diff --git a/cache/Nsfocus.dat b/cache/Nsfocus.dat index 9fda5c50ac3..283def936e7 100644 --- a/cache/Nsfocus.dat +++ b/cache/Nsfocus.dat @@ -113,3 +113,18 @@ d6658abbd16564ecc28787da9013447d 238e894cf448063264092e0bc606f943 363451852c122662b2202e47a2d88a11 9d18c1a1202465d8da8a4febcd3ea4cc +71669387c4b075652a58409547c31a4f +a171b437a2f8ab25bc8d914b98b75442 +ed48e8b228585e798354e55bd55c9d45 +b9500f4acc75740dc9dc59e4d407d324 +216e99355029fdd49ce1767701451226 +518652a714bd4883f27b4a8b79115a4f +873d725b0a9586e37c7eb1ffcb4e9bae +9d64037a67fd058e4776fa5a69d239e3 +9561c36cb6c8603290999f06c5f636f0 +b621a60d320d56d289b44ff22802636f +f4e542e1b1c72221bfc003491464ed6e +2276a5100caa798a772b5c8c54db3c2a +9cf52f7346715614d3c01906e6c4304e +bcb5f3f91fffaf066add7b5001fbfd44 +f7c6b5f957f75dc3d1233dc65a7e3d1d diff --git a/data/cves.db b/data/cves.db index 5fbee3efc99..f853b4b25ee 100644 Binary files a/data/cves.db and b/data/cves.db differ diff --git a/docs/index.html b/docs/index.html index c97bd7b47a7..554f2143c87 100644 --- a/docs/index.html +++ b/docs/index.html @@ -1,4 +1,4 @@ - + @@ -446,7 +446,7 @@

眈眈探求 | + 2024-10-28 04:15:02 SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users' jobs. This is limited to jobs explicitly running with --stepmgr, or on systems that have globally enabled stepmgr via SlurmctldParameters=enable_stepmgr in their configuration. 详情 @@ -454,7 +454,7 @@

眈眈探求 | + 2024-10-28 03:15:02 The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL command to read, modify, and delete database contents. 详情 @@ -462,7 +462,7 @@

眈眈探求 | + 2024-10-28 03:15:02 The eHRD CTMS from Sunnet has an Insecure Direct Object Reference (IDOR) vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to access arbitrary files uploaded by any user. 详情 @@ -470,7 +470,7 @@

眈眈探求 | + 2024-10-28 02:15:02 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Genians Genian NAC V5.0, Genians Genian NAC LTS V5.0.This issue affects Genian NAC V5.0: from V5.0.0 through V5.0.60; Genian NAC LTS V5.0: from 5.0.0 LTS through 5.0.55 LTS(Revision 125558), from 5.0.0 LTS through 5.0.56 LTS(Revision 125560). 详情 @@ -478,7 +478,7 @@

眈眈探求 | + 2024-10-28 01:15:02 In the Linux kernel, the following vulnerability has been resolved: uprobe: avoid out-of-bounds memory access of fetching args Uprobe needs to fetch args into a percpu buffer, and then copy to ring buffer to avoid non-atomic context problem. Sometimes user-space strings, arrays can be very large, but the size of percpu buffer is only page size. And store_trace_args() won't check whether these data exceeds a single page or not, caused out-of-bounds memory access. It could be reproduced by following steps: 1. build kernel with CONFIG_KASAN enabled 2. save follow program as test.c ``` \#include \#include \#include // If string length large than MAX_STRING_SIZE, the fetch_store_strlen() // will return 0, cause __get_data_size() return shorter size, and // store_trace_args() will not trigger out-of-bounds access. // So make string length less than 4096. \#define STRLEN 4093 void generate_string(char *str, int n) { int i; for (i = 0; i < n; ++i) { char c = i % 26 + 'a'; str[i] = c; } str[n-1] = '\0'; } void print_string(char *str) { printf("%s\n", str); } int main() { char tmp[STRLEN]; generate_string(tmp, STRLEN); print_string(tmp); return 0; } ``` 3. compile program `gcc -o test test.c` 4. get the offset of `print_string()` ``` objdump -t test | grep -w print_string 0000000000401199 g F .text 000000000000001b print_string ``` 5. configure uprobe with offset 0x1199 ``` off=0x1199 cd /sys/kernel/debug/tracing/ echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring" > uprobe_events echo 1 > events/uprobes/enable echo 1 > tracing_on ``` 6. run `test`, and kasan will report error. 
================================================================== BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0 Write of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18 Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014 Call Trace: dump_stack_lvl+0x55/0x70 print_address_description.constprop.0+0x27/0x310 kasan_report+0x10f/0x120 ? strncpy_from_user+0x1d6/0x1f0 strncpy_from_user+0x1d6/0x1f0 ? rmqueue.constprop.0+0x70d/0x2ad0 process_fetch_insn+0xb26/0x1470 ? __pfx_process_fetch_insn+0x10/0x10 ? _raw_spin_lock+0x85/0xe0 ? __pfx__raw_spin_lock+0x10/0x10 ? __pte_offset_map+0x1f/0x2d0 ? unwind_next_frame+0xc5f/0x1f80 ? arch_stack_walk+0x68/0xf0 ? is_bpf_text_address+0x23/0x30 ? kernel_text_address.part.0+0xbb/0xd0 ? __kernel_text_address+0x66/0xb0 ? unwind_get_return_address+0x5e/0xa0 ? __pfx_stack_trace_consume_entry+0x10/0x10 ? arch_stack_walk+0xa2/0xf0 ? _raw_spin_lock_irqsave+0x8b/0xf0 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? depot_alloc_stack+0x4c/0x1f0 ? _raw_spin_unlock_irqrestore+0xe/0x30 ? stack_depot_save_flags+0x35d/0x4f0 ? kasan_save_stack+0x34/0x50 ? kasan_save_stack+0x24/0x50 ? mutex_lock+0x91/0xe0 ? __pfx_mutex_lock+0x10/0x10 prepare_uprobe_buffer.part.0+0x2cd/0x500 uprobe_dispatcher+0x2c3/0x6a0 ? __pfx_uprobe_dispatcher+0x10/0x10 ? __kasan_slab_alloc+0x4d/0x90 handler_chain+0xdd/0x3e0 handle_swbp+0x26e/0x3d0 ? __pfx_handle_swbp+0x10/0x10 ? 
uprobe_pre_sstep_notifier+0x151/0x1b0 irqentry_exit_to_user_mode+0xe2/0x1b0 asm_exc_int3+0x39/0x40 RIP: 0033:0x401199 Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206 RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2 RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0 RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20 R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040 R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000 This commit enforces the buffer's maxlen less than a page-size to avoid store_trace_args() out-of-memory access. 详情 @@ -486,7 +486,7 @@

眈眈探求 | + 2024-10-28 01:15:02 A vulnerability was found in didi Super-Jacoco 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /cov/triggerEnvCov. The manipulation of the argument uuid leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. 详情 @@ -494,7 +494,7 @@

眈眈探求 | + 2024-10-28 01:15:02 A vulnerability was found in Tenda AC1206 up to 20241027. It has been classified as critical. This affects the function ate_Tenda_mfg_check_usb/ate_Tenda_mfg_check_usb3 of the file /goform/ate. The manipulation of the argument arg leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. 详情 @@ -502,7 +502,7 @@

眈眈探求 | + 2024-10-28 00:15:03 ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This is related to kmail-account-wizard. 详情 @@ -510,7 +510,7 @@

眈眈探求 | + 2024-10-28 00:15:03 In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability. 详情 @@ -518,7 +518,7 @@

眈眈探求 | + 2024-10-28 00:15:03 A vulnerability was found in Project Worlds Simple Web-Based Chat Application 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument Name/Comment leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions different parameters to be affected which do not correlate with the screenshots of a successful attack. 详情 @@ -2148,75 +2148,75 @@

眈眈探求 | - WordPress Flaming Forms Plugin跨站脚本漏洞 - 详情 + 71669387c4b075652a58409547c31a4f + CVE-2024-3903 + 2024-10-29 03:28:34 + WordPress plugin Add Custom CSS and JS存储型跨站脚本漏洞 + 详情 - eca9172b335850116c780bb129d0904a - CVE-2024-5053 - 2024-10-28 09:24:46 - WordPress Contact Form Plugin未授权Malichimp API密钥更新漏洞 - 详情 + a171b437a2f8ab25bc8d914b98b75442 + CVE-2024-8335 + 2024-10-29 03:28:34 + OpenRapid RapidCMS SQL注入漏洞 + 详情 - 221c725f8954f8c62d704406ab6f406e - CVE-2024-42058 - 2024-10-28 09:24:46 - Zyxel ATP和USG多款产品空指针解引用漏洞 - 详情 + ed48e8b228585e798354e55bd55c9d45 + CVE-2024-8260 + 2024-10-29 03:28:34 + Open Policy Agent输入验证不当漏洞 + 详情 - 802e7fd04affb3b5063801d81b995297 - CVE-2024-5148 - 2024-10-28 09:24:46 - GNOME Remote desktop数据元素泄露漏洞 - 详情 + b9500f4acc75740dc9dc59e4d407d324 + CVE-2024-8336 + 2024-10-29 03:28:34 + SourceCodester Music Gallery Site SQL注入漏洞 + 详情 - d1d5593dc6561405819cab9e902fac5b - CVE-2024-28044 - 2024-10-28 09:24:46 - OpenHarmony整数溢出漏洞 - 详情 + 216e99355029fdd49ce1767701451226 + CVE-2024-8337 + 2024-10-29 03:28:34 + SourceCodester Contact Manager with Export to VCF跨站脚本执行漏洞 + 详情 - 6810c049fec26809f456e928b74f3c61 - CVE-2024-43775 - 2024-10-28 09:24:46 - Huachu Digital Easytest Online Test Platform SQL注入漏洞 - 详情 + 518652a714bd4883f27b4a8b79115a4f + CVE-2024-3916 + 2024-10-29 03:28:34 + WordPress plugin Swift Framework存储型跨站脚本漏洞 + 详情 - e9f5a9f3eabd8a23016e026558b05b4b - CVE-2024-8365 - 2024-10-28 09:24:46 - HashiCorp Vault Community Edition和Vault Enterprise信息泄露漏洞 - 详情 + 873d725b0a9586e37c7eb1ffcb4e9bae + CVE-2024-8285 + 2024-10-29 03:28:34 + Kroylicious主机名验证不当漏洞 + 详情 - cc8c1b4e5c481b517d034f709500659b - CVE-2024-42471 - 2024-10-28 09:24:46 - actions/artifact任意文件写入漏洞 - 详情 + 9d64037a67fd058e4776fa5a69d239e3 + CVE-2024-4082 + 2024-10-29 03:28:34 + WordPress plugin Joli FAQ SEO跨站请求伪造漏洞 + 详情 - 9d1c820515e429480cb35251a676af5e - CVE-2024-43774 - 2024-10-28 09:24:46 - Huachu Digital Easytest Online Test Platform SQL注入漏洞 - 详情 + 9561c36cb6c8603290999f06c5f636f0 + 
CVE-2024-3915 + 2024-10-29 03:28:34 + WordPress plugin Swift Framework未授权的信息修改漏洞 + 详情
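Review bot: the fifteen keys appended to cache/Nsfocus.dat in the -113,3 +113,18 hunk (71669387c4b075652a58409547c31a4f through f7c6b5f957f75dc3d1233dc65a7e3d1d) carry nothing that says what they are keys for; the only place they are tied to an advisory is the regenerated docs/index.html, where 71669387c4b075652a58409547c31a4f sits next to CVE-2024-3903 and a171b437a2f8ab25bc8d914b98b75442 next to CVE-2024-8335. If the key is derived from the upstream entry (title, URL or CVE ID), document the derivation in a header comment or store one `<key> <CVE-ID>` pair per line, so a reviewer can tell whether a re-crawl dedupes correctly when NSFOCUS edits a title. The hunk also only appends; if the cache is never pruned, say so where the file is described.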
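Review bot: the data/cves.db change is unreviewable as submitted ("Binary files a/data/cves.db and b/data/cves.db differ"), so nobody can see which rows this run added or whether they match the entries added to docs/index.html. Either track a text export of the same records next to it (one JSON line or CSV row per CVE) or regenerate the database from the cache and text sources in CI instead of committing it; both make the per-run delta visible and keep the binary's history from bloating the repository.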
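Review bot: the two Sunnet entries in the -454 and -462 hunks spell the product differently, `eHDR CTMS` in the SQL-injection entry and `eHRD CTMS` in the IDOR entry. Both are verbatim upstream descriptions, so they should not be patched locally, but any per-product grouping or search on the page will split them; worth reporting upstream rather than changing here.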
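Review bot: the kernel uprobe entry in the -478 hunk has been damaged on ingest: the three `#include` lines of the reproducer have lost their header names and `#include`/`#define` have gained a leading backslash (`\#include \#include \#include`, `\#define STRLEN 4093`). Text vanishing between angle brackets is consistent with the pipeline stripping HTML tags from the upstream description (a `<stdio.h>`-style header looks like a tag to a stripper) instead of escaping them, and the `\#` looks like Markdown escaping applied to what ends up as HTML. Escape with `&lt;`/`&gt;` and drop the `\#` so reproduction steps survive verbatim; the rest of that entry (the `objdump -t test | grep -w print_string` step, `off=0x1199`, the KASAN trace) reads correctly, so the loss is confined to the bracketed tokens.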
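Review bot: the -2148,75 +2148,75 hunk replaces the previous NSFOCUS batch (CVE-2024-5053, CVE-2024-42058, CVE-2024-5148, CVE-2024-28044, CVE-2024-43775, CVE-2024-8365, CVE-2024-42471, CVE-2024-43774, all stamped 2024-10-28 09:24:46) with the new one rather than prepending to it, so the equal line counts mean this section is a fixed-size window and those entries disappear from docs/index.html in this commit. Confirm they stay reachable (they presumably live in data/cves.db, which cannot be checked here because it is binary) or add an archive link. Separately, every new entry in this hunk carries the identical stamp 2024-10-29 03:28:34, i.e. the crawl time, whereas the entries higher up the page carry per-entry times (2024-10-28 00:15:03 through 04:15:02); label the column so readers do not take the crawl time for the advisory date.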