Log

CVE-2019-15043 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ This vulnerability allows any unauthenticated user/client to reach the Grafana snapshot HTTP API and cause a denial of service by posting large numbers of dashboard snapshot payloads to the /api/snapshots HTTP API endpoint.
References
+ https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
+ https://github.com/grafana/grafana/commit/be2e2330f5c1f92082841d7eb13c5583143963a4
Notes
CVE-2019-1543 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Information disclosure
Description
+ An issue has been found in OpenSSL <= 1.1.1b, where an application using ChaCha20-Poly1305 could set a non-default nonce length to be longer than 12 bytes and then mistakenly reuse a nonce.
+ ChaCha20-Poly1305 is an AEAD cipher and requires a unique nonce input for every encryption operation; nonce reuse breaks both the confidentiality and the authenticity of the affected messages. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with zero bytes if it is shorter than 12 bytes. However, it also incorrectly allows a nonce of up to 16 bytes to be set. In this case only the last 12 bytes are significant and any additional leading bytes are ignored, so two nonces that differ only in their leading bytes are treated as the same nonce.
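The padding and truncation described above, modelled in C as an added example (this is not OpenSSL's code): effective_iv reproduces the pre-fix handling of a caller-supplied nonce, nonces_collide shows two 16-byte nonces that differ only in their leading bytes reaching the cipher as one 96-bit IV, and nonce_len_ok is the application-side guard that avoids the problem on any library version. The function names, the constants and the nonce values are constructed for the illustration.

```c
/* Added illustration, not OpenSSL code: models the nonce-length handling the
 * advisory describes for OpenSSL <= 1.1.1b. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IV_LEN        12   /* RFC 7539 nonce length */
#define MAX_ACCEPTED  16   /* longest nonce the pre-fix code accepted */

/* Pre-fix behaviour: fewer than 12 bytes are front-padded with zeros, 13..16
 * bytes keep only their last 12. Returns 0 and fills iv, -1 if len is 0 or >16. */
int effective_iv(const uint8_t *nonce, size_t len, uint8_t iv[IV_LEN])
{
    if (len == 0 || len > MAX_ACCEPTED)
        return -1;
    memset(iv, 0, IV_LEN);
    if (len <= IV_LEN)
        memcpy(iv + (IV_LEN - len), nonce, len);       /* front pad with zeros */
    else
        memcpy(iv, nonce + (len - IV_LEN), IV_LEN);    /* leading bytes ignored */
    return 0;
}

/* 1 if the two nonces reach the cipher as the same IV (nonce reuse),
 * 0 if they differ, -1 if either length is outside what the old code accepted. */
int nonces_collide(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    uint8_t ia[IV_LEN], ib[IV_LEN];
    if (effective_iv(a, alen, ia) < 0 || effective_iv(b, blen, ib) < 0)
        return -1;
    return memcmp(ia, ib, IV_LEN) == 0;
}

/* Application-side guard: accept only the RFC 7539 length, whatever the
 * library underneath would tolerate. */
int nonce_len_ok(size_t len)
{
    return len == IV_LEN;
}

/* Constructed nonces: a 32-bit counter in the leading bytes (the part the old
 * code discarded) followed by the same 12 fixed bytes. */
const uint8_t NONCE_A[16] = { 0, 0, 0, 1,
    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA, 0xAB };
const uint8_t NONCE_B[16] = { 0, 0, 0, 2,
    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA, 0xAB };
/* The bare 12-byte tail: identical IV to both of the above. */
const uint8_t NONCE_C[12] = {
    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA, 0xAB };

int main(void)
{
    printf("A vs B collide: %d\n", nonces_collide(NONCE_A, 16, NONCE_B, 16));
    printf("A vs C collide: %d\n", nonces_collide(NONCE_A, 16, NONCE_C, 12));
    printf("16-byte nonce passes guard: %d\n", nonce_len_ok(16));
    return 0;
}
```

An application that keeps its own counter in the first four bytes of a 16-byte nonce, as NONCE_A and NONCE_B do, would believe every message used a fresh nonce while the cipher saw the same IV each time.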
References
+ https://www.openssl.org/news/secadv/20190306.txt
+ https://github.com/openssl/openssl/commit/f426625b6a
Notes
CVE-2019-1559 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ A padding oracle has been found in OpenSSL versions prior to 1.0.2r. This issue does not impact OpenSSL 1.1.1 or 1.1.0. If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.
+ In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). AEAD ciphersuites are not impacted.
References
+ https://www.openssl.org/news/secadv/20190226.txt
Notes
CVE-2019-15717 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A use after free occurs in irssi when a duplicate CAP (IRCv3 capability) message is received from the server.
References
+ https://irssi.org/security/irssi_sa_2019_08.txt
+ https://github.com/irssi/irssi/commit/401fff7c34acaff2f7b0d6ab31bda7fa8cc50df9
Notes
+ Most servers do not send duplicate CAP messages.
CVE-2019-15718 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Access restriction bypass
Description
+ systemd-resolved before v234 does not properly enforce any access control on its D-Bus methods, allowing any unprivileged user to access its API. An attacker may use this flaw to configure the DNS servers, the default route or other properties of a network link. Those operations should only be performed by a high-privileged user.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1746057
+ https://github.com/systemd/systemd/pull/13457/commits/35e528018f315798d3bffcb592b32a0d8f5162bd
Notes
CVE-2019-15846 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary command execution
Description
+ Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash in a TLS peer's SNI or DN value; only Exim instances that accept TLS connections are affected.
References
+ https://exim.org/static/doc/security/CVE-2019-15846.txt
Notes
CVE-2019-18511 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Same-origin policy bypass
Description
+ An issue has been found in Thunderbird before 60.7.0, where cross-origin images can be read from a canvas element in violation of the same-origin policy using the transferFromImageBitmap method.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2018-18511
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1526218
Notes
CVE-2019-2435 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Authentication bypass
Description
+ A flaw was found in mysql-connector prior to version 8.0.13. An unauthenticated attacker with network access via TLS could compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized creation, deletion or modification access to critical data.
References
+ https://github.com/mysql/mysql-connector-python/commit/069bc6737dd13b7f3a41d7fc23b789b659d8e205
+ https://security.netapp.com/advisory/ntap-20190118-0002/
+ https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Notes
CVE-2019-3459 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ In the functions l2cap_parse_conf_rsp and l2cap_parse_conf_req (l2cap_core.c), and in other locations, a while loop parses the configuration elements exchanged during L2CAP connection negotiation.
+
+ In these loops the data is processed before the check that everything processed lies inside the buffer, and when data outside the buffer is processed the function does not return an error.
+
+ Out-of-bounds data can therefore be processed and, in some cases, returned to the attacker.
References
+ https://lore.kernel.org/linux-bluetooth/20190110062917.GB15047@kroah.com/
Notes
CVE-2019-3460 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ The function l2cap_get_conf_opt (l2cap_core.c) is used to parse configuration elements during L2CAP connection negotiation.
+
+ In this function the output parameter "val" has a dual use. If the length of the element is 1, 2 or 4, the returned value is copied from the input buffer (received over Bluetooth) and returned by value. For any other length, "val" is returned by reference, as a pointer into the buffer, which is kernel SKB data. Because the length is taken from the same buffer, which is received over Bluetooth, the attacker controls whether "val" holds a value or a pointer.
+
+ "val" is later used as a value or as a pointer depending on a separate field, "type", which is also attacker controlled and taken from the same buffer. The code assumes that "val" matches "type" and uses it by reference or by value accordingly; that assumption is the bug. An attacker can, for example, send a response whose type is MTU (which uses 2 bytes of "val" by value) with a length of 3, so the returned MTU is composed of the 2 low bytes of the pointer to the buffer, which are leaked to the attacker. It is a form of type confusion without a sophisticated type system.
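Both L2CAP descriptions (CVE-2019-3459 above and CVE-2019-3460 here) as a single added example in C, written for this page and not taken from the kernel: a simplified option parser with the shape the text ascribes to l2cap_get_conf_opt and its callers, each vulnerable form beside its hardened form. The option layout (type, length, value), the type codes, the function names and the demo buffers are constructed for the illustration; the real code and its fix differ in detail.

```c
/* Added illustration, not kernel code: a simplified L2CAP option parser in the
 * shape described above. Option format assumed: type(1) length(1) value(length). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OPT_MTU   0x01   /* type codes assumed for the illustration */
#define OPT_OTHER 0x03

/* CVE-2019-3459 shape: every option value is copied into out (as a
 * configuration response echoes it back) BEFORE the loop verifies that the
 * declared length fits inside len, and a short buffer raises no error. */
int parse_conf_vuln(const uint8_t *data, int len, uint8_t *out, size_t outcap)
{
    size_t written = 0;
    const uint8_t *p = data;
    while (len >= 2) {
        uint8_t olen = p[1];
        if (written + olen <= outcap) {
            memcpy(out + written, p + 2, olen);   /* may read past len */
            written += olen;
        }
        p   += 2 + olen;
        len -= 2 + olen;                          /* goes negative, loop ends */
    }
    return (int)written;
}

/* Hardened shape: check the declared length against the remaining buffer
 * before touching the value, and report malformed input to the caller. */
int parse_conf_fixed(const uint8_t *data, int len, uint8_t *out, size_t outcap)
{
    size_t written = 0;
    const uint8_t *p = data;
    while (len >= 2) {
        uint8_t olen = p[1];
        if (2 + olen > len || written + olen > outcap)
            return -1;
        memcpy(out + written, p + 2, olen);
        written += olen;
        p   += 2 + olen;
        len -= 2 + olen;
    }
    return (int)written;
}

/* CVE-2019-3460 shape: val carries the option value for lengths 1, 2 and 4
 * and a pointer to the value bytes for any other length. */
static int get_opt(const uint8_t *opt, uint8_t *type, uint8_t *olen, uintptr_t *val)
{
    *type = opt[0];
    *olen = opt[1];
    switch (*olen) {
    case 1: *val = opt[2]; break;
    case 2: *val = (uintptr_t)opt[2] | (uintptr_t)opt[3] << 8; break;
    case 4: *val = (uintptr_t)opt[2] | (uintptr_t)opt[3] << 8 |
                   (uintptr_t)opt[4] << 16 | (uintptr_t)opt[5] << 24; break;
    default: *val = (uintptr_t)(opt + 2); break;   /* by reference */
    }
    return 2 + *olen;
}

/* Vulnerable consumer: trusts type alone, so a 3-byte MTU option returns the
 * low 16 bits of a buffer address as the MTU. -1 means "not an MTU option". */
int mtu_vuln(const uint8_t *opt)
{
    uint8_t type, olen; uintptr_t val;
    get_opt(opt, &type, &olen, &val);
    return type == OPT_MTU ? (int)(uint16_t)val : -1;
}

/* Hardened consumer: the type fixes the expected length; a mismatch is
 * rejected before val is interpreted. */
int mtu_fixed(const uint8_t *opt)
{
    uint8_t type, olen; uintptr_t val;
    get_opt(opt, &type, &olen, &val);
    return (type == OPT_MTU && olen == 2) ? (int)(uint16_t)val : -1;
}

/* Constructed data: a 6-byte option block handed to the parser with len 6,
 * followed by bytes standing in for adjacent skb memory the peer must not see. */
const uint8_t DEMO_BLOCK[] = {
    OPT_MTU,   0x02, 0xC8, 0x00,     /* MTU = 200, well formed */
    OPT_OTHER, 0x06,                 /* claims 6 value bytes, none inside len */
    0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0x00, 0x00
};
const int DEMO_BLOCK_LEN = 6;
const uint8_t DEMO_MTU3[] = { OPT_MTU, 0x03, 0x11, 0x22, 0x33 };  /* 3-byte "MTU" */

int main(void)
{
    uint8_t out[32];
    int n = parse_conf_vuln(DEMO_BLOCK, DEMO_BLOCK_LEN, out, sizeof out);
    printf("vulnerable parser copied %d bytes (2 legitimate); fixed parser: %d\n",
           n, parse_conf_fixed(DEMO_BLOCK, DEMO_BLOCK_LEN, out, sizeof out));
    printf("3-byte MTU option: vulnerable=%d (pointer bits), fixed=%d\n",
           mtu_vuln(DEMO_MTU3), mtu_fixed(DEMO_MTU3));
    return 0;
}
```

The two checks the hardened forms add are the ones a reviewer looks for in any TLV loop: the declared length is validated against the remaining input before the value is read, and the consumer verifies that the length matches what the type requires before deciding whether val is a value or a pointer.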
References
+ https://lore.kernel.org/linux-bluetooth/8616937378cec9330c27a3b08c24ab15ebb42ecf.camel@perches.com/
Notes