Log

CVE-2018-5702 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary command execution
Description
+ The transmission-daemon in Transmission before 2.93 relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack.
References
+ http://www.openwall.com/lists/oss-security/2018/01/12/1
+ https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
+ https://github.com/transmission/transmission/commit/eb5d1a79cbe1b9bc5b22fdcc598694ecd4d02f43
+ https://github.com/transmission/transmission/pull/468
Notes
CVE-2018-5709 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Information disclosure
Description
+ An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.
References
Notes
CVE-2018-5711 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.
References
+ https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html
+ https://lists.debian.org/debian-lts-announce/2018/01/msg00022.html
Notes
CVE-2018-5729 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Insufficient validation
Description
+ A flaw was found in MIT krb5 1.6 or later: an authenticated kadmin user with permission to add principals to an LDAP Kerberos database can cause a null dereference in kadmind, or circumvent a DN container check, by supplying tagged data intended to be internal to the database module.
References
+ https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1
Notes
+ Fixed in 1.16.1
CVE-2018-5730 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Insufficient validation
Description
+ A flaw was found in MIT krb5 1.6 or later: an authenticated kadmin user with permission to add principals to an LDAP Kerberos database can circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.
References
+ https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1
Notes
+ Fixed in 1.16.1
CVE-2018-5732 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Denial of service
Description
+ An out-of-bound memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running on DHCP client machines via a crafted DHCP response packet.
References
+ https://kb.isc.org/article/AA-01565
+ https://lists.isc.org/pipermail/dhcp-announce/2018-February/000418.html
+ https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=c5931725b48b121d232df4ba9e45bc41e0ba114d
+ https://bugs.isc.org/Public/Bug/Display.html?id=47139
Notes
CVE-2018-5733 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Denial of service
Description
+ A denial of service flaw was found in the way dhcpd handled reference counting when processing client requests. A malicious DHCP client could use this flaw to trigger a reference count overflow on the server side, potentially causing dhcpd to crash, by sending large amounts of traffic.
References
+ https://kb.isc.org/article/AA-01567
+ https://lists.isc.org/pipermail/dhcp-announce/2018-February/000418.html
+ https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=197b26f25309f947b97a83b8fdfc414b767798f8
+ https://bugs.isc.org/Public/Bug/Display.html?id=47140
Notes
CVE-2018-5736 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession.
References
+ https://kb.isc.org/article/AA-01602/74/CVE-2018-5736
Notes
+ Workaround:
+
+ For servers which must receive notifies to keep slave zone contents current, no complete workarounds are known although restricting BIND to only accept NOTIFY messages from authorized sources can greatly mitigate the risk of attack.
CVE-2018-5737 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off.
References
+ https://kb.isc.org/article/AA-01606/74/CVE-2018-5737
Notes
+ Workaround:
+
+ Setting "max-stale-ttl 0;" in named.conf will prevent exploitation of this vulnerability (but will effectively disable the serve-stale feature).
+
+ Setting "stale-answer-enable off;" is not sufficient to prevent exploitation; max-stale-ttl needs to be set to zero.
CVE-2018-5738 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Access restriction bypass
Description
+ BIND <= 9.13.0 can improperly permit recursive query service to unauthorized clients. When "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query", it is possible for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients.
References
+ https://kb.isc.org/article/AA-01616/0/CVE-2018-5738
+ https://marc.info/?l=oss-security&m=152886256217742
Notes
+ A number of configuration workarounds are available which completely avoid the problem.
+
+ If an operator has not chosen to specify some other permission, explicitly specifying "allow-query {localnets; localhost;};" in named.conf will provide behavior equivalent to the intended default.
+
+ If the default setting is not appropriate (because the operator wants a different behavior) then depending on which clients are intended to be able to receive service for recursive queries, explicitly setting a match list value for any of:
+
+ allow-recursion
+ allow-query
+ allow-query-cache
+
+ will prevent the "allow-recursion" control from improperly inheriting a setting from the allow-query default. If a value is set for any of those options, the behavior of allow-recursion will be set directly or inherited from one of the other values as described in the BIND Administrator Reference Manual, section 6.2.
+
+ Servers which are not intended to perform recursion at all may also effectively prevent this condition by setting "recursion no;" in named.conf.