Log

CVE-2019-2435 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Authentication bypass
Description
+ A flaw was found in MySQL Connector/Python 8.0.13 and earlier. An unauthenticated attacker with network access via TLS could compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized creation, deletion or modification access to critical data.
References
+ https://github.com/mysql/mysql-connector-python/commit/069bc6737dd13b7f3a41d7fc23b789b659d8e205
+ https://security.netapp.com/advisory/ntap-20190118-0002/
+ https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Notes
CVE-2019-3459 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ In the functions l2cap_parse_conf_rsp and l2cap_parse_conf_req (l2cap_core.c), and in other locations, a while loop parses the configuration elements exchanged during an L2CAP connection negotiation.
+
+ The loop processes each element before checking that the element lies entirely inside the buffer, and when data outside the buffer is processed the function does not return an error.
+
+ Out-of-bounds data can therefore be processed and, in some cases, returned to the attacker.
References
+ https://lore.kernel.org/linux-bluetooth/20190110062917.GB15047@kroah.com/
Notes
CVE-2019-3460 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ The function l2cap_get_conf_opt (l2cap_core.c) is used to parse configuration elements during an L2CAP connection negotiation.
+
+ In this function the output parameter "val" has a dual use. If the length of the element is 1, 2 or 4, the returned value is copied from the input buffer (received over Bluetooth) and returned by value. For any other length, the value is returned by reference, as a pointer into the buffer, which belongs to a kernel SKB. Since the length is taken from that same buffer, the attacker controls whether "val" holds a pointer or a value.
+
+ "val" is later consumed either as a value or as a pointer depending on a separate field, "type", which is also attacker controlled and taken from the same buffer. The code assumes that "val" matches the "type" and uses it by reference or by value accordingly; this assumption is the bug. An attacker can send a response in which, for example, the type is MTU (which consumes 2 bytes of "val" by value) but the length is 3, so the returned MTU is actually the 2 lower bytes of the pointer into the SKB, which are leaked to the attacker. It is a form of type confusion without a sophisticated type system.
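CVE-2019-3459 and CVE-2019-3460 come from the same parsing pattern, so one model covers both. The following userspace C program is an added illustration, not kernel code and not part of either report: it models a stripped-down l2cap_get_conf_opt() with the dual-use "val" parameter and the request-parsing loop around it, first in the pre-fix shape and then with the two checks the descriptions above call for (bound the option before decoding it, and require the value length the type expects). The option type numbers, value sizes, the two frames and the 0xEE filler standing in for memory after the received frame are all constructed for this demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified L2CAP configuration option: type, length, then `len` value bytes.
 * Type numbers and expected value sizes are assumed for this demo. */
#define CONF_MTU      0x01  /* 2-byte value */
#define CONF_FLUSH_TO 0x02  /* 2-byte value */
#define CONF_OPT_SIZE 2     /* size of the type+len header */

struct conf_opt { uint8_t type; uint8_t len; uint8_t val[]; };

struct conf_result {
    uint16_t mtu, flush_to;
    size_t   consumed;   /* bytes the parser actually walked past `data` */
    bool     rejected;
};

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p)
{ return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Dual-use output parameter, modelled on l2cap_get_conf_opt(): for a declared
 * length of 1, 2 or 4 *val is the decoded integer; for anything else it is the
 * ADDRESS of the value bytes. The remote peer chooses the length. */
static int get_conf_opt(const uint8_t **ptr, int *type, int *olen, uintptr_t *val)
{
    const struct conf_opt *opt = (const struct conf_opt *)*ptr;
    int len = CONF_OPT_SIZE + opt->len;
    *ptr += len;
    *type = opt->type;
    *olen = opt->len;
    switch (opt->len) {
    case 1:  *val = opt->val[0];          break;
    case 2:  *val = get_le16(opt->val);   break;
    case 4:  *val = get_le32(opt->val);   break;
    default: *val = (uintptr_t)opt->val;  break;  /* by reference */
    }
    return len;
}

/* Pre-fix pattern: decode first, account for the length afterwards, and trust
 * that `val` matches what `type` expects. */
static struct conf_result parse_vulnerable(const uint8_t *data, int len)
{
    struct conf_result r = {0};
    const uint8_t *p = data;
    int type, olen; uintptr_t val;

    while (len >= CONF_OPT_SIZE) {
        /* CVE-2019-3459 shape: opt->len is honoured before checking that it
         * fits in `len`, so value bytes may be read from past the frame. */
        len -= get_conf_opt(&p, &type, &olen, &val);
        switch (type) {
        case CONF_MTU:
            /* CVE-2019-3460 shape: with olen == 3, `val` is a pointer and its
             * low 16 bits become the "MTU" that is echoed back to the peer. */
            r.mtu = (uint16_t)val;
            break;
        case CONF_FLUSH_TO:
            r.flush_to = (uint16_t)val;
            break;
        }
    }
    r.consumed = (size_t)(p - data);
    return r;
}

/* Hardened pattern: bound the option before decoding it, and reject any
 * by-value option whose declared length does not match its type. */
static struct conf_result parse_fixed(const uint8_t *data, int len)
{
    struct conf_result r = {0};
    const uint8_t *p = data;
    int type, olen; uintptr_t val;

    while (len >= CONF_OPT_SIZE) {
        const struct conf_opt *opt = (const struct conf_opt *)p;
        if (CONF_OPT_SIZE + opt->len > len) { r.rejected = true; break; }
        len -= get_conf_opt(&p, &type, &olen, &val);
        if ((type == CONF_MTU || type == CONF_FLUSH_TO) && olen != 2) { r.rejected = true; break; }
        if (type == CONF_MTU)      r.mtu = (uint16_t)val;
        if (type == CONF_FLUSH_TO) r.flush_to = (uint16_t)val;
    }
    r.consumed = (size_t)(p - data);
    return r;
}

/* Constructed frames. LEAK_PKT is an MTU option declaring a 3-byte value.
 * OOB_STORE stands in for the SKB: only OOB_DECLARED bytes were received; the
 * 0xEE bytes model whatever memory happens to follow the frame. */
static const uint8_t LEAK_PKT[]  = { CONF_MTU, 3, 0xAA, 0xBB, 0xCC };
static const uint8_t OOB_STORE[] = { CONF_MTU, 2, 0xF4, 0x01,    /* MTU = 500 */
                                     CONF_FLUSH_TO, 2,           /* header only */
                                     0xEE, 0xEE, 0xEE, 0xEE };   /* not part of frame */
#define OOB_DECLARED 6

uint16_t vulnerable_leak_mtu(void)     { return parse_vulnerable(LEAK_PKT, sizeof LEAK_PKT).mtu; }
uint16_t expected_leak_low16(void)     { return (uint16_t)(uintptr_t)&LEAK_PKT[2]; }
bool     fixed_rejects_leak(void)      { return parse_fixed(LEAK_PKT, sizeof LEAK_PKT).rejected; }
size_t   vulnerable_oob_consumed(void) { return parse_vulnerable(OOB_STORE, OOB_DECLARED).consumed; }
uint16_t vulnerable_oob_flush_to(void) { return parse_vulnerable(OOB_STORE, OOB_DECLARED).flush_to; }
bool     fixed_rejects_oob(void)       { return parse_fixed(OOB_STORE, OOB_DECLARED).rejected; }

int main(void)
{
    printf("vulnerable: MTU=0x%04x (low 16 bits of %p); walked %zu of %d frame bytes, flush_to=0x%04x\n",
           vulnerable_leak_mtu(), (const void *)&LEAK_PKT[2],
           vulnerable_oob_consumed(), OOB_DECLARED, vulnerable_oob_flush_to());
    printf("fixed: leak rejected=%d, out-of-bounds option rejected=%d\n",
           fixed_rejects_leak(), fixed_rejects_oob());
    return 0;
}
```

Run with the vulnerable parser and the "MTU" for the first frame is the low half of a buffer address, while the second frame is walked 8 bytes deep although only 6 were declared and the flush timeout comes from the filler; parse_fixed refuses both before anything past the frame or any pointer-as-value is touched.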
References
+ https://lore.kernel.org/linux-bluetooth/8616937378cec9330c27a3b08c24ab15ebb42ecf.camel@perches.com/
Notes
CVE-2019-3498 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Content spoofing
Description
+ A content spoofing issue has been found in Django before 2.1.5, 2.0.10 and 1.11.18, where an attacker could craft a malicious URL that makes spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.
References
+ https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
+ https://github.com/django/django/commit/64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b
+ https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a
Notes
CVE-2019-3806 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Access restriction bypass
Description
+ An issue has been found in PowerDNS Recursor before 4.1.9 where Lua hooks are not properly applied to queries received over TCP under a specific combination of settings, possibly bypassing security policies enforced using Lua.
References
Notes
CVE-2019-3807 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Insufficient validation
Description
+ An issue has been found in PowerDNS Recursor before 4.1.9 where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.
References
Notes
CVE-2019-3812 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ QEMU, up to and including version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute I2C commands could exploit this to read stack memory of the qemu process on the host.
References
+ https://github.com/qemu/qemu/commit/b05b267840515730dbf6753495d5b7bd8b04ad1c
Notes
CVE-2019-3813 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers.
References
+ https://gitlab.freedesktop.org/spice/spice/commit/a4a16ac42d2f19a17e36556546aa94d5cd83745f
+ https://access.redhat.com/errata/RHSA-2019:0231
Notes
CVE-2019-3814 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Authentication bypass
Description
+ A vulnerability has been found in Dovecot versions prior to 2.3.4.1, allowing a remote client in possession of a trusted SSL certificate to log in as any user, in some configurations.
+ Only installations using auth_ssl_require_client_cert = yes together with auth_ssl_username_from_cert = yes are affected, and only when the attacker holds a trusted certificate that lacks the field named by ssl_cert_username_field (commonName by default). Instead of failing the authentication when that field is missing, affected versions take the username from the authentication data supplied by the client (e.g. the LOGIN command); if no additional password verification is configured, this lets the attacker log in as any user.
References
+ https://www.dovecot.org/pipermail/dovecot/2019-February/114575.html
+ https://github.com/dovecot/core/commit/61471a5c42528090cffcca9bceded316746637b7
Notes
+ Needs better description
CVE-2019-3820 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Access restriction bypass
Description
+ A partial screen lock bypass via keybindings has been found in gdm <= 3.30.2, allowing a local attacker to unlock a session under certain circumstances.
References
+ https://gitlab.gnome.org/GNOME/gnome-shell/issues/851
Notes