bcrypt password hashing in Botan before 2.1.0 does not correctly handle passwords with a length between 57 and 72 characters, which makes it easier for attackers to determine the cleartext password.

If you think you have found a security bug in Botan please contact Jack Lloyd (jack@randombit.net). If you would like to encrypt your mail please use:

pub   rsa3072/57123B60 2015-03-23
      Key fingerprint = 4E60 C735 51AF 2188 DF0A  5A62 78E9 8043 5712 3B60
      uid         Jack Lloyd <jack@randombit.net>

This key can be found in the file doc/pgpkey.txt or online at https://keybase.io/jacklloyd and on most PGP keyservers.

**2022¶**

*   2022-11-16: Failure to correctly check OCSP responder embedded certificate
    
    OCSP responses for some end entity are either signed by the issuing CA certificate of the PKI, or an OCSP responder certificate that the PKI authorized to sign responses in their name. In the latter case, the responder certificate (and its validation path certificate) may be embedded into the OCSP response and clients must verify that such certificates are indeed authorized by the CA when validating OCSP responses.
    
    The OCSP implementation failed to verify that an authorized responder certificate embedded in an OCSP response is authorized by the issuing CA. As a result, any valid signature by an embedded certificate passed the check and was allowed to make claims about the revocation status of certificates of any CA.
    
    Attackers that are in a position to spoof OCSP responses for a client could therefore render legitimate certificates of a 3rd party CA as revoked or even use a compromised (and actually revoked) certificate by spoofing an OCSP-“OK” response. E.g. an attacker could exploit this to impersonate a legitimate TLS server using a compromised certificate of that host and get around the revocation check using OCSP stapling.
    
    Introduced in 1.11.34, fixed in 2.19.3
    

**2020¶**

*   2020-12-21 (CVE-2021-24115): Codec encoding/decoding was not constant time
    
    The base64, base32, base58 and hex encoding/decoding routines used lookup tables which could leak information via a cache-based side channel attack. The encoding tables were small and unlikely to be exploitable, but the decoding tables were large enough to cause non-negligible information leakage. In particular parsing an unencrypted PEM-encoded private key within an SGX enclave could be easily attacked to leak key material.
    
    Identified and reported by Jan Wichelmann, Thomas Eisenbarth, Sebastian Berndt, and Florian Sieck.
    
    Fixed in 2.17.3
    
*   2020-07-05: Failure to enforce name constraints on alternative names
    
    The path validation algorithm enforced name constraints on the primary DN included in the certificate but failed to do so against alternative DNs which may be included in the subject alternative name. This would allow a corrupted sub-CA which was constrained by a name constraints extension in its own certificate to issue a certificate containing a prohibited DN. Until 2.15.0, there was no API to access these alternative name DNs so it is unlikely that any application would make incorrect access control decisions on the basis of the incorrect DN. Reported by Mario Korth of Ruhr-Universität Bochum.
    
    Introduced in 1.11.29, fixed in 2.15.0
    
*   2020-03-24: Side channel during CBC padding
    
    The CBC padding operations were not constant time and as a result would leak the length of the plaintext values which were being padded to an attacker running a side channel attack via shared resources such as cache or branch predictor. No information about the contents was leaked, but the length alone might be used to make inferences about the contents. This issue affects TLS CBC ciphersuites as well as CBC encryption using PKCS7 or other similar padding mechanisms. In all cases, the unpadding operations were already constant time and are not affected. Reported by Maximilian Blochberger of Universität Hamburg.
    
    Fixed in 2.14.0, all prior versions affected.
    

**2018¶**

*   2018-12-17 (CVE-2018-20187): Side channel during ECC key generation
    
    A timing side channel during ECC key generation could leak information about the high bits of the secret scalar. Such information allows an attacker to perform a brute force attack on the key somewhat more efficiently than they would otherwise. Found by Ján Jančár using ECTester.
    
    Introduced in 1.11.20, fixed in 2.8.0.
    
*   2018-06-13 (CVE-2018-12435): ECDSA side channel
    
    A side channel in the ECDSA signature operation could allow a local attacker to recover the secret key. Found by Keegan Ryan of NCC Group.
    
    Bug introduced in 2.5.0, fixed in 2.7.0. The 1.10 branch is not affected.
    
*   2018-04-10 (CVE-2018-9860): Memory overread in TLS CBC decryption
    
    An off by one error in TLS CBC decryption meant that for a particular malformed ciphertext, the receiver would miscompute a length field and HMAC exactly 64K bytes of data following the record buffer as if it was part of the message. This cannot be used to leak information since the MAC comparison will subsequently fail and the connection will be closed. However it might be used for denial of service. Found by OSS-Fuzz.
    
    Bug introduced in 1.11.32, fixed in 2.6.0
    
*   2018-03-29 (CVE-2018-9127): Invalid wildcard match
    
    RFC 6125 wildcard matching was incorrectly implemented, so that a wildcard certificate such as b*.domain.com would match any hosts *b*.domain.com instead of just server names beginning with b. The host and certificate would still have to be in the same domain name. Reported by Fabian Weißberg of Rohde and Schwarz Cybersecurity.
    
    Bug introduced in 2.2.0, fixed in 2.5.0
    

**2017¶**

*   2017-10-02 (CVE-2017-14737): Potential side channel using cache information
    
    In the Montgomery exponentiation code, a table of precomputed values is used. An attacker able to analyze which cache lines were accessed (perhaps via an active attack such as Prime+Probe) could recover information about the exponent. Identified in “CacheD: Identifying Cache-Based Timing Channels in Production Software” by Wang, Wang, Liu, Zhang, and Wu (Usenix Security 2017).
    
    Fixed in 1.10.17 and 2.3.0, all prior versions affected.
    
*   2017-07-16: Failure to fully zeroize memory before free
    
    The secure\_allocator type attempts to zeroize memory before freeing it. Due to a error sometimes only a portion of the memory would be zeroed, because of a confusion between the number of elements vs the number of bytes that those elements use. So byte vectors would always be fully zeroed (since the two notions result in the same value), but for example with an array of 32-bit integers, only the first 1/4 of the elements would be zeroed before being deallocated. This may result in information leakage, if an attacker can access memory on the heap. Reported by Roman Pozlevich.
    
