2023-08-19
ALT-BU-2023-5020-1
Branch c10f1 update bulletin.
Closed vulnerabilities
Published: 2023-07-22
Modified: 2024-11-21
CVE-2023-38633
A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.
Severity: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
- http://seclists.org/fulldisclosure/2023/Jul/43
- http://www.openwall.com/lists/oss-security/2023/07/27/1
- http://www.openwall.com/lists/oss-security/2023/09/06/10
- https://bugzilla.suse.com/show_bug.cgi?id=1213502
- https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
- https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/422NTIHIEBRASIG2DWXYBH4ADYMHY626/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5BCXT5GW6RCL45ZUHUZR4CJG2BAFDVC/
- https://news.ycombinator.com/item?id=37415799
- https://security.netapp.com/advisory/ntap-20230831-0011/
- https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/
- https://www.debian.org/security/2023/dsa-5484
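The href in the advisory text works because two components look at the same string differently: to an RFC 3986 resolver ".?../../etc/passwd" has path "." and a query, so a containment check on the URL path passes, while the layer that turns the reference into a filename sees the "../" segments and climbs out of the document's directory (the reference titled "when URL parsers disagree" describes this class of bug). The script below is an added example, not code from librsvg or from this bulletin; it models that disagreement with a naive path-component check beside the hardened check a practitioner would want, which validates the filename the file layer will actually open. The base directory /srv/svg, the helper names and the "lexical decoder" model are assumptions made for the example; the payload string is copied from the advisory.

```python
import os
import posixpath
from urllib.parse import unquote, urljoin, urlparse

# Constructed base directory for the example: the directory the SVG lives in,
# i.e. the only place an xi:include href should be allowed to read from.
BASE_DIR = "/srv/svg"

# Payload copied from the advisory text above.
PAYLOAD = ".?../../../../../../../../../../etc/passwd"


def _is_inside(base_dir: str, path: str) -> bool:
    """True if 'path' (absolute and already normalised) is base_dir or below it."""
    return os.path.commonpath([base_dir, path]) == base_dir


def naive_allows(href: str, base_dir: str = BASE_DIR) -> bool:
    """Containment check done on the URL's path component only.

    The href is resolved against the document's file: URI with an RFC 3986
    resolver and only the resulting path is compared with base_dir. Anything
    after '?' is a query to this parser, so it never takes part in the check.
    """
    base_uri = "file://" + base_dir.rstrip("/") + "/"
    resolved = urlparse(urljoin(base_uri, href))
    path = posixpath.normpath(unquote(resolved.path))
    return _is_inside(base_dir, path)


def path_opened_by_lexical_decoder(href: str, base_dir: str = BASE_DIR) -> str:
    """Model (an assumption for this example, not librsvg's code) of a decoder
    that treats the whole reference as a relative filename, joins it to
    base_dir and collapses '..' segments lexically before opening.

    To such a decoder '?' is an ordinary filename character, so '.?..' is one
    segment and the '..' segments after it climb out of base_dir.
    """
    return posixpath.normpath(posixpath.join(base_dir, unquote(href)))


def hardened_allows(href: str, base_dir: str = BASE_DIR) -> bool:
    """Containment check done on the path that will actually be opened.

    Rule: validate the same string the file layer uses, after the same
    normalisation, never a different parser's view of it.
    """
    target = path_opened_by_lexical_decoder(href, base_dir)
    return _is_inside(base_dir, target)


if __name__ == "__main__":
    for href in ("icons/logo.svg", "../../etc/passwd", PAYLOAD):
        print(
            f"{href!r}: naive={naive_allows(href)} "
            f"opens={path_opened_by_lexical_decoder(href)!r} "
            f"hardened={hardened_allows(href)}"
        )
```

Running it shows the plain "../../etc/passwd" rejected by both checks, "icons/logo.svg" accepted by both, and the advisory's payload accepted by the naive check while the modelled decoder would open /etc/passwd; the hardened check rejects it. In a real deployment the final path should additionally be passed through os.path.realpath (or the platform equivalent) so that symlinks under the base directory cannot point outside it, and the actual fix is to update librsvg to 2.56.3 or later.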
Closed vulnerabilities
Published: 2023-07-18
Modified: 2024-11-21
CVE-2022-26563
An issue was discovered in Tildeslash Monit before 5.31.0 that allows remote attackers to gain escalated privileges due to improper PAM authorization.
Severity: HIGH (8.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References: