IBM Support

Security Bulletin: Multiple vulnerabilities have been identified with the DS8900F and DS8A00 Hardware Management Console (HMC)

Summary

DS8900F and DS8A00 updates have been released to address the following vulnerabilities. Review the Vulnerability Details section below for additional information. CVE-2023-40547 (CVSS Base Score: 8.3), CVE-2024-5564 (CVSS Base Score: 8.1), CVE-2022-48624 (CVSS Base Score: 7.8), CVE-2024-32487 (CVSS Base Score: 7.8), CVE-2020-15778 (CVSS Base Score: 7.8), CVE-2024-27316 (CVSS Base Score: 7.5), CVE-2022-3094 (CVSS Base Score: 7.5), CVE-2023-52425 (CVSS Base Score: 7.5), CVE-2024-25062 (CVSS Base Score: 7.5), CVE-2024-39573 (CVSS Base Score: 7.5), CVE-2024-22354 (CVSS Base Score: 7.0), CVE-2023-5388 (CVSS Base Score: 6.5), CVE-2021-35938 (CVSS Base Score: 6.5), CVE-2021-35939 (CVSS Base Score: 6.5), CVE-2023-50312 (CVSS Base Score: 6.5), CVE-2023-6135 (CVSS Base Score: 6.5), CVE-2023-22745 (CVSS Base Score: 6.4), CVE-2021-35937 (CVSS Base Score: 6.3), CVE-2023-40546 (CVSS Base Score: 6.2), CVE-2023-40549 (CVSS Base Score: 6.2), CVE-2023-20584 (CVSS Base Score: 6), CVE-2023-33850 (CVSS Base Score: 5.9), CVE-2023-40550 (CVSS Base Score: 5.5), CVE-2023-39615 (CVSS Base Score: 5.3), CVE-2023-22081 (CVSS Base Score: 5.3), CVE-2023-22067 (CVSS Base Score: 5.3), CVE-2023-40551 (CVSS Base Score: 5.1), CVE-2023-20592 (CVSS Base Score: 4.3), CVE-2024-22329 (CVSS Base Score: 4.3), CVE-2023-4641 (CVSS Base Score: 4.7), CVE-2023-5676 (CVSS Base Score: 4.1), CVE-2023-3446 (CVSS Base Score: 3.7), CVE-2023-3817 (CVSS Base Score: 3.7), CVE-2023-5678 (CVSS Base Score: 3.7)

Vulnerability Details

CVEID:   CVE-2023-22081
DESCRIPTION:   An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity impact, and low availability impact.
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2023-22067
DESCRIPTION:   An unspecified vulnerability in Java SE related to the CORBA component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2023-5676
DESCRIPTION:   Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw when a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault.
CWE:   CWE-364: Signal Handler Race Condition
CVSS Source:   IBM X-Force
CVSS Base score:   4.1
CVSS Vector:   (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-22329
DESCRIPTION:   IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 are vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, an attacker could exploit this vulnerability to conduct the SSRF attack. X-Force ID: 279951.
CWE:   CWE-918: Server-Side Request Forgery (SSRF)
CVSS Source:   IBM
CVSS Base score:   4.3
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID:   CVE-2023-38709
DESCRIPTION:   Apache HTTP Server is vulnerable to HTTP response splitting attacks, caused by improper input validation in the core. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CWE:   CWE-1284: Improper Validation of Specified Quantity in Input
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:   CVE-2023-22745
DESCRIPTION:   tpm2-tss is vulnerable to a buffer overflow, caused by improper bounds checking by the Tss2_RC_SetHandler and Tss2_RC_Decode function. By sending a specially-crafted request, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CWE:   CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source:   IBM X-Force
CVSS Base score:   6.4
CVSS Vector:   (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2023-20584
DESCRIPTION:   IOMMU improperly handles certain special address ranges with invalid device table entries (DTEs), which may allow an attacker with privileges and a compromised Hypervisor to induce DTE faults to bypass RMP checks in SEV-SNP, potentially leading to a loss of guest integrity.
CVSS Source:   NVD
CVSS Base score:   6
CVSS Vector:   (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)

CVEID:   CVE-2023-31315
DESCRIPTION:   Multiple AMD Processors could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper validation in a model specific register (MSR). By modifying SMM configuration while SMI lock is enabled, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE:   CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS Source:   CVE.org
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID:   CVE-2023-31356
DESCRIPTION:   Incomplete system memory cleanup in SEV firmware could allow a privileged attacker to corrupt guest private memory, potentially resulting in a loss of data integrity.
CWE:   CWE-459: Incomplete Cleanup
CVSS Source:   Advanced Micro Devices Inc.
CVSS Base score:   4.4
CVSS Vector:   (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2024-38473
DESCRIPTION:   Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by an encoding flaw in mod_proxy. By sending specially crafted requests with incorrect encoding, an attacker could exploit this vulnerability to bypass authentication validation.
CWE:   CWE-116: Improper Encoding or Escaping of Output
CVSS Source:   IBM X-Force
CVSS Base score:   8.1
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)

CVEID:   CVE-2024-38474
DESCRIPTION:   Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to cause source disclosure of scripts meant to be executed only as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.
CWE:   CWE-116: Improper Encoding or Escaping of Output
CVSS Source:   IBM X-Force
CVSS Base score:   8.2
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVEID:   CVE-2024-38477
DESCRIPTION:   A NULL pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
CWE:   CWE-476: NULL Pointer Dereference
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-39573
DESCRIPTION:   Apache HTTP Server is vulnerable to server-side request forgery, caused by a flaw in mod_rewrite. By sending a specially crafted request, an attacker could exploit this vulnerability to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-38475
DESCRIPTION:   Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in once it has been ensured that the substitution is appropriately constrained.
CWE:   CWE-116: Improper Encoding or Escaping of Output
CVSS Source:   CISA ADP
CVSS Base score:   9.1
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:   CVE-2023-39615
DESCRIPTION:   Xmlsoft Libxml2 is vulnerable to a denial of service, caused by a global buffer overflow in the xmlSAX2StartElement() function at /libxml2/SAX2.c. By supplying a crafted XML file, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE:   CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2024-27316
DESCRIPTION:   Apache HTTP Server is vulnerable to a denial of service, caused by the failure to check or limit the use of HTTP/2 CONTINUATION frames that can be sent within a single stream. By sending a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, a remote attacker could exploit this vulnerability to cause an out of memory (OOM) crash.
CWE:   CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2020-15778
DESCRIPTION:   OpenSSH could allow a remote attacker to execute arbitrary commands on the system, caused by improper input validation in the remote function in scp.c. By opening a specially crafted file containing backtick characters in the destination argument, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CWE:   CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS Source:   IBM X-Force
CVSS Base score:   7.8
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-48624
DESCRIPTION:   close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.
CWE:   CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS Source:   NVD
CVSS Base score:   7.8
CVSS Vector:   (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2024-32487
DESCRIPTION:   less could allow a remote attacker to execute arbitrary commands on the system. By using a newline character in the name of a file, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CWE:   CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CVSS Source:   IBM X-Force
CVSS Base score:   8.6
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID:   CVE-2024-25062
DESCRIPTION:   An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
CWE:   CWE-416: Use After Free
CVSS Source:   NVD
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-20952
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CWE:   CWE-284: Improper Access Control
CVSS Source:   secalert_us@oracle.com
CVSS Base score:   7.4
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:   CVE-2024-20918
DESCRIPTION:   An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Source:   IBM X-Force
CVSS Base score:   7.4
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:   CVE-2024-20921
DESCRIPTION:   An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact.
CWE:   CWE-276: Incorrect Default Permissions
CVSS Source:   IBM X-Force
CVSS Base score:   5.9
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-20919
DESCRIPTION:   An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high integrity impact.
CVSS Source:   IBM X-Force
CVSS Base score:   4.7
CVSS Vector:   (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2024-20926
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact.
CWE:   CWE-284: Improper Access Control
CVSS Source:   IBM X-Force
CVSS Base score:   5.9
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-20945
DESCRIPTION:   An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact.
CVSS Source:   IBM X-Force
CVSS Base score:   4.7
CVSS Vector:   (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2023-33850
DESCRIPTION:   IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information.
CWE:   CWE-203: Observable Discrepancy
CVSS Source:   IBM
CVSS Base score:   5.9
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2023-50312
DESCRIPTION:   IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.2 could provide weaker than expected security for outbound TLS connections caused by a failure to honor user configuration. IBM X-Force ID: 274711.
CWE:   CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CVSS Source:   NVD
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-45094
DESCRIPTION:   IBM System Storage DS8000 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CWE:   CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source:   IBM X-Force
CVSS Base score:   5.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)

