Log

CVE-2019-3861 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Information disclosure
Description
+ An issue has been found in libssh2 before 1.8.1 where a server could send a specially crafted SSH packet with a padding length value greater than the packet length. This would result in a buffer read out of bounds when decompressing the packet or result in a corrupted packet value.
References
+ https://www.libssh2.org/CVE-2019-3861.html
+ https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch
Notes
CVE-2019-3862 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Information disclosure
Description
+ An issue has been found in libssh2 before 1.8.1 where a server could send a specially crafted SSH_MSG_CHANNEL_REQUEST packet with an exit status message and no payload. This would result in an out of bounds memory comparison.
References
+ https://www.libssh2.org/CVE-2019-3862.html
+ https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
Notes
CVE-2019-3863 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ An issue has been found in libssh2 before 1.8.1 where a server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.
References
+ https://www.libssh2.org/CVE-2019-3863.html
+ https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
Notes
CVE-2019-3871 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Insufficient validation
Description
+ An issue has been found in PowerDNS Authoritative Server before 4.1.7, when the HTTP remote backend is used in RESTful mode (without post=1 set), allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one, via a crafted DNS query. This can be used to cause a denial of service by preventing the remote backend from getting a response, content spoofing if the attacker can time its own query so that subsequent queries will use an attacker-controlled HTTP server instead of the configured one, and possibly information disclosure if the Authoritative Server has access to internal servers.
References
+ https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
+ https://github.com/PowerDNS/pdns/issues/7573
+ https://github.com/PowerDNS/pdns/pull/7577
Notes
CVE-2019-5435 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ libcurl before 7.65.0 contains two integer overflows in the curl_url_set() function that if triggered, can lead to a too small buffer allocation and a subsequent heap buffer overflow. The flaws only exist on 32 bit architectures and require excessive string input lengths.
References
+ https://curl.haxx.se/docs/CVE-2019-5435.html
+ https://github.com/curl/curl/commit/5fc28510a4664f4
Notes
CVE-2019-5436 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ libcurl before 7.65.0 contains a heap buffer overflow in the function (tftp_receive_packet()) that receives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server.
+
+ The flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller size that is used, the larger the possible overflow becomes. Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger.
References
+ https://curl.haxx.se/docs/CVE-2019-5436.html
+ https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
Notes
CVE-2019-5439 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ VideoLAN VLC media player 3.0.6 and earlier has a out-of-bounds write has been found in the ReadFrame function of the AVI decoder.
References
+ https://www.videolan.org/security/sa1901.html
+ https://hackerone.com/reports/484398
Notes
CVE-2019-5481 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Denial of service
Description
+ libcurl can be told to use kerberos over FTP to a server, as set with the CURLOPT_KRBLEVEL option. During such kerberos FTP data transfer, the server sends data to curl in blocks with the 32 bit size of each block first and then that amount of data immediately following. A malicious or just broken server can claim to send a very large block and if by doing that it makes curl's subsequent call to realloc() to fail, curl would then misbehave in the exit path and double-free the memory. In practical terms, an up to 4 GB memory area may very well be fine to allocate on a modern 64 bit system but on 32 bit systems it will fail. Kerberos FTP is a rarely used protocol with curl. Also, Kerberos authentication is usually only attempted and used with servers that the client has a previous association with.
References
+ https://curl.haxx.se/docs/CVE-2019-5481.html
+ https://github.com/curl/curl/commit/0649433da53c7165f839e2
Notes
CVE-2019-5482 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ libcurl contains a heap buffer overflow in the function (tftp_receive_packet()) that receives data from a TFTP server. It can call recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is controlled by the server. This flaw is only triggered if the TFTP server sends an OACK without the BLKSIZE option, when a BLKSIZE smaller than 512 bytes was requested by the TFTP client. OACK is a TFTP extension and is not used by all TFTP servers. Users choosing a smaller block size than default should be rare as the primary use case for changing the size is to make it larger. It is rare for users to use TFTP across the Internet. It is most commonly used within local networks. TFTP as a protocol is always inherently insecure. This issue was introduced by the add of the TFTP BLKSIZE option handling. It was previously incompletely fixed by an almost identical issue called CVE-2019-5436.
References
+ https://curl.haxx.se/docs/CVE-2019-5482.html
+ https://github.com/curl/curl/commit/facb0e4662415b5f28163e853dc6742ac5fafb3d
Notes
CVE-2019-5489 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Information disclosure
Description
+ The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.
References
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=574823bfab82d9d8fa47f422778043fbb4b4f50e
Notes