected product(s):
    SUSE Linux Enterprise Server 15 SP1|SUSE Linux Enterprise Server for SAP Applications 15 SP1
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to SUSE security advisory SUSE-SU-2023:0768-1 for updates and patch information.
    Patches
    SUSE Enterprise Linux SUSE-SU-2023:0768-1
  • CVE-2023-22839
    QID: 378093
    Recently Published

    F5 BIG-IP Domain Name System (DNS), Local Traffic Manager (LTM) DNS Profile Vulnerability CVE-2023-22839 (K37708118)

    Severity
    Critical4
    Qualys ID
    378093
    Date Published
    March 23, 2023
    Vendor Reference
    K37708118
    CVE Reference
    CVE-2023-22839
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    When a DNS profile with the Rapid Response Mode setting enabled is configured on a virtual server with hardware SYN cookies enabled, undisclosed requests cause the Traffic Management Microkernel (TMM) to terminate. (CVE-2023-22839)

    Vulnerable Component: BIG-IP DNS,LTM

    Affected Versions:
    17.0.0
    16.1.0 - 16.1.3
    15.1.0 - 15.1.8
    14.1.0 - 14.1.5
    13.1.0 - 13.1.5

    QID Detection Logic(Authenticated):
    This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.

    Consequence
    Traffic is disrupted while the TMM process restarts. This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) on the BIG-IP system. There is no control plane exposure; this is a data plane issue only.

    Solution
    Please refer to K37708118 for more information.
    Patches
    K37708118
  • CVE-2022-27490
    QID: 378070
    Recently Published

    Fortinet FortiManager FortiAnalyzer Information Disclosure Vulnerability (FG-IR-18-232)

    Severity
    Serious3
    Qualys ID
    378070
    Date Published
    March 23, 2023
    Vendor Reference
    FG-IR-18-232
    CVE Reference
    CVE-2022-27490
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager and FortiAnalyzer may allow an attacker which has obtained access to a restricted administrative account to obtain sensitive information via `diagnose debug` commands.

    Affected Products:
    FortiManager version 6.0.0 through 6.0.4
    FortiAnalyzer version 6.0.0 through 6.0.4

    QID Detection Logic (Authenticated):
    Detection checks for vulnerable versions of FortiManager,FortiAnalyzer

    Consequence
    Successful exploitation of this vulnerability may lead to Information disclosure

    Solution

    Vendor has released fixes to address this vulnerability
    For more details refer advisory FG-IR-18-232

    Patches
    FG-IR-18-232
  • CVE-2022-41329
    QID: 43995
    Recently Published

    FortiOS Information Disclosure Vulnerability (FG-IR-22-364)

    Severity
    Serious3
    Qualys ID
    43995
    Date Published
    March 23, 2023
    Vendor Reference
    FG-IR-22-364
    CVE Reference
    CVE-2022-41329
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiOS and FortiProxy administrative interface may allow an unauthenticated attacker to obtain sensitive logging information on the device via crafted HTTP GET requests.

    Affected Versions:
    FortiOS version 7.2.0 through 7.2.3
    FortiOS version 7.0.0 through 7.0.9
    FortiOS version 6.4.0 through 6.4.11
    FortiOS version 6.2.3 and above

    QID Detection Logic (Authenticated):
    Detection checks for vulnerable version of FortiOS.

    Consequence
    Vulnerable OS may allow an unauthenticated attacker to obtain sensitive logging information on the device via crafted HTTP GET requests.

    Solution
    Fortinet has released patch addressing the vulnerability. For more information please refer to FG-IR-22-364
    Patches
    FG-IR-22-364
  • CVE-2023-25611
    QID: 378069
    Recently Published

    Fortinet FortiAnalyzer CSV injection Vulnerability (FG-IR-22-488)

    Severity
    Medium2
    Qualys ID
    378069
    Date Published
    March 23, 2023
    Vendor Reference
    FG-IR-22-488
    CVE Reference
    CVE-2023-25611
    CVSS Scores
    Base 7.3 / Temporal 6.4
    Description
    An improper neutralization of formula elements vulnerability in FortiAnalyzer may allow a local authenticated privileged attacker to execute arbitrary code on the end-user's host via inserting spreadsheet formulas in the macro names

    Affected Products:
    FortiAnalyzer version 7.2.0 through 7.2.1
    FortiAnalyzer version 7.0.0 through 7.0.6
    FortiAnalyzer 6.4 all versions

    QID Detection Logic (Authenticated):
    Detection checks for vulnerable versions of FortiAnalyzer.

    Consequence
    Successful exploitation may allow a local authenticated privileged attacker to execute arbitrary code

    Solution

    Vendor has released fixes to address this vulnerability
    For more details please refer advisory FG-IR-22-488

    Patches
    FG-IR-22-488
  • CVE-2022-36948+
    QID: 378066
    Recently Published

    Veritas NetBackup OpsCenter Multiple Vulnerabilities

    Severity
    Urgent5
    Qualys ID
    378066
    Date Published
    March 23, 2023
    Vendor Reference
    VTS22-009
    CVE Reference
    CVE-2022-36948, CVE-2022-36951, CVE-2022-36952, CVE-2022-36954, CVE-2022-23457
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Veritas NetBackup OpsCenter gives the user the ability to display customizable, multi-level views of backup and archive resources and customizable reports for tracking service usage and expenditures.

    Affected Versions:
    Veritas NetBackup OpsCenter 8.2.x and earlier
    Veritas NetBackup OpsCenter 8.3.x through 8.3.0.2.
    Veritas NetBackup OpsCenter 9.0.0.0
    Veritas NetBackup OpsCenter 9.1.0.0

    Veritas NetBackup OpsCenter 10.0.0.0

    QID Detection Logic (Authenticated):
    Operating Systems: Windows
    The QID checks for the registry to check the vulnerable version.

    Note: QID is marked potential since there is no current check for hotfixes.

    Consequence
    An attacker can comprise the Veritas NetBackup via Multiple Attack Vectors.

    Solution
    The vendor has issued a fix for these vulnerabilities. Please refer to the vendor advisory VTS22-009 which addresses this issue.

    Patches
    VTS22-009
  • CVE-2018-15328
    QID: 378016
    Recently Published

    F5 BIG-IP Simple Network Management Protocol (SNMP) Vulnerability (K42027747)

    Severity
    Critical4
    Qualys ID
    378016
    Date Published
    March 23, 2023
    Vendor Reference
    K42027747
    CVE Reference
    CVE-2018-15328
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    The passphrases for SNMPv3 users and trap destinations that are used for authentication and privacy are not handled by the BIG-IP system Secure Vault feature; they are written in the clear to the various configuration files.CVE-2018-15328

    Vulnerable Component: BIG-IP ASM,APM,LTM

    Affected Versions:
    14.0.0
    13.0.0 - 13.1.1
    12.1.0 - 12.1.4
    11.2.1 - 11.6.3

    QID Detection Logic(Authenticated):
    This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.

    Consequence
    BIG-IP, BIG-IQ, F5 iWorkflow, and Enterprise Manager

    Solution
    For more information about patch details please refer to K42027747
    Patches
    K42027747
  • CVE-2019-6597
    QID: 378015
    Recently Published

    F5 BIG-IP Configuration utility Vulnerability (K29280193)

    Severity
    Critical4
    Qualys ID
    378015
    Date Published
    March 23, 2023
    Vendor Reference
    K29280193
    CVE Reference
    CVE-2019-6597
    CVSS Scores
    Base 7.2 / Temporal 6.3
    Description
    When authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.CVE-2019-6597

    Vulnerable Component: BIG-IP ASM,APM,LTM

    Affected Versions:
    13.0.0 - 13.1.1
    12.1.0 - 12.1.3
    11.6.1 - 11.6.311.5.1 - 11.5.8

    QID Detection Logic(Authenticated):
    This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.

    Consequence
    This vulnerability allows a privilege escalation for authenticated administrative users.

    Solution
    For more information about patch details please refer to K29280193
    Patches
    K29280193
  • CVE-2023-1533+
    QID: 378123
    Recently Published

    Google Chrome Prior to 111.0.5563.110 Multiple Vulnerabilities

    Severity
    Critical4
    Qualys ID
    378123
    Date Published
    March 22, 2023
    Vendor Reference
    Google Chrome 111.0.5563.110
    CVE Reference
    CVE-2023-1533, CVE-2023-1530, CVE-2023-1529, CVE-2023-1531, CVE-2023-1532, CVE-2023-1534, CVE-2023-1528
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Chrome has released security updates for Windows, Mac, and Linux to fix the vulnerabilities.


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Chrome security advisory 111.0.5563.110 for updates and patch information.
    Patches
    Google Chrome 111.0.5563.110
  • CVE-2023-28164+
    QID: 940961
    Recently Published

    AlmaLinux Security Update for firefox (ALSA-2023:1337)

    Severity
    Critical4
    Qualys ID
    940961
    Date Published
    March 22, 2023
    Vendor Reference
    ALSA-2023:1337
    CVE Reference
    CVE-2023-28164, CVE-2023-25752, CVE-2023-28176, CVE-2023-25751, CVE-2023-28162
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    AlmaLinux has released a security update for firefox to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2023:1337 for updates and patch information.
    Patches
    AlmaLinux ALSA-2023:1337
  • CVE-2023-28164+
    QID: 940960
    Recently Published

    AlmaLinux Security Update for firefox (ALSA-2023:1336)

    Severity
    Critical4
    Qualys ID
    940960
    Date Published
    March 22, 2023
    Vendor Reference
    ALSA-2023:1336
    CVE Reference
    CVE-2023-28164, CVE-2023-25752, CVE-2023-28176, CVE-2023-25751, CVE-2023-28162
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    AlmaLinux has released a security update for firefox to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2023:1336 for updates and patch information.
    Patches
    AlmaLinux ALSA-2023:1336
  • CVE-2023-0767
    QID: 160514
    Recently Published

    Oracle Enterprise Linux Security Update for nss (ELSA-2023-1368)

    Severity
    Critical4
    Qualys ID
    160514
    Date Published
    March 22, 2023
    Vendor Reference
    ELSA-2023-1368
    CVE Reference
    CVE-2023-0767
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for nss security and bug fix update to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch.Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2023-1368
    Patches
    Oracle Linux ELSA-2023-1368
  • CVE-2023-23454+
    QID: 160516
    Recently Published

    Oracle Enterprise Linux Security Update for unbreakable enterprise kernel (ELSA-2023-12206)

    Severity
    Critical4
    Qualys ID
    160516
    Date Published
    March 22, 2023
    Vendor Reference
    ELSA-2023-12206
    CVE Reference
    CVE-2023-23454, CVE-2023-23455, CVE-2022-45885, CVE-2022-2873, CVE-2022-47929, CVE-2022-45884, CVE-2023-0394, CVE-2022-45919, CVE-2022-41218, CVE-2022-45887, CVE-2022-45934, CVE-2022-45886
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security update for unbreakable enterprise kernel to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch.Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2023-12206
    Patches
    Oracle Linux ELSA-2023-12206
  • CVE-2023-23454+
    QID: 160515
    Recently Published

    Oracle Enterprise Linux Security Update for unbreakable enterprise kernel-container (ELSA-2023-12207)

    Severity
    Critical4
    Qualys ID
    160515
    Date Published
    March 22, 2023
    Vendor Reference
    ELSA-2023-12207
    CVE Reference
    CVE-2023-23454, CVE-2023-23455, CVE-2022-45885, CVE-2022-2873, CVE-2022-47929, CVE-2022-45884, CVE-2022-45919, CVE-2023-0394, CVE-2022-41218, CVE-2022-45887, CVE-2022-45934, CVE-2022-45886
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security update for unbreakable enterprise kernel-container to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch.Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2023-12207
    Patches
    Oracle Linux ELSA-2023-12207
  • CVE-2023-25725
    QID: 770180
    Recently Published

    Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:1268)

    Severity
    Urgent5
    Qualys ID
    770180
    Date Published
    March 22, 2023
    Vendor Reference
    RHSA-2023:1268
    CVE Reference
    CVE-2023-25725
    CVSS Scores
    Base 9.1 / Temporal 7.9
    Description

    Red Hat openshift container platform is Red Hat's cloud computing kubernetes application platform solution designed for on-premise or private cloud deployments.

    Security Fix(es):
    • haproxy: request smuggling attack in http/1 header parsing (cve-2023-25725)

    <H2></H2>

    • Red Hat openshift container platform 4.12 for rhel 9 x86_64
    • Red Hat openshift container platform 4.12 for rhel 8 x86_64
    • Red Hat openshift container platform for power 4.12 for rhel 9 ppc64le
    • Red Hat openshift container platform for power 4.12 for rhel 8 ppc64le
    • Red Hat openshift container platform for ibm z and linuxone 4.12 for rhel 9 s390x
    • Red Hat openshift container platform for ibm z and linuxone 4.12 for rhel 8 s390x
    • Red Hat openshift container platform for arm 64 4.12 for rhel 9 aarch64
    • Red Hat openshift container platform for arm 64 4.12 for rhel 8 aarch64



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1268 for updates and patch information.
    Patches
    Red Hat Enterprise Linux CoreOS RHSA-2023:1268
  • CVE-2023-25725
    QID: 241280
    Recently Published

    Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:1268)

    Severity
    Urgent5
    Qualys ID
    241280
    Date Published
    March 22, 2023
    Vendor Reference
    RHSA-2023:1268
    CVE Reference
    CVE-2023-25725
    CVSS Scores
    Base 9.1 / Temporal 7.9
    Description
    Red hat openshift container platform is Red Hat's cloud computing kubernetes application platform solution designed for on-premise or private cloud deployments...Security Fix(es):
      haproxy: request smuggling attack in http/1 header parsing (cve-2023-25725).
    <H2></H2>
      Red Hat openshift container platform 4.12 for rhel 9 x86_64.
      Red hat openshift container platform 4.12 for rhel 8 x86_64.
      Red hat openshift container platform for power 4.12 for rhel 9 ppc64le.
      Red hat openshift container platform for power 4.12 for rhel 8 ppc64le.
      Red hat openshift container platform for ibm z and linuxone 4.12 for rhel 9 s390x.
      Red hat openshift container platform for ibm z and linuxone 4.12 for rhel 8 s390x.
      Red hat openshift container platform for arm 64 4.12 for rhel 9 aarch64.
      Red hat openshift container platform for arm 64 4.12 for rhel 8 aarch64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1268 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1268
  • CVE-2022-23521+
    QID: 378118
    Recently Published

    Alibaba Cloud Linux Security Update for git (ALINUX2-SA-2023:0012)

    Severity
    Critical4
    Qualys ID
    378118
    Date Published
    March 22, 2023
    Vendor Reference
    ALINUX2-SA-2023:0012
    CVE Reference
    CVE-2022-23521, CVE-2022-41903
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Alibaba Cloud Linux has released a security update for git to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to Alibaba Cloud Linux security advisory ALINUX2-SA-2023:0012 for updates and patch information.
    Patches
    Alibaba Cloud Linux ALINUX2-SA-2023:0012
  • CVE-2023-0255
    QID: 730767
    Recently Published

    WordPress Plugin Enable Media Replace Arbitrary File Upload Vulnerability

    Severity
    Critical4
    Qualys ID
    730767
    Date Published
    March 22, 2023
    Vendor Reference
    Enable Media Replace Plugin Release Notes
    CVE Reference
    CVE-2023-0255
    CVSS Scores
    Base 8.8 / Temporal 7.9
    Description
    Enable Media Replace is a free, lightweight and easy to use plugin that allows you to seamlessly replace an image or file in your Media Library by uploading a new file in its place.

    WordPress plugin Enable Media Replace before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.

    Affected Versions:
    Enable Media Replace plugin versions prior to 4.0.2

    QID Detection Logic(Unauthenticated): This unauthenticated detection depends on the BlindElephant engine to detect the vulnerable version of the Enable Media Replace plugin.

    Consequence
    Successful exploitation of this vulnerability may allow remote attacker to upload and execute arbitrary code on the target system.
    Solution
    Customers are advised to install Enable Media Replace 4.0.2 or later version to remediate this vulnerability.
    Patches
    Enable Media Replace Plugin Release Notes
  • CVE-2023-0767
    QID: 241282
    Recently Published

    Red Hat Update for nss (RHSA-2023:1370)

    Severity
    Critical4
    Qualys ID
    241282
    Date Published
    March 22, 2023
    Vendor Reference
    RHSA-2023:1370
    CVE Reference
    CVE-2023-0767
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Network security services (nss) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications...Security Fix(es):
      nss: arbitrary memory write via pkcs 12 (cve-2023-0767).
    Affected Products:
      Red Hat enterprise linux for x86_64 - extended update support 8.4 x86_64.
      Red hat enterprise linux server - aus 8.4 x86_64.
      Red hat enterprise linux for ibm z systems - extended update support 8.4 s390x.
      Red hat enterprise linux for power, little endian - extended update support 8.4 ppc64le.
      Red hat enterprise linux server - tus 8.4 x86_64.
      Red hat enterprise linux for arm 64 - extended update support 8.4 aarch64.
      Red hat enterprise linux server for power le - update services for sap solutions 8.4 ppc64le.
      Red hat enterprise linux for x86_64 - update services for sap solutions 8.4 x86_64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1370 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1370
  • CVE-2023-0767
    QID: 241281
    Recently Published

    Red Hat Update for nss (RHSA-2023:1369)

    Severity
    Critical4
    Qualys ID
    241281
    Date Published
    March 22, 2023
    Vendor Reference
    RHSA-2023:1369
    CVE Reference
    CVE-2023-0767
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Network security services (nss) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications...Security Fix(es):
      nss: arbitrary memory write via pkcs 12 (cve-2023-0767).
    Affected Products:
      Red Hat enterprise linux for x86_64 - extended update support 8.6 x86_64.
      Red hat enterprise linux server - aus 8.6 x86_64.
      Red hat enterprise linux for ibm z systems - extended update support 8.6 s390x.
      Red hat enterprise linux for power, little endian - extended update support 8.6 ppc64le.
      Red hat enterprise linux server - tus 8.6 x86_64.
      Red hat enterprise linux for arm 64 - extended update support 8.6 aarch64.
      Red hat enterprise linux server for power le - update services for sap solutions 8.6 ppc64le.
      Red hat enterprise linux for x86_64 - update services for sap solutions 8.6 x86_64.
    .

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2023:1369 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2023:1369
  • CVE-2023-0767
    QID: 241279
    Recently Published

    Red Hat Update for nss (RHSA-2023:1365)

    Severity
    Critical4
    Qualys ID
    241279
    Date Published
    March 22, 2023
    Vendor Reference
    RHSA-2023:1365
    CVE Reference