    Bug introduced in 1.11.10, fixed in 2.2.0
    
*   2017-04-04 (CVE-2017-2801): Incorrect comparison in X.509 DN strings
    
    Botan’s implementation of X.509 name comparisons had a flaw which could result in an out of bound memory read while processing a specially formed DN. This could potentially be exploited for information disclosure or denial of service, or result in incorrect validation results. Found independently by Aleksandar Nikolic of Cisco Talos, and OSS-Fuzz automated fuzzing infrastructure.
    
    Bug introduced in 1.6.0 or earlier, fixed in 2.1.0 and 1.10.16
    
*   2017-03-23 (CVE-2017-7252): Incorrect bcrypt computation
    
    Botan’s implementation of bcrypt password hashing scheme truncated long passwords at 56 characters, instead of at bcrypt’s standard 72 characters limit. Passwords with lengths between these two bounds could be cracked more easily than should be the case due to the final password bytes being ignored. Found and reported by Solar Designer.
    
    Bug introduced in 1.11.0, fixed in 2.1.0.
    

**2016¶**

*   2016-11-27 (CVE-2016-9132) Integer overflow in BER decoder
    
    While decoding BER length fields, an integer overflow could occur. This could occur while parsing untrusted inputs such as X.509 certificates. The overflow does not seem to lead to any obviously exploitable condition, but exploitation cannot be positively ruled out. Only 32-bit platforms are likely affected; to cause an overflow on 64-bit the parsed data would have to be many gigabytes. Bug found by Falko Strenzke, cryptosource GmbH.
    
    Fixed in 1.10.14 and 1.11.34, all prior versions affected.
    
*   2016-10-26 (CVE-2016-8871) OAEP side channel
    
    A side channel in OAEP decoding could be used to distinguish RSA ciphertexts that did or did not have a leading 0 byte. For an attacker capable of precisely measuring the time taken for OAEP decoding, this could be used as an oracle allowing decryption of arbitrary RSA ciphertexts. Remote exploitation seems difficult as OAEP decoding is always paired with RSA decryption, which takes substantially more (and variable) time, and so will tend to mask the timing channel. This attack does seems well within reach of a local attacker capable of a cache or branch predictor based side channel attack. Finding, analysis, and patch by Juraj Somorovsky.
    
    Introduced in 1.11.29, fixed in 1.11.33
    
*   2016-08-30 (CVE-2016-6878) Undefined behavior in Curve25519
    
    On systems without a native 128-bit integer type, the Curve25519 code invoked undefined behavior. This was known to produce incorrect results on 32-bit ARM when compiled by Clang.
    
    Introduced in 1.11.12, fixed in 1.11.31
    
*   2016-08-30 (CVE-2016-6879) Bad result from X509\_Certificate::allowed\_usage
    
    If allowed\_usage was called with more than one Key\_Usage set in the enum value, the function would return true if _any_ of the allowed usages were set, instead of if _all_ of the allowed usages are set. This could be used to bypass an application key usage check. Credit to Daniel Neus of Rohde & Schwarz Cybersecurity for finding this issue.
    
    Introduced in 1.11.0, fixed in 1.11.31
    
*   2016-03-17 (CVE-2016-2849): ECDSA side channel
    
    ECDSA (and DSA) signature algorithms perform a modular inverse on the signature nonce k. The modular inverse algorithm used had input dependent loops, and it is possible a side channel attack could recover sufficient information about the nonce to eventually recover the ECDSA secret key. Found by Sean Devlin.
    
    Introduced in 1.7.15, fixed in 1.10.13 and 1.11.29
    
*   2016-03-17 (CVE-2016-2850): Failure to enforce TLS policy
    
    TLS v1.2 allows negotiating which signature algorithms and hash functions each side is willing to accept. However received signatures were not actually checked against the specified policy. This had the effect of allowing a server to use an MD5 or SHA-1 signature, even though the default policy prohibits it. The same issue affected client cert authentication.
    
    The TLS client also failed to verify that the ECC curve the server chose to use was one which was acceptable by the client policy.
    
    Introduced in 1.11.0, fixed in 1.11.29
    
*   2016-02-01 (CVE-2016-2196): Overwrite in P-521 reduction
    
    The P-521 reduction function would overwrite zero to one word following the allocated block. This could potentially result in remote code execution or a crash. Found with AFL
    
    Introduced in 1.11.10, fixed in 1.11.27
    
*   2016-02-01 (CVE-2016-2195): Heap overflow on invalid ECC point
    
    The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.
    
    The bigint\_mul and bigint\_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.
    
    The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.
    
    On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure\_vector objects. After this point the write will hit the guard page at the end of the mmap’ed region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.
    
    Found by Alex Gaynor fuzzing with AFL
    
    Introduced in 1.9.18, fixed in 1.11.27 and 1.10.11
    
*   2016-02-01 (CVE-2016-2194): Infinite loop in modular square root algorithm
    
    The ressol function implements the Tonelli-Shanks algorithm for finding square roots could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression. Found by AFL
    
    Introduced in 1.7.15, fixed in 1.11.27 and 1.10.11
    

**2015¶**

*   2015-11-04: TLS certificate authentication bypass
    
    When the bugs affecting X.509 path validation were fixed in 1.11.22, a check in Credentials\_Manager::verify\_certificate\_chain was accidentally removed which caused path validation failures not to be signaled to the TLS layer. So for affected versions, certificate authentication in TLS is bypassed. As a workaround, applications can override the call and implement the correct check. Reported by Florent Le Coz in GH #324
    
    Introduced in 1.11.22, fixed in 1.11.24
    
*   2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS
    
    A padding oracle attack was possible against TLS CBC ciphersuites because if a certain length check on the packet fields failed, a different alert type than one used for message authentication failure would be returned to the sender. This check triggering would leak information about the value of the padding bytes and could be used to perform iterative decryption.
    
    As with most such oracle attacks, the danger depends on the underlying protocol - HTTP servers are particularly vulnerable. The current analysis suggests that to exploit it an attacker would first have to guess several bytes of plaintext, but again this is quite possible in many situations including HTTP.
    
    Found in a review by Sirrix AG and 3curity GmbH.
    
    Introduced in 1.11.0, fixed in 1.11.22
    
*   2015-10-26 (CVE-2015-7825): Infinite loop during certificate path validation
    
    When evaluating a certificate path, if a loop in the certificate chain was encountered (for instance where C1 certifies C2, which certifies C1) an infinite loop would occur eventually resulting in memory exhaustion. Found in a review by Sirrix AG and 3curity GmbH.
    
    Introduced in 1.11.6, fixed in 1.11.22
    
*   2015-10-26 (CVE-2015-7826): Acceptance of invalid certificate names
    
    RFC 6125 specifies how to match a X.509v3 certificate against a DNS name for application usage.
    
    Otherwise valid certificates using wildcards would be accepted as matching certain hostnames that should they should not according to RFC 6125. For example a certificate issued for *.example.com should match foo.example.com but not example.com or bar.foo.example.com. Previously Botan would accept such a certificate as also valid for bar.foo.example.com.
    
    RFC 6125 also requires that when matching a X.509 certificate against a DNS name, the CN entry is only compared if no subjectAlternativeName entry is available. Previously X509\_Certificate::matches\_dns\_name would always check both names.
    
    Found in a review by Sirrix AG and 3curity GmbH.
    
    Introduced in 1.11.0, fixed in 1.11.22
    
*   2015-10-26 (CVE-2015-7827): PKCS #1 v1.5 decoding was not constant time
    
    During RSA decryption, how long decoding of PKCS #1 v1.5 padding took was input dependent. If these differences could be measured by an attacker, it could be used to mount a Bleichenbacher million-message attack. PKCS #1 v1.5 decoding has been rewritten to use a sequence of operations which do not contain any input-dependent indexes or jumps. Notations for checking constant time blocks with ctgrind (https://github.com/agl/ctgrind) were added to PKCS #1 decoding among other areas. Found in a review by Sirrix AG and 3curity GmbH.
    
    Fixed in 1.11.22 and 1.10.13. Affected all previous versions.
    
*   2015-08-03 (CVE-2015-5726): Crash in BER decoder
    
    The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution. Found with afl.
    
    Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
    
*   2015-08-03 (CVE-2015-5727): Excess memory allocation in BER decoder
    
    The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer. Found with afl.
    
    Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
    

**2014¶**

*   2014-04-10 (CVE-2014-9742): Insufficient randomness in Miller-Rabin primality check
    
    A bug in the Miller-Rabin primality test resulted in only a single random base being used instead of a sequence of such bases. This increased the probability that a non-prime would be accepted by is\_prime or that a randomly generated prime might actually be composite. The probability of a random 1024 bit number being incorrectly classed as prime with a single base is around 2^-40. Reported by Jeff Marrison.
    
    Introduced in 1.8.3, fixed in 1.10.8 and 1.11.9

CVE-2017-7252: Security Advisories — Botan

Dromara Lamp-Cloud before v3.8.1 was discovered to use a hardcoded cryptographic key when creating and verifying a Json Web Token. This vulnerability allows attackers to authenticate to the application via a crafted JWT token.

**Dromara Lamp-Cloud Use of Hard-coded Cryptographic Key**

High severity GitHub Reviewed Published Nov 3, 2023 to the GitHub Advisory Database • Updated Nov 3, 2023

GHSA-xr8c-mq5x-5f56: Dromara Lamp-Cloud Use of Hard-coded Cryptographic Key

IBM CICS TX Standard 11.1, Advanced 10.1, 11.1, and TXSeries for Multiplatforms 8.1, 8.2, 9.1 are vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.  IBM X-Force ID:  266057.

  

**Summary**

"Cross Site Request Forgery" affects IBM CICS TX Advanced and IBM CICS TX Standard. IBM CICS TX Advanced and IBM CICS TX Standard have addressed the applicable vulnerability.

**Vulnerability Details**

**CVEID:**   CVE-2023-42027  
**DESCRIPTION:**   IBM CICS TX is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266057 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM CICS TX Advanced

10.1

IBM CICS TX Advanced

11.1

IBM CICS TX Standard

11.1

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

31 Oct 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSZ5810","label":"CICS TX"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"10.1, 11.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}\]

CVE-2023-42027: Security Bulletin: "Cross Site Request Forgery" affects IBM CICS TX Advanced and IBM CICS TX Standard

In the module "Pixel Plus: Events + CAPI + Pixel Catalog for Facebook Module" (facebookconversiontrackingplus) up to version 2.4.9 from Smart Modules for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can access exports from the module which can lead to a leak of personal information from ps_customer table such as name / surname / email.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Pixel Plus: Events + CAPI + Pixel Catalog for Facebook” (facebookconversiontrackingplus) up to version 2.4.8 from Smart Modules for PrestaShop, a guest can download personal informations without restriction.

**Summary**

*   **CVE ID**: CVE-2023-46352
*   **Published at**: 2023-10-31
*   **Platform**: PrestaShop
*   **Product**: facebookconversiontrackingplus
*   **Impacted release**: <= 2.4.8 (2.4.9 fixed the vulnerability)
*   **Product author**: Smart Modules
*   **Weakness**: CWE-359
*   **Severity**: medium (7.5), GDPR violation

**Description**

Due to a lack of permissions control, a guest can access exports from the module which can lead to leak of personal informations from ps\_customer table such as name / surname / email

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: none
*   **Availability**: none

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**Possible malicious usage**

*   Steal personal data

**Timeline**

Date

Action

2023-05-24

Issue discovered during a code review by TouchWeb.fr

2023-05-24

Contact PrestaShop Addons security Team to confirm version scope by author

2023-10-10

PrestaShop Addons security Team confirm versions scope by author

2023-10-11

Author provide patch

2023-10-17

Request a CVE ID

2023-10-23

Received CVE ID

2023-10-31

Publish this security advisory

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **facebookconversiontrackingplus**.
*   You should restrict access to this URI pattern : modules/facebookconversiontrackingplus/csv/ to a given whitelist
*   You should restrict access to .csv file to a given whitelist

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-46352: [CVE-2023-46352] Exposure of Private Personal Information to an Unauthorized Actor in Smart Modules - Pixel Plus: Events + CAPI + Pixel Catalog for Facebook module for PrestaShop

Submitty before v22.06.00 is vulnerable to Incorrect Access Control. An attacker can delete any post in the forum by modifying request parameter.

