Headline
glibc syslog() Heap-Based Buffer Overflow
Qualys discovered a heap-based buffer overflow in the GNU C Library's __vsyslog_internal() function, which is called by both syslog() and vsyslog(). This vulnerability was introduced in glibc 2.37 (in August 2022) and was also backported to glibc 2.36.
Qualys Security Advisory

CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog()


========================================================================
Contents
========================================================================

Summary
Analysis
Proof of concept
Exploitation
Acknowledgments
Timeline


========================================================================
Summary
========================================================================

We discovered a heap-based buffer overflow in the GNU C Library's
__vsyslog_internal() function, which is called by both syslog() and
vsyslog(). This vulnerability was introduced in glibc 2.37 (in August
2022) by the following commit:

  https://sourceware.org/git?p=glibc.git;a=commit;h=52a5be0df411ef3ff45c10c7c308cb92993d15b1

and was also backported to glibc 2.36 because this commit was a fix for
another, minor vulnerability in __vsyslog_internal() (CVE-2022-39046, an
"uninitialized memory [read] from the heap"):

  https://sourceware.org/bugzilla/show_bug.cgi?id=29536

For example, we confirmed that Debian 12 and 13, Ubuntu 23.04 and 23.10,
and Fedora 37 to 39 are vulnerable to this buffer overflow. Furthermore,
we successfully exploited an up-to-date, default installation of Fedora
38 (on amd64): a Local Privilege Escalation, from any unprivileged user
to full root. Other distributions are probably also exploitable.

To the best of our knowledge, this vulnerability cannot be triggered
remotely in any likely scenario (because it requires an argv[0], or an
openlog() ident argument, longer than 1024 bytes to be triggered).

Last-minute note: in December 1997 Solar Designer published information
about a very similar vulnerability in the vsyslog() of the old Linux
libc (https://insecure.org/sploits/linux.libc.5.4.38.vsyslog.html).


========================================================================
Analysis
========================================================================

In the glibc, both syslog() and vsyslog() call the vulnerable function
__vsyslog_internal():

------------------------------------------------------------------------
122 __vsyslog_internal (int pri, const char *fmt, va_list ap,
123                     unsigned int mode_flags)
124 {
125   /* Try to use a static buffer as an optimization.  */
126   char bufs[1024];
127   char *buf = NULL;
128   size_t bufsize = 0;
...
171 #define SYSLOG_HEADER(__pri, __timestamp, __msgoff, pid) \
172   "<%d>%s%n%s%s%.0d%s: ", \
173   __pri, __timestamp, __msgoff, \
174   LogTag == NULL ? __progname : LogTag, \
175   "[" + (pid == 0), pid, "]" + (pid == 0)
...
182   l = __snprintf (bufs, sizeof bufs,
183                   SYSLOG_HEADER (pri, timestamp, &msgoff, pid));
...
187   if (0 <= l && l < sizeof bufs)
188     {
...
202     }
203 
204   if (buf == NULL)
205     {
206       buf = malloc ((bufsize + 1) * sizeof (char));
...
213       __snprintf (buf, l + 1,
214                   SYSLOG_HEADER (pri, timestamp, &msgoff, pid));
...
221       __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc,
222                             mode_flags);
------------------------------------------------------------------------

- at lines 182-183, SYSLOG_HEADER() includes __progname (the basename()
  of argv[0]) if LogTag is NULL (e.g., if openlog() was not called, or
  called with a NULL ident argument);

- because a local attacker fully controls argv[0] and hence __progname
  (even when executing a SUID-root program such as su), at line 187 l
  (the return value of __snprintf()) can be larger than sizeof bufs
  (1024), in which case the code block at lines 188-202 is skipped;

- consequently, at line 204 buf is still NULL and bufsize is still 0,
  and at line 206 a very small 1-byte buf is malloc()ated (because
  bufsize is 0);

- at lines 213-214 this small buf is overflowed with the attacker-
  controlled __progname (because l is larger than 1024), and at lines
  221-222 this small buf is further overflowed (because bufsize - l + 1
  is 0 - l + 1, a very large size_t).


========================================================================
Proof of concept
========================================================================

$ (exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null)
Password: 
Segmentation fault (core dumped)


========================================================================
Exploitation
========================================================================

We decided to exploit this vulnerability through su (the most common
SUID-root program) on Fedora 38. To authenticate a user, su calls the
PAM library, and if the password provided by the user is incorrect, then
PAM calls the glibc's syslog() function without calling openlog() first,
thus allowing us to trigger the buffer overflow in __vsyslog_internal():

------------------------------------------------------------------------
782         pam_syslog(pamh, LOG_NOTICE,
783                    "authentication failure; "
784                    "logname=%s uid=%d euid=%d "
785                    "tty=%s ruser=%s rhost=%s "
786                    "%s%s",
787                    new->name, new->uid, new->euid,
788                    tty ? (const char *)tty : "",
789                    ruser ? (const char *)ruser : "",
790                    rhost ? (const char *)rhost : "",
791                    (new->user && new->user[0] != '\0')
792                        ? " user=" : "",
793                    new->user
794                    );
------------------------------------------------------------------------
107 pam_syslog (const pam_handle_t *pamh, int priority,
108             const char *fmt, ...)
109 {
...
113   pam_vsyslog (pamh, priority, fmt, args);
------------------------------------------------------------------------
 73 pam_vsyslog (const pam_handle_t *pamh, int priority,
 74              const char *fmt, va_list args)
 75 {
 ..
 81   if (asprintf (&msgbuf1, "%s(%s:%s):", pamh->mod_name,
 82                 pamh->service_name?pamh->service_name:"<unknown>",
 83                 _pam_choice2str (pamh->choice)) < 0)
 ..
 91   if (vasprintf (&msgbuf2, fmt, args) < 0)
 ..
 99   syslog (LOG_AUTHPRIV|priority, "%s %s",
100           (msgbuf1 ? msgbuf1 : _PAM_SYSTEM_LOG_PREFIX), msgbuf2);
------------------------------------------------------------------------

But what should we overwrite in the heap to successfully exploit this
buffer overflow? Initially, because su calls setlocale(LC_ALL, ""); at
the very beginning of its su_main() function, we tried to reuse the key
idea from our Baron Samedit exploits (CVE-2021-3156 in Sudo): we wrote a
rudimentary fuzzer to execute su with a random argv[0] and random locale
environment variables and automatically inspect the resulting crashes in
gdb. Unfortunately this fuzzer failed to produce interesting results: we
only obtained a handful of unique crashes, and they did not look very
promising.

However, we did not investigate the reasons for this failure, because
while browsing through su's source code we noticed that su_main() calls
env_whitelist_from_string() to parse the argument of the -w command-line
option:

------------------------------------------------------------------------
1118         case 'w':
1119                 env_whitelist_from_string(su, optarg);
1120                 break;
------------------------------------------------------------------------
 692 static int env_whitelist_from_string(struct su_context *su, const char *str)
 693 {
 694         char **all = strv_split(str, ",");
 ...
 703         STRV_FOREACH(one, all)
 704                 env_whitelist_add(su, *one);
 705         strv_free(all);
 706         return 0;
 707 }
------------------------------------------------------------------------
 662 static int env_whitelist_add(struct su_context *su, const char *name)
 663 {
 664         const char *env = getenv(name);
 665 
 666         if (!env)
 667                 return 1;
 668         if (strv_extend(&su->env_whitelist_names, name))
 669                 err_oom();
 670         if (strv_extend(&su->env_whitelist_vals, env))
 671                 err_oom();
 672         return 0;
 673 }
------------------------------------------------------------------------

Conveniently, env_whitelist_from_string() allows us (attackers) to
malloc()ate and free() an arbitrary number of arbitrary strings at the
very beginning of su's execution: an almost perfect heap feng shui. We
therefore rewrote our fuzzer to execute su with a random argv[0] and a
random whitelist option (instead of random locale environment variables)
and immediately observed numerous unique crashes; among these, three in
particular caught our attention.


========================================================================
1/ Corruption of PAM structures
========================================================================

Surprisingly, our fuzzer directly overwrote two PAM function pointers
(in struct pam_data and struct handler):

------------------------------------------------------------------------
Thread 2.1 "su" received signal SIGSEGV, Segmentation fault.
0x00007fa7d3b0e3ac in _pam_free_data (status=7, pamh=0x56211242ec10) at /usr/src/debug/pam-1.5.2-16.fc38.x86_64/libpam/pam_data.c:161
161         last->cleanup(pamh, last->data, status);
...
=> 0x7fa7d3b0e3ac <pam_end+92>:     call   *%rax
rax            0x4141414141414141  4702111234474983745
------------------------------------------------------------------------
Thread 2.1 "su" received signal SIGSEGV, Segmentation fault.
0x00007f928b5e5781 in _pam_dispatch_aux (use_cached_chain=<optimized out>, resumed=<optimized out>, h=0x55f2e374aae0, flags=0, pamh=0x55f2e374aae0) at /usr/src/debug/pam-1.5.2-16.fc38.x86_64/libpam/pam_dispatch.c:110
110         retval = h->func(pamh, flags, h->argc, h->argv);
...
=> 0x7f928b5e5781 <_pam_dispatch+465>:      call   *%rax
rax            0x4545454545454545  4991471925827290437
------------------------------------------------------------------------

Although this sounds exciting at first (a call to 0x4141414141414141!)
we decided to not pursue this avenue of exploitation:

- we cannot overwrite such a function pointer with null bytes (because
  we overflow __vsyslog_internal()'s buffer with a null-terminated
  string), but userland addresses contain at least two null bytes;

- we could try to partially overwrite such a function pointer, but we
  do not control the end of the string that overflows
  __vsyslog_internal()'s buffer (the end of the aforementioned
  pam_syslog() format string), and such an uncontrolled, partially
  overwritten function pointer is very unlikely to miraculously point
  to a useful ROP gadget.


========================================================================
2/ Corruption of heap metadata
========================================================================

Unsurprisingly, our fuzzer also overwrote various pieces of heap
metadata (chunk headers managed internally by the glibc's malloc), and
therefore triggered all kinds of assertion failures and security checks:

------------------------------------------------------------------------
$ grep -A1 __libc_message fuzzer.out | cut -d'"' -f2 | sort -u
...
chunk_main_arena (bck->bk)
chunk_main_arena (fwd)
corrupted double-linked list
corrupted double-linked list (not small)
corrupted size vs. prev_size
corrupted size vs. prev_size in fastbins
double free or corruption (out)
free(): corrupted unsorted chunks
free(): invalid next size (fast)
free(): invalid pointer
free(): invalid size
malloc_consolidate(): invalid chunk size
malloc(): corrupted top size
malloc(): invalid size (unsorted)
malloc(): smallbin double linked list corrupted
malloc(): unaligned tcache chunk detected
malloc(): unsorted double linked list corrupted
munmap_chunk(): invalid pointer
------------------------------------------------------------------------

Although some of these corruptions might be exploitable, we decided to
not pursue this avenue of exploitation either:

- we cannot overwrite a chunk header with a size field and an fd or bk
  pointer that are both valid (they must both contain null bytes to be
  valid), which severely limits our exploitation options;

- in any case, we would probably need a specific heap, mmap, or stack
  address to exploit such a corruption, but we do not have the luxury
  of an information leak, and all these addresses are too heavily
  randomized by ASLR to be brute forced.


========================================================================
3/ Corruption of nss structures
========================================================================

Our fuzzer also produced two crashes that immediately caught our
attention because they are directly related to one of the techniques
that we used to exploit Baron Samedit:

------------------------------------------------------------------------
Thread 2.1 "su" received signal SIGSEGV, Segmentation fault.
__GI___nss_lookup (ni=ni@entry=0x7ffe876a05e8, fct_name=fct_name@entry=0x7fbba214e4e7 "getpwnam_r", fct2_name=fct2_name@entry=0x0, fctp=fctp@entry=0x7ffe876a05f0) at nsswitch.c:67
67        *fctp = __nss_lookup_function (*ni, fct_name);
...
=> 0x7fbba20ec50e <__GI___nss_lookup+30>:   mov    (%rax),%rdi
rax            0x4141414141414141  4702111234474983745
------------------------------------------------------------------------
Thread 2.1 "su" received signal SIGSEGV, Segmentation fault.
__nss_module_get_function (module=0x4141414141414141, name=name@entry=0x7f0aed9034e7 "getpwnam_r") at nss_module.c:328
328       if (!__nss_module_load (module))
...
=> 0x7f0aed8a34b7 <__nss_module_get_function+39>:   mov    (%rdi),%eax
rdi            0x4141414141414141  4702111234474983745
------------------------------------------------------------------------

As discussed in the "2/ struct service_user overwrite" subsection of our
Baron Samedit advisory, if we overwrite the name[] field of a heap-based
struct nss_module with a string of characters that contains a slash (for
example "A/B/C"), then at lines 180-181 the name of a shared library is
constructed ("libnss_A/B/C.so.2"), and at line 187 this shared library
is loaded from our current working directory (because its name contains
a slash, but does not start with a slash) and executed as root (because
su is a SUID-root program):

------------------------------------------------------------------------
170 module_load (struct nss_module *module)
171 {
...
180   if (__asprintf (&shlib_name, "libnss_%s.so%s",
181                   module->name, __nss_shlib_revision) < 0)
...
187   handle = __libc_dlopen (shlib_name);
------------------------------------------------------------------------

Unfortunately, the __progname part (which we control) of the string that
overflows __vsyslog_internal()'s buffer cannot contain a slash (because
__progname is the basename() of argv[0]). Luckily, however, the part of
the overflowing string that we do not control (the pam_syslog() format
string) includes the absolute path of our tty, which contains a slash.

For example, if:

- our tty is /dev/pts/23 (we use forkpty() in our exploit);

- our unprivileged local user is nobody (uid 65534);

- the argv[0] (and hence __progname) that we use to execute su is a long
  string of 'A' characters (longer than 1024);

then we can overwrite the name[] field of a heap-based struct nss_module
with a string of the form:

  "AAAAAAAAAA: pam_unix(su:auth): authentication failure; logname= uid=65534 euid=0 tty=/dev/pts/23 ruser=nobody rhost= user=root"

Consequently, if we first create the following three directories (in our
current working directory):

  "libnss_AAAAAAAAAA: pam_unix(su:auth): authentication failure; logname= uid=65534 euid=0 tty="
  "libnss_AAAAAAAAAA: pam_unix(su:auth): authentication failure; logname= uid=65534 euid=0 tty=/dev"
  "libnss_AAAAAAAAAA: pam_unix(su:auth): authentication failure; logname= uid=65534 euid=0 tty=/dev/pts"

and also create the following shared library (in our current working
directory):

  "libnss_AAAAAAAAAA: pam_unix(su:auth): authentication failure; logname= uid=65534 euid=0 tty=/dev/pts/23 ruser=nobody rhost= user=root.so.2"

then this shared library will eventually be loaded and executed with
full root privileges. In our tests, it takes a few 10,000s of tries to
successfully brute force the exploit parameters (the length of argv[0],
and the whitelist option and its associated environment variables).

Note: this exploit could certainly be made much more efficient; in
theory, it could even be a one-shot exploit, because we do not need to
brute force the ASLR, only the heap layout.


========================================================================
Acknowledgments
========================================================================

We thank the glibc developers (Carlos O'Donell, Siddhesh Poyarekar,
Arjun Shankar, Florian Weimer, and Adhemerval Zanella in particular),
Red Hat Product Security (Guilherme Suckevicz in particular), and the
members of linux-distros@openwall (Salvatore Bonaccorso in particular).


========================================================================
Timeline
========================================================================

2023-11-07: We sent a preliminary draft of our advisory to Red Hat
Product Security.

2023-11-15: Red Hat Product Security acknowledged receipt of our email.

2023-11-16: Red Hat Product Security asked us if we could share our
exploit with them.

2023-11-17: We sent our exploit to Red Hat Product Security.

2023-11-21: Red Hat Product Security confirmed that our exploit worked,
and assigned CVE-2023-6246 to this heap-based buffer overflow in
__vsyslog_internal().

2023-12-05: Red Hat Product Security sent us a patch for CVE-2023-6246
(written by the glibc developers), and asked us for our feedback.

2023-12-07: While reviewing this patch, we discovered two more minor
vulnerabilities in the same function (an off-by-one buffer overflow and
an integer overflow). We immediately sent an analysis, proof of concept,
and patch proposal to Red Hat Product Security, and suggested that we
directly involve the glibc security team.

2023-12-08: Red Hat Product Security acknowledged receipt of our email,
and agreed that we should directly involve the glibc security team. We
contacted them on the same day, and they immediately replied with very
constructive comments.

2023-12-11: The glibc security team suggested that we postpone the
coordinated disclosure of all three vulnerabilities until January 2024
(because of the upcoming holiday season). We agreed.

2023-12-13: Red Hat Product Security assigned CVE-2023-6779 to the
off-by-one buffer overflow and CVE-2023-6780 to the integer overflow in
__vsyslog_internal().

2024-01-04: We suggested either January 23 or January 30 for the
Coordinated Release Date of these vulnerabilities. The glibc developers
agreed on January 30.

2024-01-12: The glibc developers sent us an updated version of the
patches for these vulnerabilities.

2024-01-13: We reviewed these patches, and sent our feedback to the
glibc developers.

2024-01-15: The glibc developers sent us the final version of the
patches for these vulnerabilities.

2024-01-16: We sent these patches and a draft of our advisory to the
linux-distros@openwall. They immediately acknowledged receipt of our
email.

2024-01-30: Coordinated Release Date (18:00 UTC).
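The size arithmetic that the Analysis section walks through (lines 182-222 of __vsyslog_internal()) is easy to misread, so here is a small model of it in C. This is an added example, not code from the Qualys advisory or from glibc: vulnerable_sizes() mirrors the quoted control flow on the heap path (buf == NULL) and only computes the three sizes involved instead of performing the writes; fixed_sizes() is this example's own corrected arithmetic, not the glibc patch; format_line() is a formatter built on that corrected arithmetic (timestamp and LogTag left out, the header format otherwise follows SYSLOG_HEADER()). The header length is passed in as a number rather than derived from a real timestamp and progname.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFS_SIZE 1024 /* sizeof bufs in __vsyslog_internal() (line 126) */

/* The sizes that matter in the quoted code. */
struct sizes {
    size_t l;          /* header length as reported by __snprintf() (line 182) */
    size_t alloc;      /* bytes passed to malloc() for buf (line 206)          */
    size_t header_cap; /* size argument of the header __snprintf() (line 213)  */
    size_t body_cap;   /* size argument of __vsnprintf_internal() (line 221)   */
};

/* Model of the vulnerable control flow, heap path only (buf == NULL).
 * header_len stands for the length "<pri>timestamp progname[pid]: " would
 * have; body_len for the formatted message length.  Nothing is written. */
static struct sizes vulnerable_sizes(size_t header_len, size_t body_len)
{
    struct sizes s;
    size_t bufsize = 0;               /* line 128 */
    s.l = header_len;                 /* lines 182-183 */
    if (s.l < BUFS_SIZE)              /* line 187 */
        bufsize = s.l + body_len;     /* set inside lines 188-202 */
    /* header did not fit bufs: bufsize is still 0 when we get here */
    s.alloc = bufsize + 1;            /* line 206: a 1-byte buffer */
    s.header_cap = s.l + 1;           /* line 213: l+1 bytes into that buffer */
    s.body_cap = bufsize - s.l + 1;   /* line 221: wraps to almost SIZE_MAX */
    return s;
}

/* This example's corrected arithmetic (not the glibc patch): the heap buffer
 * is sized from the full header length whether or not the header fit bufs. */
static struct sizes fixed_sizes(size_t header_len, size_t body_len)
{
    struct sizes s;
    size_t bufsize = header_len + body_len;
    s.l = header_len;
    s.alloc = bufsize + 1;
    s.header_cap = s.l + 1;
    s.body_cap = bufsize - s.l + 1;   /* == body_len + 1, cannot wrap */
    return s;
}

/* 1 if either write would run past the allocation, 0 otherwise. */
static int overflows(struct sizes s)
{
    if (s.header_cap > s.alloc)
        return 1;
    size_t room_after_header = s.l < s.alloc ? s.alloc - s.l : 0;
    return s.body_cap > room_after_header;
}

/* A formatter built on fixed_sizes(): returns a malloc()ed
 * "<pri>progname[pid]: msg" line (timestamp left out) or NULL. */
static char *format_line(int pri, const char *progname, int pid, const char *msg)
{
    const char *lb = pid ? "[" : "", *rb = pid ? "]" : "";
    char bufs[BUFS_SIZE];
    int l = snprintf(bufs, sizeof bufs, "<%d>%s%s%.0d%s: ", pri, progname, lb, pid, rb);
    if (l < 0)
        return NULL;
    struct sizes s = fixed_sizes((size_t)l, strlen(msg));
    char *buf = malloc(s.alloc);
    if (!buf)
        return NULL;
    if ((size_t)l < sizeof bufs)
        memcpy(buf, bufs, (size_t)l);   /* header fit the static buffer: reuse it */
    else                                 /* header was truncated: render it again */
        snprintf(buf, s.header_cap, "<%d>%s%s%.0d%s: ", pri, progname, lb, pid, rb);
    snprintf(buf + l, s.body_cap, "%s", msg);
    return buf;
}

int main(void)
{
    struct sizes v = vulnerable_sizes(2000, 120); /* argv[0] longer than 1024 */
    printf("vulnerable: malloc(%zu), header write %zu, body cap %zu, overflow=%d\n",
           v.alloc, v.header_cap, v.body_cap, overflows(v));
    struct sizes f = fixed_sizes(2000, 120);
    printf("fixed:      malloc(%zu), header write %zu, body cap %zu, overflow=%d\n",
           f.alloc, f.header_cap, f.body_cap, overflows(f));
    char *line = format_line(13, "su", 4242, "authentication failure");
    if (line) {
        puts(line);
        free(line);
    }
    return 0;
}
```

With a 2000-byte header the vulnerable model reports a 1-byte malloc(), a 2001-byte header write and a body cap just below SIZE_MAX, which is exactly the pair of overflows the bullets above describe; with a 40-byte header the same model is harmless, which is why the bug needs an argv[0] or openlog() ident longer than bufs.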
Related news
Russian organizations have been targeted by a cybercrime gang called ExCobalt using a previously unknown Golang-based backdoor known as GoRed. "ExCobalt focuses on cyber espionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt Gang," Positive Technologies researchers Vladislav Lunin and Alexander Badayev said in a technical report
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]
Gentoo Linux Security Advisory 202402-1 - Multiple vulnerabilities in glibc could result in Local Privilege Escalation. Versions prior to 2.38-r10 are affected.
Ubuntu Security Notice 6620-1 - It was discovered that the GNU C Library incorrectly handled the syslog function call. A local attacker could use this issue to execute arbitrary code and possibly escalate privileges.
Qualys discovered a memory corruption in the glibc's qsort() function, due to a missing bounds check. To be vulnerable, a program must call qsort() with a nontransitive comparison function (a function cmp(int a, int b) that returns (a - b), for example) and with a large number of attacker-controlled elements (to cause a malloc() failure inside qsort()). They have not tried to find such a vulnerable program in the real world. All glibc versions from at least September 1992 (glibc 1.04) to the current release (glibc 2.38) are affected, but the glibc's developers have independently discovered and patched this memory corruption in the master branch (commit b9390ba, "stdlib: Fix array bounds protection in insertion sort phase of qsort") during a recent refactoring of qsort().
Debian Linux Security Advisory 5611-1 - The Qualys Research Labs discovered several vulnerabilities in the GNU C Library's __vsyslog_internal() function (called by syslog() and vsyslog()). A heap-based buffer overflow (CVE-2023-6246), an off-by-one heap overflow (CVE-2023-6779) and an integer overflow (CVE-2023-6780) can be exploited for privilege escalation or denial of service.
By Deeba Ahmed Patch Now or Pay Later: Qsort Flaw Leaves Millions of Linux Systems Exposed. This is a post from HackRead.com Read the original post: Critical Flaws Found in GNU C Library, Major Linux Distros at Risk
Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc). Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally
Gentoo Linux Security Advisory 202310-3 - Multiple vulnerabilities in glibc could result in Local Privilege Escalation. Versions prior to 2.37-r7 are affected.
gRPC contains a vulnerability in which HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser. The unbounded CPU consumption is down to a copy that occurred per input block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0's can be added at the start of an integer. gRPC's HPACK parser needed to read all of them before concluding a parse. - gRPC's metadata overflow check was performed per frame, so ...
Dell EMC Unisphere for PowerMax versions before 9.1.0.27, Dell EMC Unisphere for PowerMax Virtual Appliance versions before 9.1.0.27, and PowerMax OS Release 5978 contain an improper certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit.
Sudo before 1.9.13p2 has a double free in the per-command chroot feature.
WALLIX Access Manager 3.x through 4.0.x allows a remote attacker to access sensitive information.
ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...
Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically i...
The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.