CA Technologies, A Broadcom Company Security Vulnerabilities

Screen reader bug

In sendAccessibilityEvent of NotificationManagerService.java, there is a possible disclosure of notification data due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for...

3P apps can delete arbitrary system files via "am trace-ipc stop" command

In runTraceIpcStop of ActivityManagerShellCommand.java, there is a possible deletion of system files due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

writeToParcel/createFromParcel mismatch in ParsedIntentInfo

In ParsedIntentInfo of ParsedIntentInfo.java, there is a possible parcel serialization/deserialization mismatch due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

HeapDumpProvider is open to any app

In openFile of HeapDumpProvider.java, there is a possible way to retrieve generated heap dumps from debuggable apps due to an unprotected provider. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

avc_enc_fuzzer: Heap-buffer-overflow in ih264e_put_bits

In BITSTREAM_FLUSH of ih264e_bitstream.h, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

App can read iccId of sim card(s) without requiring READ_PRIVILEGED_PHONE_STATE permission.

In getAvailableSubscriptionInfoList of SubscriptionController.java, there is a possible disclosure of unique identifiers due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Sensitive Iccid could be Sniffed by Intercepting ACTION_CONFIGURE_VOICEMAIL Implicit Intent in VoicemailSettingsFragment of Dialer

In onResume of VoicemailSettingsFragment.java, there is a possible way to retrieve a trackable identifier without permissions due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for...

Kernel exploit: futex fixup_pi_state_owner() fault causes stack UAF

In fixup_pi_state_owner of futex.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[a remote root exploit chain to Pwn the latest Pixel Phone]

In several functions of the V8 library, there is a possible use after free due to a race condition. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is not needed for...

[HIDL] libfmq security bug - a client may cause misaligned store and/or buffer overrun

In beginWrite and beginRead of MessageQueueBase.h, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for...

avc_enc_fuzzer: Invalid-free in Codec::encodeFrames

In encodeFrames of avc_enc_fuzzer.cpp, there is a possible out of bounds write due to a double free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Bluetooth security notice: (VU#799380.8 TLP:AMBER)

In smp_process_pairing_public_key of smp_act.cc, there is a possible interception of Bluetooth pairing from an on-path attacker due to improperly used crypto. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Bluetooth security notice (VU#799380.7 TLP:AMBER)

In btm_sec_pin_code_request of btm_sec.cc, there is a possible bypass of Bluetooth pairing pin-code due to improperly used crypto. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is needed for...

[Settings WifiScanModeActivity Could be Overlaid to Trick User Into Allow Scanning Even When Wi-Fi Turned Off]

In onCreate of WifiScanModeActivity.java, there is a possible way to enable Wi-Fi scanning without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for...

Assessment Bug for Security Vulnerability - Fi VPN prevents Chrome from working

In updateCapabilities of ConnectivityService.java, there is a possible incorrect network state determination due to a logic error in the code. This could lead to biasing of networking tasks to occur on non-VPN networks, which could lead to remote information disclosure, with no additional...

App pinning isn't requesting my PIN to exit app pinning mode

In shouldLockKeyguard of LockTaskController.java, there is a possible way to exit App Pinning without a PIN due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[[statsd] out-of-bounds write in statsd when processing ExclusiveStateFieldIndex]

In parseExclusiveStateAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[DeviceChooserActivity Could be Overlaid to Trick User Into Associating a Rogue Companion Device]

In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege and pairing malicious devices with no additional execution privileges needed. User...

Screenshots across multiple users on Android 11

In several functions of ScreenshotHelper.java and related files, there is a possible incorrectly saved screenshot due to a race condition. This could lead to local information disclosure across user profiles with no additional execution privileges needed. User interaction is needed for...

[ImportVCardActivity Could be Overlaid to Trick User into Importing Contacts]

In ImportVCardActivity, there is a possible way to bypass user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for...

OOB Write in NFC stack when handling MIFARE Classic TLVs

In rw_mfc_handle_read_op of rw_mfc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution via a malicious NFC packet with no additional execution privileges needed. User interaction is not needed for...

Heap overflow due to integer overflow in libpac-chromium bundled v8

In Scanner::LiteralBuffer::NewCapacity of scanner.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if an attacker can supply a malicious PAC file, with no additional execution privileges needed. User interaction is not needed for...

Use setFilterTouchesWhenObscured() for potentially dangerous permission screens

In PackageInstaller, there is a possible tapjacking attack due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for...

[UAF problem found in surfaceflinger caused by accessing mInputFlinger simultaneously in different threads]

In bootFinished of SurfaceFlinger.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

[UAF problem found in storaged]

In add_user_ce and remove_user_ce of storaged.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in storaged with no additional execution privileges needed. User interaction is not needed for...

Symfony has a security issue when parsing the Authorization header

All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not maintained anymore....

Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Psf Requests (CVE-2024-35195)

Summary A vulnerability in Psf Requests used by InfoSphere Information Server was addressed. Vulnerability Details ** CVEID: CVE-2024-35195 DESCRIPTION: **Psf Requests could allow a local authenticated attacker to bypass security restrictions, caused by an incorrect control flow implementation...

Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the...

opencontainers runc contains procfs race condition with a shared volume mount

Impact By crafting a malicious root filesystem (with /proc being a symlink to a directory which was inside a volume shared with another running container), an attacker in control of both containers can trick runc into not correctly configuring the container's security labels and not correctly...

Security Bulletin: Storage Virtualize Ansible Collection is affected by a vulnerability in the Python Cryptographic Authority package

Summary The Python cryptography package which provides both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, message digests, and key derivation functions, is used by IBM Ansible plug-in. This library is vulnerable to CVE-2024-26130....

Exploit for Path Traversal in Grafana

grafanaExp 利用grafana...

Security Bulletin: A vulnerability in github.com/containerd/containerd-v1.6.17 affects Data Replication on Cloud Pak for Data

Summary A vulnerability in the github.com/containerd/containerd-v1.6.17 package has been addressed. Vulnerability Details ** CVEID: CVE-2023-25173 DESCRIPTION: **containerd could allow a local authenticated attacker to bypass security restrictions, caused by improper setup for supplementary...

[No enforcement of PAP when MPPE is requested for PPTP VPN]

In startLegacyVpnPrivileged of Vpn.java, there is a possible way to retrieve VPN credentials due to a protocol downgrade attack. This could lead to remote escalation of privilege if a malicious Wi-Fi AP is used, with no additional execution privileges needed. User interaction is not needed for...

Corrupt system by adding many AutomaticZenRules via NotificationManager#addAutomaticZenRule

In addAutomaticZenRule of ZenModeHelper.java, there is a possible permanent denial of service due to resource exhaustion. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for...

Security Bulletin: A vulnerability in XML toolkit for Ruby affects IBM License Metric Tool (CVE-2024-35176).

Summary There is a vulnerability in the XML toolkit for Ruby component used by IBM License Metric Tool. Vulnerability Details ** CVEID: CVE-2024-35176 DESCRIPTION: **Ruby REXML is vulnerable to a denial of service, caused by improper input validation. By parsing a specially crafted XML content...

Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider

Impact A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave...

How to Properly Off-Board a Namespace From Veeam Kasten for Kubernetes Backups

This article documents the procedure to properly off-board a namespace in Veeam Kasten for...

Use Of A Broken Or Risky Cryptographic Algorithm

asymmetricrypt/asymmetricrypt is vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The vulnerability is due to insecure padding within PKCS v1.5, which allows an attacker to brute force the encrypted...

App can set Scan Mode of device' s Bluetooth without showing system dialog to user.

In setScanMode of AdapterService.java, there is a possible way to enable Bluetooth discovery mode without user interaction due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for...

App can set discoverable timeout of device' s Bluetooth without showing system dialog to user.

In setDiscoverableTimeout of AdapterService.java, there is a possible bypass of user interaction due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

[Multiple users can share WI-FI and change WI-FI network]

In onCreateContextMenu of NetworkProviderSettings.java, there is a possible way for non-owner users to change WiFi settings due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for...

[Out of Bounds Read in phNciNfc_RecvMfResp Function in phNxpExtns_MifareStd.cpp in nfc]

In phNciNfc_RecvMfResp of phNxpExtns_MifareStd.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

Cluster Monitoring Operator contains a credentials leak in github.com/openshift/cluster-monitoring-operator

Cluster Monitoring Operator contains a credentials leak in...

K000139592: libxml2 vulnerability CVE-2023-29469

Security Advisory Description An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs...

Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted query on certain columnar tables. (CVE-2024-31881)

Summary IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted query on certain columnar tables by an authenticated user. Vulnerability Details ** CVEID: CVE-2024-31881 DESCRIPTION: **IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server)...

How to Reinstall the Veeam Transport Service on a Linux Server

This article documents the procedure for redeploying the Veeam Transport (Data Mover) Service on a Linux server managed by Veeam Backup & Replication without removing it from Veeam Backup &...

Directus is soft-locked by providing a string value to random string util

Describe the Bug Providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged in sessions can no longer be refreshed as sessions...

Security Bulletin: IBM InfoSphere Information Server is vulnerable due to information exposure in a URL (CVE-2023-50954)

Summary An information exposure vulnerability in InfoSphere Information Server was addressed. Vulnerability Details ** CVEID: CVE-2023-50954 DESCRIPTION: **IBM InfoSphere Information Server returns sensitive information in URL information that could be used in further attacks against the system....

Denial of service while parsing a tar file due to lack of folders count validation

Description: During some analysis today on npm's node-tar package I came across the folder creation process, Basicly if you provide node-tar with a path like this ./a/b/c/foo.txt it would create every folder and sub-folder here a, b and c until it reaches the last folder to create foo.txt, In-this....

Symfony allows direct access of ESI URLs behind a trusted proxy

All 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpKernel component are affected by this security issue. Your application is vulnerable only if the ESI feature is enabled and there is a proxy in front of the web application. This issue has been fixed in Symfony 2.3.19, 2.4.9, and...