2023-08-19
ALT-BU-2023-5020-1
Branch c10f1 update bulletin.
Closed vulnerabilities
Published: 2023-07-22
Modified: 2024-11-21
CVE-2023-38633
A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.
Severity: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
- 20230724 APPLE-SA-2023-07-24-1 Safari 16.6
- [oss-security] 20230727 CVE-2023-38633 in librsvg: Arbitrary file read when xinclude href has special characters
- [oss-security] 20230906 Re: CVE-2023-38633 in librsvg: Arbitrary file read when xinclude href has special characters
- https://bugzilla.suse.com/show_bug.cgi?id=1213502
- https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
- https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3
- FEDORA-2023-0873c38acd
- FEDORA-2023-fc79ee273d
- https://news.ycombinator.com/item?id=37415799
- https://security.netapp.com/advisory/ntap-20230831-0011/
- https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/
- DSA-5484
Closed vulnerabilities
Published: 2023-07-18
Modified: 2024-11-21
CVE-2022-26563
An issue was discovered in Tildeslash Monit before 5.31.0 that allows remote attackers to gain escalated privileges due to improper PAM authorization.
Severity: HIGH (8.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References: