There is an out-of bounds read vulnerability in WindowsCodecsRaw.dll while processing a malformed Canon raw image. This can potentially lead to disclosing the memory of the affected process. All applications that use Windows Image Codecs for image parsing are potentially affected. The vulnerability has been confirmed on Windows 10 v2004 with the most recent patches applied.
1ea2260b2783f8f68dc9be4f978b3561Microsoft Windows suffers from a local spooler bypass vulnerability.
3f3c10cd2d2b0c404a73cddec7d03575Chrome on Android suffers from a ConvertToJavaBitmap heap buffer overflow vulnerability.
c8867dbfed920c86be64013795e08eb9Turbofan fails to deoptimize code after map deprecation, leading to a type confusion vulnerability.
8d2abc7a60f64a99e0af818daab042a7Github Actions supports a feature called workflow commands that is susceptible to widespread code injection vulnerabilities.
ed0cc8399b9664318e4cac10f05729b5The Microsoft Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).
6e04f989132d4f0fcd1f22d984a8aedfFreeType suffers from a heap buffer overflow vulnerability due to integer truncation in Load_SBit_Png.
486d3f9f9d645b3bc7af767d7f2dd9cdChrome suffers from a use-after-free vulnerability in USB::OnServiceConnectionError.
5edb5820b7d1b2c0f59e318c98fb4d0bChrome suffers from a use-after-free vulnerability in WebIDBGetDBNamesCallbacksImpl::SuccessNamesAndVersionsList.
411e2d70af0ac966392cea6e525962e3Mocha for Android suffers from an issue where a call can cause the callee device to send audio without user interaction.
772edab5551c467389bb2fea0c6d8a2fChrome suffers from a use-after-free vulnerability in XRSystem::FocusedFrameChanged and FocusController::NotifyFocusChangedObservers.
62c2c4c58b3d2bdb3596a004e37edb33Chrome suffers from a MediaElementEventListener::UpdateSources use-after-free vulnerability.
b3898822e20bcb41c1fa9b902ee4ea6dKubernetes has multiple issues in aws-iam-authenticator where lax controls can lead to a lower security posture.
0efac33980805dcdab8d64773d7981d5JioChat for Android has an issue where a caller can cause the callee device to send audio without user interaction.
45419de88ff2e72571dce00f61068438HashiCorp Vault's GCP authentication method can be bypassed on gce type roles that do not specify bound_service_accounts. Vault does not enforce that the compute_engine data in a signed JWT token has any relationship to the service account that created the token. This makes it possible to impersonate arbitrary GCE instances, by creating a JWT token with a faked compute_engine struct, using an arbitrary attacker controlled service account.
7b83f776aff7e235a44aa2d4f4125bb8HashiCorp Vault's AWS IAM authentication method can be bypassed by sending a serialized request to the STS AssumeRoleWithWebIdentity method as part of the authentication flow. The request triggers a JSON encoded response from the STS server, which can contain a fully-attacker controlled fake GetCallerIdentityResponse as part of its body. As the Vault response parser ignores non-xml content before and after the malicious response, this can be used to spoof arbitrary AWS identities and roles.
c2e3c92a813a0ec7ee985df9b624b079udisks and the Linux kernel have an issue where udisks permits users to mount romfs and romfs leaks uninitialized memory to userspace.
c048313af977e032061fd3c992081768A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.
af84b28deac71be6c5fa63ed3e242c89The StorageFolder class when used out of process can bypass security checks to read and write files not allowed to an AppContainer.
fcac5139eefb819b4a7b0e211caa1f0dThe Qualcomm Adreno GPU shares a global mapping called a "scratch" buffer with the Adreno KGSL kernel driver. The contents of the scratch buffer can be overwritten by untrusted GPU commands. This results in a logic error in the Adreno driver's ringbuffer allocation code, which can be used to corrupt ringbuffer data. A race condition exists between the ringbuffer corruption and a GPU context switch, and this results in a bypass of the GPU protected mode setting. This ultimately means that an attacker can read and write arbitrary physical addresses from userland by running GPU commands while protected mode disabled, which results in arbitrary kernel code execution.
1b8910b13d2d3595dcd217d98080e491The CloundExperienceHostBroker hosts unsafe COM objects accessible to a normal user leading to elevation of privilege.
c38651bc173d658ea5caddd8450163b6Apache2 suffers from an incorrect handling of large requests issue in mod_proxy_uwsgi.
794813ee73c7fb742550accd8b61f2e2Chrome suffers from a missing array size check in NewFixedArray.
3f2e8b27a8a3776f81ab7b46459f8a8eA Linux copy-on-write issue can wrongly grant write access.
cb589228c2f3845aa384c84f4717d60eThe handling of KTM logs when initializing a Registry Hive contains no bounds checks which results in privilege escalation.
47cc29fc3f9a4152d374689e8d8dbe44
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed