#vulnerability

Red Hat Security Advisory 2024-1316-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available. Issues addressed include cross site scripting, information leakage, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2024-1255-03 - Red Hat OpenShift Container Platform release 4.15.3 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a traversal vulnerability.

Red Hat Security Advisory 2024-0722-03 - An update is now available for Red Hat build of Quarkus. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice 6700-1 - It was discovered that the Layer 2 Tunneling Protocol implementation in the Linux kernel contained a race condition when releasing PPPoL2TP sockets in certain conditions, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle block device modification while it is mounted. A privileged attacker could use this to cause a denial of service or possibly expose sensitive information.

Atlassian Confluence versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3 suffer from a remote code execution vulnerability.

Ubuntu Security Notice 6699-1 - Reima Ishii discovered that the nested KVM implementation for Intel x86 processors in the Linux kernel did not properly validate control registers in certain situations. An attacker in a guest VM could use this to cause a denial of service. It was discovered that the Quick Fair Queueing scheduler implementation in the Linux kernel did not properly handle network packets in certain conditions, leading to a use after free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Backdrop CMS version 1.23.0 suffers from a persistent cross site scripting vulnerability.

ZoneMinder Snapshots versions prior to 1.37.33 suffer from an unauthenticated remote code execution vulnerability.

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Franklin Fueling System Equipment: EVO 550, EVO 5000 Vulnerability: Path Traversal 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the system. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Franklin Fueling System EVO 550 and EVO 5000, an automatic tank gauge (ATG), are affected: EVO 550: All versions prior to 2.26.3.8963 EVO 5000: All versions prior to 2.26.3.8963 3.2 Vulnerability Overview 3.2.1 PATH TRAVERSAL: '/../FILEDIR' CWE-25 Franklin Fueling System EVO 550 and EVO 5000 are vulnerable to a Path Traversal vulnerability that could allow an attacker to access sensitive files on the system. CVE-2024-2442 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). A CVSS v4 score has been calcula...