CVEID:   CVE-2023-52425
DESCRIPTION:   libexpat is vulnerable to a denial of service, caused by improper system resource allocation. By sending a specially crafted request using an overly large token, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE:   CWE-400: Uncontrolled Resource Consumption
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2023-3446
DESCRIPTION:   Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
CWE:   CWE-606: Unchecked Input for Loop Condition
CVSS Source:   IBM X-Force
CVSS Base score:   3.7
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2023-3817
DESCRIPTION:   Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
CWE:   CWE-606: Unchecked Input for Loop Condition
CVSS Source:   IBM X-Force
CVSS Base score:   3.7
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2023-5678
DESCRIPTION:   OpenSSL is vulnerable to a denial of service, caused by a flaw when using the DH_generate_key() function to generate an X9.42 DH key. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE:   CWE-606: Unchecked Input for Loop Condition
CVSS Source:   IBM X-Force
CVSS Base score:   3.7
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2022-46329
DESCRIPTION:   Intel PROSet/Wireless WiFi and Killer WiFi products could allow a local authenticated attacker to gain elevated privileges on the system, caused by protection mechanism failure. By sending a specially crafted request, an attacker could exploit this vulnerability to escalate privileges.
CWE:   CWE-693: Protection Mechanism Failure
CVSS Source:   IBM X-Force
CVSS Base score:   8.2
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID:   CVE-2023-20592
DESCRIPTION:   AMD Processors could provide weaker than expected security, caused by improper or unexpected behavior of the INVD instruction. A remote authenticated attacker could exploit this vulnerability to affect cache line write-back behavior of the CPU leading to a potential loss of guest virtual machine (VM) memory integrity.
CVSS Source:   IBM X-Force
CVSS Base score:   4.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2022-3094
DESCRIPTION:   Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.
CWE:   CWE-416: Use After Free
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2023-4641
DESCRIPTION:   shadow-maint shadow-utils could allow a local authenticated attacker to obtain sensitive information, caused by failing to clean the buffer used to store password information. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain password information, and use this information to launch further attacks against the affected system.
CWE:   CWE-303: Incorrect Implementation of Authentication Algorithm
CVSS Source:   IBM X-Force
CVSS Base score:   4.7
CVSS Vector:   (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-22354
DESCRIPTION:   IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or to conduct a server-side request forgery attack. IBM X-Force ID: 280401.
CWE:   CWE-611: Improper Restriction of XML External Entity Reference
CVSS Source:   NVD
CVSS Base score:   7
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L)

