Log

AVG-2231 edited at 28 Jul 2021 08:51:08
Severity
- Unknown
+ Low
CVE-2021-3658 edited at 28 Jul 2021 08:51:08
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1984728
+ https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=b497b5942a8beb8f89ca1c359c54ad67ec843055
Notes
AVG-2231 created at 28 Jul 2021 08:49:57
Packages
+ bluez
Issues
+ CVE-2021-3658
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 5.60-1
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-3658 created at 28 Jul 2021 08:49:57
AVG-1393 edited at 28 Jul 2021 08:48:46
Severity
- Low
+ Medium
CVE-2021-3660 edited at 28 Jul 2021 08:48:46
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Insufficient validation
Description
+ Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1980688
+ https://github.com/cockpit-project/cockpit/issues/16122
+ https://cockpit-project.org/guide/latest/embedding.html
AVG-1393 edited at 28 Jul 2021 08:45:59
Issues
CVE-2020-35850
+ CVE-2021-3660
CVE-2021-3660 created at 28 Jul 2021 08:45:59
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes
AVG-2230 edited at 28 Jul 2021 08:45:06
Severity
- Unknown
+ Low
CVE-2021-3667 edited at 28 Jul 2021 08:45:06
Severity
- Unknown
+ Low
Remote
- Unknown
+ Local
Type
- Unknown
+ Denial of service
Description
+ An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1986094
+ https://bugzilla.redhat.com/show_bug.cgi?id=1984318
+ https://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87
Notes
AVG-2230 created at 28 Jul 2021 08:43:01
Packages
+ libvirt
Issues
+ CVE-2021-3667
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 1:7.5.0-1
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-3667 created at 28 Jul 2021 08:43:01
CVE-2021-2389 edited at 28 Jul 2021 08:40:14
References
- https://www.oracle.com/security-alerts/cpujul2021verbose.html#MSQL
+ https://mariadb.com/kb/en/mariadb-1064-release-notes/
CVE-2021-2372 edited at 28 Jul 2021 08:40:04
References
- https://mariadb.com/kb/en/security/
+ https://mariadb.com/kb/en/mariadb-1064-release-notes/
CVE-2021-2389 edited at 28 Jul 2021 08:38:17
Description
- Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
+ A security issue has been found in the InnoDB component of MariaDB before version 10.6.4. A difficult to exploit vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise the MariaDB server. Successful attacks of this vulnerability can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete denial of service) of the MariaDB server.
Notes
CVE-2021-2372 edited at 28 Jul 2021 08:37:44
Description
- Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
+ A security issue has been found in the InnoDB component of MariaDB before version 10.6.4. A difficult to exploit vulnerability allows a high privileged attacker with network access via multiple protocols to compromise the MariaDB server. Successful attacks of this vulnerability can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete denial of service) of the MariaDB server.
References
- https://www.oracle.com/security-alerts/cpujul2021verbose.html#MSQL
+ https://mariadb.com/kb/en/security/