Log

AVG-2038 edited at 04 Jun 2021 21:21:01
Severity
- Unknown
+ Medium
CVE-2021-33503 edited at 04 Jun 2021 21:21:01
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ A security issue has been found in python-urllib3 before version 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL was passed as a parameter or redirected to via an HTTP redirect.
References
+ https://github.com/urllib3/urllib3/security/advisories/GHSA-q2q7-5pp4-w6pg
+ https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
Notes
AVG-2038 created at 04 Jun 2021 21:18:41
Packages
+ python-urllib3
Issues
+ CVE-2021-33503
Status
+ Fixed
Severity
+ Unknown
Affected
+ 1.26.4-2
Fixed
+ 1.26.5-1
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-33503 created at 04 Jun 2021 21:18:41
AVG-1516 edited at 04 Jun 2021 20:17:16
Affected
- 3.40.1-1
+ 3.40.2-1
CVE-2021-3565 edited at 04 Jun 2021 14:49:29
Description
- During the tpm2_import command invocation a fixed AES wrapping key is used. This presents a weakness in that, when no encrypted session with the TPM is used, the encrypted inner wrapper key is known and thus an entity performing a man-in-the-middle (MITM) attack on the TPM would be able to unwrap the inner portion and reveal the key being imported.
+ A security issue was found in tpm2-tools before version 5.1.1. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a man-in-the-middle (MITM) attacker to unwrap the inner portion and reveal the key being imported.
AVG-2037 edited at 04 Jun 2021 09:05:03
Severity
- High
+ Low
CVE-2021-22222 edited at 04 Jun 2021 09:05:03
Severity
- High
+ Low
AVG-2037 edited at 04 Jun 2021 09:03:48
Severity
- Unknown
+ High
CVE-2021-22222 edited at 04 Jun 2021 09:03:48
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ An infinite loop in the DVB-S2-BB dissector in Wireshark 3.4.0 to 3.4.5 allows a denial of service via packet injection or a crafted capture file.
References
+ https://www.wireshark.org/security/wnpa-sec-2021-05
+ https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22222.json
+ https://gitlab.com/wireshark/wireshark/-/merge_requests/3130
+ https://gitlab.com/wireshark/wireshark/-/commit/0d8be1fb797b3d65f1c2c204da76af8e8de6d3cc
Notes
AVG-2037 created at 04 Jun 2021 09:01:16
Packages
+ wireshark-cli
Issues
+ CVE-2021-22222
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 3.4.5-1
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-22222 created at 04 Jun 2021 09:01:16
AVG-2036 edited at 04 Jun 2021 07:48:40
Severity
- Unknown
+ Medium
CVE-2021-3572 edited at 04 Jun 2021 07:48:40
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Silent downgrade
Description
+ A security issue has been found in pip before version 21.1. Maliciously formatted tags could be used to hijack a commit-based pin. Using the fact that all of Unicode's whitespace characters were allowed as separators - which git allows as a part of a tag name - it is possible to force a different revision to be installed if an attacker gains access to the repository.
References
+ https://github.com/pypa/pip/pull/9827
+ https://github.com/pypa/pip/commit/ca832b2836e0bffa7cf95589acdcd71230f5834e
Notes
AVG-2036 created at 04 Jun 2021 07:43:55
Packages
+ python-pip
Issues
+ CVE-2021-3572
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 20.3.1-1
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-3572 created at 04 Jun 2021 07:43:55
CVE-2021-33198 edited at 04 Jun 2021 07:38:25
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ A security issue has been found in Go before version 1.16.5. The SetString and UnmarshalText methods of math/big.Rat may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.
References
+ https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI/m/r_EP-NlKBgAJ
+ https://github.com/golang/go/issues/45910
+ https://github.com/golang/go/commit/9210eaf7dc704612a6eda97c482012f779fd833b