CVEID:   CVE-2021-35937
DESCRIPTION:   RPM Project RPM could allow a local authenticated attacker to gain elevated privileges on the system, caused by a TOCTOU race in checks for unsafe symlinks. An attacker could exploit this vulnerability to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501 and gain root privileges on the system.
CWE:   CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVSS Source:   IBM X-Force
CVSS Base score:   6.3
CVSS Vector:   (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2021-35938
DESCRIPTION:   RPM Project RPM could allow a local authenticated attacker to gain elevated privileges on the system, caused by a symbolic link when setting the desired permissions and credentials after installing a file. An attacker could exploit this vulnerability to exchange the original file with a symbolic link to a security-critical file and gain elevated privileges on the system.
CWE:   CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2021-35939
DESCRIPTION:   RPM Project RPM could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to perform checks for unsafe symlinks for intermediary directories. An attacker could exploit this vulnerability to gain root privileges on the system.
CWE:   CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2023-6135
DESCRIPTION:   Mozilla Network Security Services (NSS) NIST curves, as used in Mozilla Firefox, could allow a remote attacker to obtain sensitive information, caused by a side-channel attack known as "Minerva". By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to recover private keys.
CWE:   CWE-203: Observable Discrepancy
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID:   CVE-2023-40546
DESCRIPTION:   rhboot shim is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the mirror_one_esl() function in mok.c. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the application to crash.
CWE:   CWE-476: NULL Pointer Dereference
CVSS Source:   IBM X-Force
CVSS Base score:   6.2
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2023-40547
DESCRIPTION:   rhboot shim could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw in the HTTP boot support (httpboot.c). By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE:   CWE-787: Out-of-bounds Write
CVSS Source:   IBM X-Force
CVSS Base score:   8.3
CVSS Vector:   (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID:   CVE-2023-40548
DESCRIPTION:   rhboot shim could allow a local attacker to execute arbitrary code on the system, caused by an integer overflow that leads to a heap-based buffer overflow in verify_sbat_section on 32-bit systems. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE:   CWE-787: Out-of-bounds Write
CVSS Source:   IBM X-Force
CVSS Base score:   4.9
CVSS Vector:   (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2023-40549
DESCRIPTION:   rhboot shim is vulnerable to a denial of service, caused by an out-of-bounds read flaw in the verify_buffer_authenticode() function in shim.c. By providing a specially crafted PE file, a local attacker could exploit this vulnerability to cause the application to crash.
CWE:   CWE-125: Out-of-bounds Read
CVSS Source:   IBM X-Force
CVSS Base score:   6.2
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2023-40550
DESCRIPTION:   rhboot shim could allow a remote authenticated attacker to obtain sensitive information, caused by an out-of-bounds read flaw in the verify_buffer_sbat() function. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE:   CWE-125: Out-of-bounds Read
CVSS Source:   IBM X-Force
CVSS Base score:   5.5
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2023-40551
DESCRIPTION:   rhboot shim is vulnerable to a denial of service, caused by an out-of-bounds read flaw when parsing MZ binaries. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause the application to crash or obtain sensitive information.
CWE:   CWE-125: Out-of-bounds Read
CVSS Source:   IBM X-Force
CVSS Base score:   5.1
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H)

CVEID:   CVE-2023-5388
DESCRIPTION:   NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-5564
DESCRIPTION:   libndp is vulnerable to a buffer overflow, caused by improper bounds checking by NetworkManager. By sending a specially crafted IPv6 router advertisement packet, an attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CWE:   CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source:   IBM X-Force
CVSS Base score:   8.1
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2023-1667
DESCRIPTION:   libssh is vulnerable to a denial of service, caused by a NULL pointer dereference during rekeying with algorithm guessing. A remote authenticated attacker could exploit this vulnerability to cause the daemon to crash.
CWE:   CWE-476: NULL Pointer Dereference
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2023-2283
DESCRIPTION:   libssh could allow a remote attacker to bypass security restrictions, caused by a memory allocation flaw in the pki_verify_data_signature function. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the authentication check of the connecting client.
CWE:   CWE-287: Improper Authentication
CVSS Source:   IBM X-Force
CVSS Base score:   4.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) / Version(s)

R10.0: 10.1.3.0, 10.0.245.0

R9.4: 89.42.18.0, 89.41.25.0, 89.40.83.0

R9.3: 89.33.52.0, 89.33.45.0

All versions of microcode for the DS8900F (R9.x) prior to and including the above version(s) are affected.

Note 1: The above CVEs affect only the HMC. The DS8900F and DS8A00 HMC do not contain any files with customer data. External users cannot access customer data.

Note 2: DS8900F and DS8A00 HMC are not affected by CVE-2024-38475 (CVSS Base Score: 9.1).

Note 3: The following CVEs are applicable only for DS8900F HMC.

CVE-2023-33850: IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information.
CVE-2023-22081: An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity impact, and low availability impact.
CVE-2023-22067: An unspecified vulnerability in Java SE related to the CORBA component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.

Remediation/Fixes

DS8A00 fixes are delivered in Microcode Bundle 10.2.35.0 R10.0 SP2

DS8900F fixes are delivered in Microcode Bundle 89.43.3.0 R9.4 SP3

DS8A00 customers should either schedule Remote Code Load (RCL) via https://www.ibm.com/support/pages/ibm-remote-code-load or contact IBM support, and request that 10.2.35.0 be applied to their systems.

DS8900F customers should either schedule Remote Code Load (RCL) via https://www.ibm.com/support/pages/ibm-remote-code-load or contact IBM support, and request that 89.43.3.0 be applied to their systems.

NOTE: For the current recommended code releases, please see https://www.ibm.com/support/pages/ds8000-code-recommendation

Workarounds and Mitigations

None

Change History

27 May 2025: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

Document Information

Modified date: 27 May 2025

UID: ibm17234276