**Introduction**

Submitty before v22.06.00 is vulnerable to Incorrect Access Control. An attacker can delete any post in the forum by modifying request parameter.

**CVSS Score****Score**

*   **CVSS v3.1:** 5.4
*   **Vector:** AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

**Impact**

*   **Confidentiality:** This vulnerability has no direct impact on confidentiality.
*   **Integrity:** The attcker can delete any post in the forum.
*   **Availability:** The attcker can delete any post in the forum.

**Likelihood**

*   **Skill Required:** This attack requires basic knowledge of HTTP request.
*   **Conditions:** The attcker must be able to create a post and delete its own post.
*   **Discoverability:** This vulnerability is easy to find.

**Problem Details****Overview**

This report identifies an Incorrect Access Control vulnerability within Submitty, specifically within the post deletion functionality of the forum component. The vulnerability arises due to insufficient parameter validation. An attacker can exploit this flaw by modifying the request body.

The core issue lies in the inadequate validation of user privileges when a request is made to delete a forum post. In a typical scenario, a user should only be able to delete their own posts or, in the case of an administrator, any post. However, due to the lack of proper access control checks within the system, an unauthorized user can manipulate the HTTP request sent to the server. By altering parameters such as the post identifier within the request body, an attacker can bypass the standard permission model.

The most alarming consequence of this vulnerability is the ability of an attacker to delete any post on the forum, regardless of their permission level. This can lead to several significant issues:

1.  Important educational discussions or announcements can be removed, leading to a loss of valuable information for users.
2.  The vulnerability can be exploited to disrupt the normal operation of the forum, causing confusion and mistrust among users.

**Affected Area**

The forum component of Submitty.

**Root Cause**

The service used following code to check if an user can modify a post.

    $post_id = $_POST["post_id"] ?? $_POST["edit_post_id"];
    $post = $this->core->getQueries()->getPost($post_id);
    if (!$this->core->getAccess()->canI("forum.modify_post", ['post_author' => $post['author_user_id']])) {
        return $this->core->getOutput()->renderJsonFail('You do not have permissions to do that.');
    }
    

However, the service uses another parameter from POST request as delete parameter. The parameter thread_id is not validated by the previous check.

    $thread_id = $_POST["thread_id"];
    $thread_title = $this->core->getQueries()->getThread($thread_id)['title'];
    if ($this->core->getQueries()->setDeletePostStatus($post_id, $thread_id, 1)) {
        $type = "thread";
    }
    else {
        $type = "post";
    }
    

Therefore, an attacker can modify the request parameter in the post body and delete the post in another thread.

**Steps to Reproduce**

Following steps are required to reproduce the issue. An HTTP traffic interceptor is also required, such as Burp Suite.

1.  Create two accounts for Submitty.
2.  Access to the forum component of Submitty (any version before v22.06.00) with account A.
3.  Create a new post in a nre thread to the forum.
4.  Log in with account B, create another post in a new thread.
5.  Enable interceptor, click delete button to send a delete request.
6.  Modify the request body, change thread_id to the thread that created by account A.
7.  Foward the modified request, notice that the post created by account A has been deleted.

Verify all parameters at server side. Be aware of parameter mismatches.

**References**

The vulnerability has been fixed as a part of pull request 8032.

_Report prepared by: Fu Chai_ _Date: 10/31/2023_

CVE-2023-43194: CVE-2023-43194: Submitty Incorrect Access Control Vulnerability Report

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-31579: JWTissues/lamp issue.md at main · xubowenW/JWTissues

The ongoing struggle between YouTube and ad blockers is turning ugly. Users are left with the choice between paying for Premium or watching ads.

The ongoing struggle between YouTube and ad blockers is turning users into the victims.

YouTube has gone all out in its fight against the use of add-ons, extensions and programs that prevent it from serving ads to viewers around the world. It started out as just a small experiment, but it looks like the company has opened the floodgates for most users now.

A spokesperson for YouTube told Engadget:

> “We’ve launched a global effort to urge viewers with ad blockers enabled to allow ads on YouTube or try YouTube Premium for an ad free experience. Ads support a diverse ecosystem of creators globally and allow billions to access their favorite content on YouTube.”

On a support page, YouTube says that if you use ad blockers, you’ll be asked to allow ads on YouTube or sign up for YouTube Premium. If you continue to use ad blockers, YouTube may block you from watching videos at all.

Now, users are flocking to places like Reddit to complain about YouTube’s hardened stance against ad blockers.

Privacy expert Alexander Hanff has filed a complaint with the Irish DPC (Data Protection Commission) about YouTube’s ad block blocking. Hanff says that YouTube needs permission to detect adblockers because by doing so it’s looking at something that is on the visitor’s system. In his complaint, Hanff demands that YouTube stop its anti-ad blocking policy, saying some experts call it “illegal”. 

The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR), so any outcome of this complaint might only cause changes for EU residents. We have reported about plans to introduce ad free services by Meta, TikTok, and YouTube as a way to circumvent EU rules that require platforms to get users’ consent in order to show them targeted ads.

**Watch out for fakes**

With all this going on, users should be extra careful about downloading new ad blockers that claim to circumvent YouTube’s blocking. Oftentimes we’ll see miscreants trying to rip off users by launching non-functional products and promoting potentially unwanted programs (PUPs).

There are many examples of fake ad blocker extensions in the Chrome Web Store that we would advise against installing.

**Browser Guard**

As you may know, Malwarebytes Browser Guard has a built-in ad blocker. If you still need to access an important site but you’re being asked to disable your ad blocker, you can do this by clicking on the blue M logo in your browser taskbar and set the Ad/Trackers to be disabled for that site.

