Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, covering the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the information it contains into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

All vulnerabilities collected are linked to their information sources and to any patches or solutions published by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-9631

Publication date:
05/02/2025
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of MR with conflicts can be slow.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2024-49352

Publication date:
05/02/2025
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025
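The entry above describes the XXE class of bug in general terms: a parser that honours external entity declarations will fetch whatever URI the attacker names and splice the result into the document. The following added example (written for this page, not IBM's or Cognos's code, and not an exploit for this CVE) shows the mechanism with Python's expat bindings. The `parse_xml` function, the constructed secret file and the `file://` loader are this example's own assumptions; the hardened configurations are the two standard fixes, refusing external entity references and refusing any DTD at all.

```python
import os
import tempfile
import xml.parsers.expat as expat


def parse_xml(xml_bytes, external_loader=None, allow_doctype=True):
    """Parse xml_bytes with expat and return the document's character data.

    external_loader: callable(system_id) -> bytes that fetches an external
      entity, or None to refuse every external reference (the safe default).
    allow_doctype: when False, any <!DOCTYPE ...> aborts the parse, which
      shuts out both XXE and entity-expansion (memory exhaustion) payloads.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_doctype:
            raise ValueError("DTD not allowed in untrusted XML")

    def on_external_ref(context, base, system_id, public_id):
        if external_loader is None:
            return 0  # tell expat to stop; Parse() then raises ExpatError
        # This is what an XXE-capable parser does: fetch the URI and parse
        # its content as part of the document, using the parent's handlers.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(external_loader(system_id), True)
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def naive_file_loader(system_id):
    """Assumed resolver that dereferences file:// URIs; the behaviour a
    vulnerable deployment exhibits, shown here only to make the leak visible."""
    prefix = "file://"
    path = system_id[len(prefix):] if system_id.startswith(prefix) else system_id
    with open(path, "rb") as fh:
        return fh.read()


def xxe_payload(path):
    """Constructed attacker document: the external entity points at a local file."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file://' + path.encode() + b'">]>\n'
        b"<data>&xxe;</data>\n"
    )


def demo():
    """Run the same payload through the vulnerable and the two hardened setups.

    Returns (leaked_text, external_refs_refused, dtd_rejected).
    """
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".txt") as fh:
        fh.write(b"db_password=hunter2")  # constructed secret
        secret_path = fh.name
    try:
        payload = xxe_payload(secret_path)
        # 1. resolver enabled: the file content is spliced into <data>
        leaked = parse_xml(payload, external_loader=naive_file_loader)
        # 2. external references refused: expat aborts at &xxe;
        try:
            parse_xml(payload, external_loader=None)
            refused = "parsed"
        except expat.ExpatError:
            refused = "refused external entity"
        # 3. DTDs refused outright: the parse never reaches the entity
        try:
            parse_xml(payload, allow_doctype=False)
            rejected = "parsed"
        except ValueError:
            rejected = "rejected DTD"
    finally:
        os.unlink(secret_path)
    return leaked, refused, rejected


if __name__ == "__main__":
    print(demo())
```

Rejecting the DTD (`allow_doctype=False`) is the configuration to prefer for untrusted input, since it also removes the entity-expansion vector behind the "consume memory resources" half of the advisory; refusing only external references still leaves internal entity expansion to the parser's own limits.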

CVE-2023-6386

Publication date:
05/02/2025
A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5 and 16.8 prior to 16.8.2 which allows an attacker to spike the GitLab instance resource usage resulting in service degradation.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2024-1539

Publication date:
05/02/2025
An issue has been discovered in GitLab EE affecting all versions starting from 15.2 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose updates to issues to a banned group member using the API.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2024-6356

Publication date:
05/02/2025
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2025-0665

Publication date:
05/02/2025
libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2025

CVE-2025-0167

Publication date:
05/02/2025
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025
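The precondition in the entry above is easy to audit for and easy to model. The following added example (written for this page; it is not curl's implementation) parses a constructed `.netrc` containing the rare bare `default` entry, checks for that entry, and resolves credentials independently for each host in a redirect chain, which is the behaviour a client must have so that the first host's password never reaches the followed-to host. The tokenizer is a deliberate simplification (comments are skipped, `macdef` blocks are not supported) and all function names are this example's own.

```python
# Constructed sample .netrc: one machine entry plus a "default" entry that
# omits both login and password, the shape the advisory describes.
SAMPLE_NETRC = """\
# credentials for the API host only
machine api.example.test login alice password s3cret
default
"""


def parse_netrc(text):
    """Minimal .netrc tokenizer (comments skipped, macdef not supported).

    Returns {machine name or "default": {"login": ..., "password": ..., ...}}
    holding only the keywords that were actually present in each entry.
    """
    tokens = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tokens.extend(line.split())

    def value_after(i):
        if i + 1 >= len(tokens):
            raise ValueError("keyword %r without a value" % tokens[i])
        return tokens[i + 1]

    entries, current, i = {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            current = entries.setdefault(value_after(i), {})
            i += 2
        elif tok == "default":
            current = entries.setdefault("default", {})
            i += 1
        elif tok in ("login", "user", "password", "account") and current is not None:
            current["login" if tok == "user" else tok] = value_after(i)
            i += 2
        else:
            raise ValueError("unexpected .netrc token %r" % tok)
    return entries


def credentials_for(host, entries):
    """Credentials to attach for exactly one host, or None.

    A "default" entry matches any host not named explicitly; a bare default
    entry carries no login and no password, so it must yield nothing rather
    than letting credentials looked up for an earlier host leak through.
    """
    entry = entries.get(host)
    if entry is None:
        entry = entries.get("default")
    if not entry or ("login" not in entry and "password" not in entry):
        return None
    return entry.get("login", ""), entry.get("password", "")


def has_bare_default(entries):
    """Audit check for the advisory's precondition: a default entry with
    neither login nor password."""
    default = entries.get("default")
    return default is not None and "login" not in default and "password" not in default


def credentials_per_hop(hops, entries):
    """Resolve credentials separately for every host in a redirect chain.
    Nothing is carried over from one hop to the next."""
    return [(host, credentials_for(host, entries)) for host in hops]


if __name__ == "__main__":
    parsed = parse_netrc(SAMPLE_NETRC)
    print("bare default entry present:", has_bare_default(parsed))
    print(credentials_per_hop(["api.example.test", "cdn.example.test"], parsed))
```

Running `has_bare_default` over the `.netrc` files on build and CI hosts is a quick way to tell whether the affected curl versions could have leaked anything in a given environment; the per-hop resolution shows the expected result, credentials for `api.example.test` only and none for the host the redirect lands on.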

CVE-2025-0725

Publication date:
05/02/2025
When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2023-52924

Publication date:
05/02/2025
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: don't skip expired elements during walk

There is an asymmetry between commit/abort and preparation phase if the following conditions are met:

1. set is a verdict map ("1.2.3.4 : jump foo")
2. timeouts are enabled

In this case, following sequence is problematic:

1. element E in set S refers to chain C
2. userspace requests removal of set S
3. kernel does a set walk to decrement chain->use count for all elements from preparation phase
4. kernel does another set walk to remove elements from the commit phase (or another walk to do a chain->use increment for all elements from abort phase)

If E has already expired in 1), it will be ignored during list walk, so its use count won't have been changed.

Then, when set is culled, ->destroy callback will zap the element via nf_tables_set_elem_destroy(), but this function is only safe for elements that have been deactivated earlier from the preparation phase: lack of earlier deactivate removes the element but leaks the chain use count, which results in a WARN splat when the chain gets removed later, plus a leak of the nft_chain structure.

Update pipapo_get() not to skip expired elements, otherwise flush command reports bogus ENOENT errors.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2023-52925

Publication date:
05/02/2025
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: don't fail inserts if duplicate has expired

nftables selftests fail:
run-tests.sh testcases/sets/0044interval_overlap_0
Expected: 0-2 . 0-3, got:
W: [FAILED] ./testcases/sets/0044interval_overlap_0: got 1

Insertion must ignore duplicate but expired entries.

Moreover, there is a strange asymmetry in nft_pipapo_activate:

It refetches the current element, whereas the other ->activate callbacks (bitmap, hash, rhash, rbtree) use elem->priv. Same for .remove: other set implementations take elem->priv, nft_pipapo_remove fetches elem->priv, then does a relookup, remove this.

I suspect this was the reason for the change that prompted the removal of the expired check in pipapo_get() in the first place, but skipping expired elements there makes no sense to me, this helper is used for normal get requests, insertions (duplicate check) and deactivate callback.

In first two cases expired elements must be skipped.

For ->deactivate(), this gets called for DELSETELEM, so it seems to me that expired elements should be skipped as well, i.e. delete request should fail with -ENOENT error.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2025

CVE-2024-13829

Publication date:
05/02/2025
The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.0.8 via the 'attachments.php' file. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via forms.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2025-25246

Publication date:
05/02/2025
NETGEAR XR1000 before 1.0.0.74, XR1000v2 before 1.1.0.22, and XR500 before 2.3.2.134 allow remote code execution by unauthenticated users.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025