CVE-2016-2048
Published 2016-02-08
Priority: P429, medium, 5.5 (CVSS 3.0)
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
EPSS: 1.52% (71.5th percentile)
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.9.2-1 (bookworm) | python-django 1.9.2-1 (bookworm) |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | >= 1.9 < 1.9.2 | 1.9.2 |
| github.com | kyverno_kyverno | >= 0 < 1.9.5 | 1.9.5 |
| libssh | libssh | >= 0 < 0.6.1-0ubuntu3.3 | 0.6.1-0ubuntu3.3 |
CVSS provenance
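| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
| vendor_debian | | 5.5 | MEDIUM | |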
GHSA
Kyverno vulnerable due to usage of insecure cipher
ghsa·2023-05-30·CVSS 7.5
CVE-2016-2183 [HIGH] Kyverno vulnerable due to usage of insecure cipher
### Summary
Insecure 3DES ciphers are used which may lead to exploitation of the [Sweet32 vulnerability](https://sweet32.info/). Specifically, the ciphers TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) and TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) are allowed. See CVE-2016-2183. This is fixed in Kyverno v1.9.5 and v1.10.0 and no known users have been affected.
### Details
The ciphers in affected versions can be read using the following command which uses `nmap`:
```sh
$ kubectl exec -it mypod -n kyverno sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
nmap -sV --script ssl-enum-ciphers -p 443 kyverno-cleanup-controller
# or
nmap -sV --script ssl-enum
```
GHSA
Django Access Restrictions Bypass
ghsa·2022-05-17
CVE-2016-2048 [HIGH] CWE-284 Django Access Restrictions Bypass
Django 1.9.x before 1.9.2, when `ModelAdmin.save_as` is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
OSV
Django Access Restrictions Bypass
osv·2022-05-17
CVE-2016-2048 [HIGH] Django Access Restrictions Bypass
Django 1.9.x before 1.9.2, when `ModelAdmin.save_as` is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
OSV
libssh vulnerabilities
osv·2016-02-23·CVSS 7.5
CVE-2015-3146 libssh vulnerabilities
Mariusz Ziulek discovered that libssh incorrectly handled certain packets.
A remote attacker could possibly use this issue to cause libssh to crash,
resulting in a denial of service.
(CVE-2015-3146)
Aris Adamantiadis discovered that libssh incorrectly generated ephemeral
secret keys of 128 bits instead of the recommended 1024 or 2048 bits when
using the diffie-hellman-group1 and diffie-hellman-group14 methods. If a
remote attacker were able to perform a machine-in-the-middle attack, this flaw
could be exploited to view sensitive information. (CVE-2016-0739)
OSV
CVE-2016-2048: Django 1
osv·2016-02-08·CVSS 5.5
CVE-2016-2048 [MEDIUM] CVE-2016-2048: Django 1
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
Red Hat
libtiff: Heap-based buffer overflow in tif_next.c
vendor_redhat·2016-12-03·CVSS 7.8
CVE-2016-10272 [HIGH] CWE-122 libtiff: Heap-based buffer overflow in tif_next.c
LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to "WRITE of size 2048" and libtiff/tif_next.c:64:9.
Package: libtiff (Red Hat Enterprise Linux 5) - Will not fix
Package: libtiff (Red Hat Enterprise Linux 6) - Will not fix
Package: compat-libtiff3 (Red Hat Enterprise Linux 7) - Will not fix
Package: libtiff (Red Hat Enterprise Linux 7) - Will not fix
Red Hat
python-django: user with "change" but not "add" permission can create objects for ModelAdmin
vendor_redhat·2016-02-01·CVSS 5.5
CVE-2016-2048 [MEDIUM] python-django: user with "change" but not "add" permission can create objects for ModelAdmin
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
Package: Django (Red Hat Ceph Storage 1.2) - Not affected
Package: Django (Red Hat Ceph Storage 1.3) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)) - Not affected
Package: python-django (Red Hat Enterpris
Debian
CVE-2016-2048: python-django - Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote...
vendor_debian·2016·CVSS 5.5
CVE-2016-2048 [MEDIUM] CVE-2016-2048: python-django - Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote...
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
Scope: local
bookworm: resolved (fixed in 1.9.2-1)
bullseye: resolved (fixed in 1.9.2-1)
forky: resolved (fixed in 1.9.2-1)
sid: resolved (fixed in 1.9.2-1)
trixie: resolved (fixed in 1.9.2-1)
Suricata
ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query
suricata·2016-02-18·CVSS 8.1
CVE-2015-7547 [HIGH] ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query
Rule: alert tcp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query"; flow:established,to_client; flowbits:isset,ET.CVE20157547.primer; byte_test:2,>,2048,0; byte_test:1,&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01|"; offset:6; depth:2; reference:cve,2015-7547; classtype:attempted-user; sid:2022547; rev:2; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2024_03_07;)
Exploit-DB
Apple OS X/iOS Kernel - IOSurface Use-After-Free
exploitdb·2016-10-31
CVE-2016-4625 Apple OS X/iOS Kernel - IOSurface Use-After-Free
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=831
IOSurfaceRootUserClient stores a task struct pointer (passed in via IOServiceOpen) in the field at +0xf0 without taking a reference.
By killing the corresponding task we can free this pointer leaving the user client with a dangling pointer. We can get this pointer used
by calling the create_surface_fast_path external method which will try to read and use the memory map off of the free'd task struct.
This bug could be leveraged for kernel memory corruption and is reachable from interesting sandboxes including safari and chrome.
build: clang -o surfaceroot_uaf surfaceroot_uaf.c -framework IOKit
You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actuall
Exploit-DB
glibc - 'getaddrinfo' Stack Buffer Overflow (PoC)
exploitdb·2016-02-16·CVSS 8.1
CVE-2015-7547 [HIGH] glibc - 'getaddrinfo' Stack Buffer Overflow (PoC)
---
Sources:
https://googleonlinesecurity.blogspot.sg/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://github.com/fjserna/CVE-2015-7547
Technical information:
glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query.
Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.
Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger tha