_Browser Guard blocks two entities on www.youtube.com_

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 YouTube launches &#8220;global effort&#8221; to block ad blockers 

It’s very convenient to store your passwords in your browser. But is it a good idea?

At Malwarebytes we’ve been telling people for years not to reuse passwords, and that a password manager is a secure way of remembering all the passwords you need for your online accounts.

But we also know that a password manager can be overwhelming, especially when you’re just getting started. Once you’ve stored your tens or even hundreds of passwords, a password manager is relatively convenient to use and keep updated. But you have to get to that stage first and not everyone is at the same level of computer literacy.

So, you may have wondered if there’s another way. No doubt, you’ll have seen the pop ups in your browser asking if you’d like it to save your password for next time. In fact, many browsers refer to that as their password manager.

It’s very convenient, since your browser is usually the application that needs the password, but is it a good idea?

As usual, there are pros and cons.

**Encryption.** With a browser password manager, someone with access to your browser could see your passwords in clear text, although Windows can be set to ask for authentication (the same you use at startup of your device).

_The “Show password’ option_

To see the passwords in an actual password manager, an attacker would need to know the password for the password manager or the recovery phrase, which are usually a lot harder to find out than the Windows authentication (if set).

A word of warning here, some password managers have the option to keep you logged in for hours or even days. If there is any chance that anyone may acquire physical access, such settings defeat the added security of a password manager, since the attacker could open the password manager and look at your passwords in more or less the same way as they could in your browser.

**Lookalike phishing sites.** Both a standalone password manager and the one in your browser will protect you here. They will not fill out your password if the domain doesn’t match the one you saved the password for, which could indicate a phishing site. This can be very useful and this is where it beats writing down the password on a piece of paper or storing it in a text file. I should add that the domains that are worth setting up a fake site for are usually the ones that we would advise you add multi-factor-authentication (MFA) to.

**Syncing.** If you’ve stored your passwords in the browser and have chosen to synchronize your browser between devices, your passwords will port over as well. This is obviously very convenient, but it’s also a potential danger if someone gets access to one of your devices. A true password manager doesn’t rely on syncing between the same browser on different devices. Once you have the password manager installed on a device, you have it handy to use in any browser or other apps.

**Offline.** Many password managers cache your passwords locally, so you still have access when your connection is broken. Browser password storage doesn’t allow for this.

**Business devices.** It’s hard for the IT department to keep track of which user has which passwords saved in their browser. Password managers for businesses give them a better insight and make it easier to revoke passwords when needed.

**Password stealers.** There are types of malware that are capable of harvesting passwords from your device. They know exactly where browsers store their passwords and the encryption key, so they can steal and send the credentials to the attacker. Password managers are separate to the browser so they’re not at risk in the same way.

**Data breaches.** Several password managers will warn you if they find that your credentials are involved in a data breach, so you can change them. Browser storage doesn’t do this.

**Complex passwords.** Humans are bad at creating and remembering complex passwords. A password manager and some browsers can help you create a password that meets the required complexity and store it so you don’t have to remember it.

**Side channel attacks.** As we saw with a recent bug in Safari, attackers can use the autofill feature in a browser to harvest login credentials for a site. This only works if you have autofill enabled, so to make things a bit safer you can tell your browser to wait for your OK before it fills out the data. Here’s how…

**How to disabled autofill**

*   **Brave:** Settings > Autofill and passwords > Password Manager > Settings. Toggle off “Sign in automatically”

*   **Chrome:** Settings > Autofill and passwords > Google Password Manager > Settings. Toggle off “Sign in automatically.”

*   **Edge:** Settings > Profiles > Passwords > Settings. There you can toggle off autofill for passwords and for Personal data separately.

*   **Firefox:** Settings > Privacy & Security. Scroll down to Logins and Passwords and uncheck “Autofill logins and passwords.”

*   **Opera:** Settings > Advanced Settings > Autofill > Password Manager > Settings. Toggle off “Auto Sign-in.”

*   **Safari:** Safari (in the menu bar) > Settings > Autofill. Uncheck “Usernames and passwords” and “Credit cards”.

Your browser password manager gives you “ease of use” but that costs you some of your security. Of course, password managers aren’t foolproof either, so it’s important to decide for yourself where you store your passwords.

If you’re confident the website is safe and anyone that can access it under your account will not learn anything new, feel free to store the password in your browser, but disable autofill so you are the one that is in control.

Use MFA where possible. It enormously reduces the risk should someone get hold of your password. And refrain from using the browser password manager to store your credit card details or other sensitive personally identifiable information (e.g. medical information).

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Should you allow your browser to remember your passwords? 

One of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. Here’s a closer look at the Russia-based SWAT USA Drop Service, which currently employs more than 1,200 people across the United States who are knowingly or unwittingly involved in reshipping expensive consumer goods purchased with stolen credit cards.

The login page for the criminal reshipping service SWAT USA Drop.

One of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. Here’s a closer look at the Russia-based **SWAT USA Drop Service**, which currently employs more than 1,200 people across the United States who are knowingly or unwittingly involved in reshipping expensive consumer goods purchased with stolen credit cards.

Among the most common ways that thieves extract cash from stolen credit card accounts is through purchasing pricey consumer goods online and reselling them on the black market. Most online retailers grew wise to these scams years ago and stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia.

But such restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe to receive stolen goods and relay them to crooks living in the embargoed areas.

Services like SWAT are known as “Drops for stuff” on cybercrime forums. The “**drops**” are people who have responded to work-at-home package reshipping jobs advertised on craigslist.com and job search sites. Most reshipping scams promise employees a monthly salary and even cash bonuses. In reality, the crooks in charge almost always stop communicating with drops just before the first payday, usually about a month after the drop ships their first package.

The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the US Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.

SWAT takes a percentage cut (up to 50 percent) where “**stuffers**” — thieves armed with stolen credit card numbers — pay a portion of each product’s retail value to SWAT as the reshipping fee. The stuffers use stolen cards to purchase high-value products from merchants and have the merchants ship the items to the drops’ address. Once the drops receive and successfully reship the stolen packages, the stuffers then sell the products on the local black market.

The SWAT drop service has been around in various names and under different ownership for almost a decade. But in early October 2023, SWAT’s current co-owner — a Russian-speaking individual who uses the handle “**Fearlless**” — took to his favorite cybercrime forum to lodge a formal complaint against the owner of a competing reshipping service, alleging his rival had hacked SWAT and was trying to poach his stuffers and reshippers by emailing them directly.

Milwaukee-based security firm Hold Security shared recent screenshots of a working SWAT stuffer’s user panel, and those images show that SWAT currently lists more than 1,200 drops in the United States that are available for stuffers to rent. The contact information for **Kareem**, a young man from Maryland, was listed as an active drop. Contacted by KrebsOnSecurity, Kareem agreed to speak on condition that his full name not be used in this story.

A SWAT panel for stuffers/customers. This page lists the rules of the service, which do not reimburse stuffers for “acts of god,” i.e. authorities seizing stolen goods or arresting the drop.

Kareem said he’d been hired via an online job board to reship packages on behalf of a company calling itself **CTSI**, and that he’s been receiving and reshipping iPads and Apple watches for several weeks now. Kareem was less than thrilled to learn he would probably not be getting his salary on the promised payday, which was coming up in a few days.

Kareem said he was instructed to create an account at a website called **portal-ctsi\[.\]com**, where each day he was expected to log in and check for new messages about pending shipments. Anyone can sign up at this website as a potential reshipping mule, although doing so requires applicants to share a great deal of personal and financial information, as well as copies of an ID or passport matching the supplied name.

A SWAT panel for stuffers/customers, listing hundreds of drops in the United States by their status. “Going to die” are those who are about to be let go without promised payment, or who have quit on their own.

On a suspicion that the login page for portal-ctsi\[.\]com might be a custom coding job, KrebsOnSecurity selected “view source” from the homepage to expose the site’s HTML code. Grabbing a snippet of that code (e.g., “smarty/default/jui/js/jquery-ui-1.9.2.min.js”) and searching on it at **publicwww.com** reveals more than four dozen other websites running the same login panel. And all of those appear to be geared toward either stuffers or drops.

In fact, more than half of the domains that use this same login panel actually include the word “stuffer” in the login URL, according to publicwww. Each of the domains below that end in “/user/login.php” are sites for active and prospective drops, and each corresponds to a unique fake company that is responsible for managing its own stable of drops:

lvlup-store\[.\]com/stuffer/login.php  
personalsp\[.\]com/user/login.php  
destaf\[.\]com/stuffer/login.php  
jaderaplus\[.\]com/stuffer/login.php  
33cow\[.\]com/stuffer/login.php  
panelka\[.\]net/stuffer/login.php  
aaservice\[.\]net/stuffer/login.php  
re-shipping\[.\]ru/stuffer/login.php  
bashar\[.\]cc/stuffer/login.php  
marketingyoursmall\[.\]biz/stuffer/login.php  
hovard\[.\]xyz/stuffer/login.php  
pullback\[.\]xyz/stuffer/login.php  
telollevoexpress\[.\]com/stuffer/login.php  
postme\[.\]today/stuffer/login.php  
wint-job\[.\]com/stuffer/login.php  
squadup\[.\]club/stuffer/login.php  
mmmpack\[.\]pro/stuffer/login.php  
yoursmartpanel\[.\]com/user/login.php  
opt257\[.\]org/user/login.php  
touchpad\[.\]online/stuffer/login.php  
peresyloff\[.\]top/stuffer/login.php  
ruzke\[.\]vodka/stuffer/login.php  
staf-manager\[.\]net/stuffer/login.php  
data-job\[.\]club/stuffer/login.php  
logistics-services\[.\]org/user/login.php  
swatship\[.\]club/stuffer/login.php  
logistikmanager\[.\]online/user/login.php  
endorphine\[.\]world/stuffer/login.php  
burbon\[.\]club/stuffer/login.php  
bigdropproject\[.\]com/stuffer/login.php  
jobspaket\[.\]net/user/login.php  
yourcontrolboard\[.\]com/stuffer/login.php  
packmania\[.\]online/stuffer/login.php  
shopping-bro\[.\]com/stuffer/login.php  
dash-redtag\[.\]com/user/login.php  
mnger\[.\]net/stuffer/login.php  
begg\[.\]work/stuffer/login.php  
dashboard-lime\[.\]com/user/login.php  
control-logistic\[.\]xyz/user/login.php  
povetru\[.\]biz/stuffer/login.php  
dash-nitrologistics\[.\]com/user/login.php  
cbpanel\[.\]top/stuffer/login.php  
hrparidise\[.\]pro/stuffer/login.php  
d-cctv\[.\]top/user/login.php  
versandproject\[.\]com/user/login.php  
packitdash\[.\]com/user/login.php  
avissanti-dash\[.\]com/user/login.php  
e-host\[.\]life/user/login.php  
pacmania\[.\]club/stuffer/login.php

Why so many websites? In practice, all drops are cut loose within approximately 30 days of their first shipment — just before the promised paycheck is due. Because of this constant churn, each stuff shop operator must be constantly recruiting new drops. Also, with this distributed setup, even if one reshipping operation gets shut down (or exposed online), the rest can keep on pumping out dozens of packages a day.

A 2015 academic study (PDF) on criminal reshipping services found the average financial hit from a reshipping scheme per cardholder was $1,156.93. That study looked into the financial operations of several reshipping schemes, and estimated that approximately 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year.

It’s not hard to see how reshipping can be a profitable enterprise for card crooks. For example, a stuffer buys a stolen payment card off the black market for $10, and uses that card to purchase more than $1,100 worth of goods. After the reshipping service takes its cut (~$550), and the stuffer pays for his reshipping label (~$100), the stuffer receives the stolen goods and sells them on the black market in Russia for $1,400. He has just turned a $10 investment into more than $700. Rinse, wash, and repeat.

The breach at SWAT exposed not only the nicknames and contact information for all of its stuffers and drops, but also the group’s monthly earnings and payouts. SWAT apparently kept its books in a publicly accessible Google Sheets document, and that document reveals Fearlless and his business partner each routinely made more than $100,000 every month operating their various reshipping businesses.

The exposed SWAT financial records show this crime group has tens of thousands of dollars worth of expenses each month, including payments for the following recurring costs:

\-advertising the service on crime forums and via spam;  
\-people hired to re-route packages, usually by voice over the phone;  
\-third-party services that sell hacked/stolen USPS/Fedex labels;  
\-“drops test” services, contractors who will test the honesty of drops by sending them fake jewelry;  
\-“documents,” e.g. sending drops to physically pick up legal documents for new phony front companies.

The spreadsheet also included the cryptocurrency account numbers that were to be credited each month with SWAT’s earnings. Unsurprisingly, a review of the blockchain activity tied to the bitcoin addresses listed in that document shows that many of them have a deep association with cybercrime, including ransomware activity and transactions at darknet sites that peddle stolen credit cards and residential proxy services.

The information leaked from SWAT also has exposed the real-life identity and financial dealings of its principal owner — Fearlless, a.k.a. “SwatVerified.” We’ll hear more about Fearlless in Part II of this story. Stay tuned.

Russian Reshipping Service ‘SWAT USA Drop’ Exposed

NVIDIA GPU Display Driver for Windows contains a vulnerability that allows Windows users with low levels of privilege to escalate privileges when an administrator is updating GPU drivers, which may lead to escalation of privileges.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**NVIDIA GPU Display Driver**

**CVE ID**

**Description**

**Base Score**

**CWE and Vector**

CVE‑2023‑31027

NVIDIA GPU Display Driver for Windows contains a vulnerability that allows Windows users with low levels of privilege to escalate privileges when an administrator is updating GPU drivers, which may lead to escalation of privileges.

8.2

CWE-427  
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE‑2023‑31019

NVIDIA GPU Display Driver for Windows contains a vulnerability in wksServicePlugin.dll, where the driver implementation does not restrict or incorrectly restricts access from the named pipe server to a connecting client, which may lead to potential impersonation to the client's secure context.

7.8

CWE-284  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑31017

NVIDIA GPU Display Driver for Windows contains a vulnerability where an attacker may be able to write arbitrary data to privileged locations by using reparse points. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

7.8

CWE: 552  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑31016

NVIDIA GPU Display Driver for Windows contains a vulnerability where an uncontrolled search path element may allow an attacker to execute arbitrary code, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

7.3

CWE-427  
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE‑2023‑31020

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause improper access control, which may lead to denial of service or data tampering.

6.1

CWE-284  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CVE‑2023‑31022

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a NULL-pointer dereference may lead to denial of service.

5.5

CWE: 476  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE‑2023‑31023

NVIDIA Display Driver for Windows contains a vulnerability where an attacker may cause a pointer dereference of an untrusted value, which may lead to denial of service.

5.5

CWE: 822  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

**NVIDIA vGPU Software**

**CVE ID**

**Description**

**Base Score**

**CWE and Vector**

CVE‑2023‑31018

NVIDIA GPU Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a NULL-pointer dereference, which may lead to denial of service.

6.5

CWE: 476  
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVE‑2023‑31026

NVIDIA vGPU software for Windows and Linux contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a NULL-pointer dereference may lead to denial of service.

6.0

CWE: 476  
AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVE‑2023‑31021

NVIDIA vGPU software for Windows and Linux contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a malicious user in the guest VM can cause a NULL-pointer dereference, which may lead to denial of service.

5.5

CWE: 476  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates for NVIDIA GPU Display Driver****CVE IDs Addressed in Each Windows Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R545, R535, R525

CVE‑2023‑31016, CVE‑2023‑31017, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

R470

CVE‑2023‑31017, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

**Security Updates for NVIDIA GPU Windows Display Driver**

The following table lists the NVIDIA software products affected, Windows driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

**Software Product**

**Operating System**

**Driver Branch**

**Affected Driver Versions**

**Updated Driver Version**

GeForce

Windows

R545

All driver versions prior to 546.01

546.01

Windows 10 and 11

R470

All driver versions prior to 474.64 for support of GeForce Kepler desktop

474.64

Windows 7 and 8._x_

R470

All driver versions prior to 474.64

474.64

Studio

Windows

R545

All driver versions prior to 546.01

546.01

NVIDIA RTX,  
Quadro,  
NVS

Windows

R545

All driver versions prior to 546.01

546.01

R535

All driver versions prior to 537.70

537.70

R525

All driver versions prior to 529.19

529.19

R470

All driver versions prior to 474.64

474.64

Tesla

Windows

R535

All driver versions prior to 537.70

537.70

R525

All driver versions prior to 529.19

529.19

R470

All driver versions prior to 474.64

474.64

**CVE IDs Addressed in Each Linux Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux driver branch.

**Linux Driver Branch**

**CVE IDs Addressed**

R545, R535, R525, R470

CVE‑2023‑31022

**Security Updates for NVIDIA GPU Linux Display Driver**

The following table lists the NVIDIA software products affected, Linux driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

**Software Product**

**Operating System**

**Driver Branch**

**Affected Driver Versions**

**Updated Driver Version**

GeForce

Linux

R545

All driver versions prior to 545.29.02

545.29.02

R535

All driver versions prior to 535.129.03

535.129.03

R525

All driver versions prior to 525.147.05

525.147.05

R470

All driver versions prior to 470.223.02

470.223.02

NVIDIA RTX, Quadro, NVS

Linux

R545

All driver versions prior to 545.29.02

545.29.02

R535

All driver versions prior to 535.129.03

535.129.03

R525

All driver versions prior to 525.147.05

525.147.05

R470

All driver versions prior to 470.223.02

470.223.02

Tesla

Linux

R535

All driver versions prior to 535.129.03

535.129.03

R525

All driver versions prior to 525.147.05

525.147.05

R470

All driver versions prior to 470.223.02

470.223.02

**Notes**

*   Your computer hardware vendor may provide you with Windows GPU display driver versions including 545.91, 537.70, 529.19 and 474.64, which also contain the security updates.
*   The tables above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, we recommend upgrading to the latest branch release.

**Security Updates for NVIDIA vGPU Software****CVE IDs Addressed in Each Windows vGPU Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows vGPU driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R535

CVE‑2023‑31016, CVE‑2023‑31017, CVE‑2023‑31018, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31021, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

R525

CVE‑2023‑31016, CVE‑2023‑31017, CVE‑2023‑31018, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

R470

CVE‑2023‑31017, CVE‑2023‑31018, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

**CVE IDs Addressed in Each Linux vGPU Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux vGPU driver branch.

**Linux Driver Branch**

**CVE IDs Addressed**

R535, R525, R470

CVE‑2023‑31018, CVE‑2023‑31022

**CVE IDs Addressed in Each vGPU Manager Driver Branch**

The following table lists the CVE IDs addressed by the update in each vGPU Manager driver branch.

**vGPU Manager Driver Branch**

**CVE IDs Addressed**

R535

CVE‑2023‑31018, CVE‑2023‑31021, CVE‑2023‑31022, CVE‑2023‑31026

R525

CVE‑2023‑31018, CVE‑2023‑31022, CVE‑2023‑31026

R470

CVE‑2023‑31018, CVE‑2023‑31022

**Affected Components, Affected Versions, and Updated Versions**

The following table lists NVIDIA vGPU software components affected, versions affected, and the updated version that includes this security update.

**CVE IDs Addressed**

**vGPU Software Component**

**Operating System**

**Affected Versions**

**Updated Version**

**vGPU Software**

**Driver**

**vGPU Software**

**Driver**

CVE‑2023‑31016  
CVE‑2023‑31017  
CVE‑2023‑31018  
CVE‑2023‑31019  
CVE‑2023‑31020  
CVE‑2023‑31022  
CVE‑2023‑31023  
CVE‑2023‑31027

Guest driver

Windows

All versions prior to and including 16.1

537.13

16.2

537.70

All versions prior to and including 15.3

529.11

15.4

529.19

All versions prior to and including 13.8

474.44

13.9

474.64

CVE‑2023‑31018  
CVE‑2023‑31022

Guest driver

Linux

All versions prior to and including 16.1

535.104.05

16.2

535.109.03

All versions prior to and including 15.3

525.125.06

15.4

525.147.05

All versions prior to and including 13.8

470.199.02

13.9

470.223.02

CVE‑2023‑31018  
CVE‑2023‑31021  
CVE‑2023‑31022  
CVE‑2023‑31026

Virtual GPU Manager

Citrix Hypervisor,  
VMware vSphere,

Red Hat Enterprise Linux KVM,

Ubuntu

All versions prior to and including 16.1

535.104.06

16.2

535.109.03

All versions prior to and including 15.3

525.125.03

15.4

525.147.01

All versions prior to and including 13.8

470.199.03

13.9

470.223.02

CVE‑2023‑31018  
CVE‑2023‑31021  
CVE‑2023‑31022

Virtual GPU Manager

Azure Stack HCI

All versions prior to and including 16.1

537.13

16.2

537.70

All versions prior to and including 15.3

529.06

15.4

529.19

**Notes**

*   The table above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, we recommend upgrading to the latest branch release.

**Security Updates for NVIDIA Cloud Gaming****CVE IDs Addressed in Each Windows Cloud Gaming Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows Cloud Gaming driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R545, R535

CVE‑2023‑31016, CVE‑2023‑31017, CVE‑2023‑31018, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31021, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

R525

CVE‑2023‑31016, CVE‑2023‑31017, CVE‑2023‑31018, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

R470

CVE‑2023‑31017, CVE‑2023‑31018, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

**CVE IDs Addressed in Each Linux Cloud Gaming Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux Cloud Gaming driver branch

**Linux Driver Branch**

**CVE IDs Addressed**

R545, R535, R525, R470

CVE‑2023‑31018, CVE‑2023‑31022

**CVE IDs Addressed in Each Cloud Gaming Manager Driver Branch**

The following table lists the CVE IDs addressed by the update in each Cloud Gaming Manager driver branch

**Gaming Manager Driver Branch**

**CVE IDs Addressed**

R545, R535

CVE‑2023‑31018, CVE‑2023‑31021, CVE‑2023‑31022, CVE‑2023‑31026

R525

CVE‑2023‑31018, CVE‑2023‑31022, CVE‑2023‑31026

R470

CVE‑2023‑31018, CVE‑2023‑31022

**Affected Components, Affected Versions, and Updated Versions**

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

**CVE IDs Addressed**

**Cloud Gaming Component**

**Operating System**

**Affected Versions**

**Updated Version**

**Cloud Gaming Software**

**Driver**

**Cloud Gaming Software**

**Driver**

CVE‑2023‑31016  
CVE‑2023‑31017  
CVE‑2023‑31018  
CVE‑2023‑31019  
CVE‑2023‑31020  
CVE‑2023‑31022  
CVE‑2023‑31023  
CVE‑2023‑31027

Guest driver

Windows

All versions prior to and including September 2023 release

537.42

October 2023 release

546.01

CVE‑2023‑31018  
CVE‑2023‑31022

Guest driver

Linux

All versions prior to and including September 2023 release

535.113.01

October 2023 release

545.29.02

CVE‑2023‑31018  
CVE‑2023‑31021  
CVE‑2023‑31022  
CVE‑2023‑31026

Virtual GPU Manager

Red Hat Enterprise Linux KVM,

VMware vSphere

All versions prior to and including September 2023 release

535.113.01

October 2023 release

545.29.02

**Acknowledgements**

NVIDIA thanks the following people for reporting the issues to us:

CVE‑2023‑31027: Patryk Nowakowski

CVE‑2023‑31017: Lockheed Martin Red Team

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.1

November 1, 2023

Updated Windows Studio Display Driver version to 546.01

1.0

October 31, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Frequently Asked Questions (FAQs)**

How do I determine which NVIDIA display driver version is currently installed on my PC?

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

Tag

#auth