CVE-2023-1024
Published: 2023-02-28
Priority: P4 · 20 · medium. CVSS 3.1 base score: 4.3 (AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:L / A:N)
EPSS: 0.54% (41.2th percentile)
The WP Meta SEO plugin for WordPress is vulnerable to unauthorized sitemap generation due to a missing capability check on the regenerateSitemaps function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to generate sitemaps. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role.
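The root cause the advisory names is a handler that treats a nonce as its only gate. A WordPress nonce protects against cross-site request forgery; it says nothing about who the caller is, and when the nonce is printed into pages every logged-in user can open, any subscriber can obtain it. The following is an added illustration of that pattern next to its hardened form; it is not the plugin's code, and the hook, nonce action, and worker names (`example_*`) and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added example, not code from WP Meta SEO. All example_* names are hypothetical.

// Hypothetical worker that performs the sitemap regeneration. Here it only
// fires a hook so the checks around it are the focus of the example.
function example_do_regenerate_sitemaps() {
    do_action( 'example_regenerate_sitemaps' );
}

// Pattern described in the advisory: the nonce is the only check. It stops
// CSRF, but any authenticated user who can read the nonce (here: everyone,
// because it is emitted on pages all roles can load) reaches the action.
function example_regenerate_sitemaps_nonce_only() {
    check_ajax_referer( 'example_sitemap_nonce', 'nonce' ); // CSRF only, no authorization
    example_do_regenerate_sitemaps();
    wp_send_json_success();
}

// Hardened form: keep the nonce for CSRF and add a capability check for
// authorization. wp_send_json_error() calls wp_die(), so execution stops there.
function example_regenerate_sitemaps_secure() {
    check_ajax_referer( 'example_sitemap_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { // capability is an assumption
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    example_do_regenerate_sitemaps();
    wp_send_json_success();
}

// Register only the hardened handler. The nonce is created with
// wp_create_nonce( 'example_sitemap_nonce' ) wherever the admin page emits it.
add_action( 'wp_ajax_example_regenerate_sitemaps', 'example_regenerate_sitemaps_secure' );
```

The capability to require depends on what the action does; the point is that `check_ajax_referer()` and `current_user_can()` answer different questions (is this request forged? is this user allowed?) and an AJAX handler that changes site state needs both. Registering the handler only under `wp_ajax_` (not `wp_ajax_nopriv_`) keeps anonymous callers out but, as this advisory shows, does nothing about low-privilege authenticated accounts.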
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | ipfs_go-unixfsnode | >= 0 < 1.5.2 | 1.5.2 |
| github.com | prometheus_blackbox_exporter | 0 – 0.23.0 | — |
| joomunited | wp_meta_seo | <= 4.5.3 | — |
| juniper | junos_os | — | — |
| linux | linux_kernel | >= 5.16.0 < 6.1.110 | 6.1.110 |
| linux | linux_kernel | >= 6.2.0 < 6.4.7 | 6.4.7 |
CVSS provenance
- NVD (CVSS 3.1): 4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Red Hat (vendor): 7.8 HIGH
OSV · 2025-12-30 · CVE-2023-54247: bpf: Silence a warning in btf_type_id_size()
In the Linux kernel, the following vulnerability has been resolved:
bpf: Silence a warning in btf_type_id_size()
syzbot reported a warning in [1] with the following stacktrace:
WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
...
RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
...
Call Trace:
map_check_btf kernel/bpf/syscall.c:1024 [inline]
map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198
__sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040
__do_sys_bpf kernel/bpf/syscall.c:5162 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5160 [inline]
__x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/commo
GHSA · 2023-04-26 · CVE-2023-26735 [HIGH] CWE-918: Withdrawn Advisory: Access control issues in blackbox_exporter
# Withdrawn Advisory
This advisory has been withdrawn because it was determined to be a configuration issue rather than a vulnerability. This link is maintained to preserve external references. For more information, see the conversation [here](https://github.com/prometheus/blackbox_exporter/issues/1024#issuecomment-1449145854).
# Original Advisory
blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface. This vulnerability allows attackers to detect intranet ports and services, as well as download resources.
GHSA (unreviewed) · 2023-02-28 · CVE-2023-1024 [MEDIUM] CWE-862: GHSA-rqjh-2xp3-wp52
The WP Meta SEO plugin for WordPress is vulnerable to unauthorized sitemap generation due to a missing capability check on the regenerateSitemaps function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to generate sitemaps. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role.
GHSA · 2023-02-10 · CVE-2023-23631 [HIGH] CWE-400: IPFS go-unixfsnode subject to DOS via HAMT Decoding Panics
## Impact
Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks.
If you are reading untrusted user input, an attacker can then trigger a panic.
This is caused by a bogus fanout parameter in the HAMT directory nodes.
This includes checks returned in [ipfs/go-bitfield GHSA-2h6c-j3gf-xp9r](https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r), as well as limiting the fanout to <= 1024 (to avoid attempts of arbitrary sized allocations).
## Patches
- https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68
- https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122
## References
* https://github.com/ipfs/go-unixfs/
Red Hat · 2025-12-30 · CVSS 4.4 · CVE-2023-54247 [LOW] CWE-20: kernel: bpf: Silence a warning in btf_type_id_size()
In the Linux kernel, the following vulnerability has been resolved:
bpf: Silence a warning in btf_type_id_size()
syzbot reported a warning in [1] with the following stacktrace:
WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
...
RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
...
Call Trace:
map_check_btf kernel/bpf/syscall.c:1024 [inline]
map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198
__sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040
__do_sys_bpf kernel/bpf/syscall.c:5162 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5160 [inline]
__x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry
Red Hat · 2025-12-24 · CVSS 3.3 · CVE-2023-54145 [LOW] CWE-410: kernel: Linux kernel: BPF verifier log truncation via crafted user input
In the Linux kernel, the following vulnerability has been resolved:
bpf: drop unnecessary user-triggerable WARN_ONCE in verifier log
It's trivial for user to trigger "verifier log line truncated" warning,
as verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at
least two pieces of user-provided information that can be output through
this buffer, and both can be arbitrarily sized by user:
- BTF names;
- BTF.ext source code lines strings.
Verifier log buffer should be properly sized for typical verifier state
output. But it's sort-of expected that this buffer won't be long enough
in some circumstances. So let's drop the check. In any case code will
work correctly, at worst truncating a part of
Red Hat · 2025-09-16 · CVSS 5.5 · CVE-2023-53294 [MEDIUM]: kernel: fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup()
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup()
Syzbot reported a null-ptr-deref bug:
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size
(512)
ntfs3: loop0: Mark volume as dirty due to NTFS errors
general protection fault, probably for non-canonical address
0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
RIP: 0010:d_flags_for_inode fs/dcache.c:1980 [inline]
RIP: 0010:__d_add+0x5ce/0x800 fs/dcache.c:2796
Call Trace:
d_splice_alias+0x122/0x3b0 fs/dcache.c:3191
lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x
Red Hat · 2024-03-02 · CVSS 5.5 · CVE-2023-52582 [MEDIUM] CWE-606: kernel: netfs: improper loop in netfs_rreq_unlock_folios()
In the Linux kernel, the following vulnerability has been resolved:
netfs: Only call folio_start_fscache() one time for each folio
If a network filesystem using netfs implements a clamp_length()
function, it can set subrequest lengths smaller than a page size.
When we loop through the folios in netfs_rreq_unlock_folios() to
set any folios to be written back, we need to make sure we only
call folio_start_fscache() once for each folio.
Otherwise, this simple testcase:
mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs
dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s
echo 3 > /proc/sys/vm/drop_caches
cat /mnt/nfs/file.bin > /dev/n
Red Hat · 2024-02-23 · CVSS 7.8 · CVE-2023-52464 [HIGH] CWE-805: kernel: EDAC/thunderx: Incorrect buffer size in drivers/edac/thunderx_edac.c
In the Linux kernel, the following vulnerability has been resolved:
EDAC/thunderx: Fix possible out-of-bounds string access
Enabling -Wstringop-overflow globally exposes a warning for a common bug
in the usage of strncat():
drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1136 | strncat(msg, other, OCX_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
1145 | strncat(msg, other, OCX_MESSAGE_SIZE);
...
1150 | strncat(msg, other, OCX_MESSAGE_SIZE);
...
Apparently the author of this driver expected strncat() to behave the
way that strlcat() does, which use
Suricata · 2025-04-02 · CVSS 9.8 · CVE-2022-22274 [CRITICAL]: ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M1
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M1"; flow:established,to_server; urilen:>1024; http.uri; content:"/resources/"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2022-22274; classtype:attempted-dos; sid:2061248; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2022_22274, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, tag Exploit, updated_at
Suricata · 2025-04-02 · CVSS 9.8 · CVE-2023-0656 [CRITICAL]: ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M1
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M1"; flow:established,to_server; urilen:>1024; http.uri; content:"/stats/"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2023-0656; classtype:attempted-dos; sid:2061253; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2023_0656, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04
Suricata · 2025-04-02 · CVSS 9.8 · CVE-2023-0656 [CRITICAL]: ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M2
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M2"; flow:established,to_server; urilen:>1024; http.uri; content:"/Security_Services"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2023-0656; classtype:attempted-dos; sid:2061256; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2023_0656, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2
Nuclei · CVSS 7.8 · CVE-2023-6246 [HIGH]: glibc's syslog - Local Privilege Escalation
A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.
Template:
id: CVE-2023-6246
info:
  name: glibc's syslog - Local Privilege Escalation
  author: gy741
  severity: high
  description: |
    A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when
Bugzilla · 2025-12-30 · CVE-2023-54247 [LOW]: kernel: bpf: Silence a warning in btf_type_id_size()
In the Linux kernel, the following vulnerability has been resolved:
bpf: Silence a warning in btf_type_id_size()
syzbot reported a warning in [1] with the following stacktrace:
WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
...
RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
...
Call Trace:
map_check_btf kernel/bpf/syscall.c:1024 [inline]
map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198
__sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040
__do_sys_bpf kernel/bpf/syscall.c:5162 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5160 [inline]
__x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0x
Bugzilla · 2025-12-24 · CVE-2023-54145 [LOW]: kernel: Linux kernel: BPF verifier log truncation via crafted user input
In the Linux kernel, the following vulnerability has been resolved:
bpf: drop unnecessary user-triggerable WARN_ONCE in verifier log
It's trivial for user to trigger "verifier log line truncated" warning,
as verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at
least two pieces of user-provided information that can be output through
this buffer, and both can be arbitrarily sized by user:
- BTF names;
- BTF.ext source code lines strings.
Verifier log buffer should be properly sized for typical verifier state
output. But it's sort-of expected that this buffer won't be long enough
in some circumstances. So let's drop the check. In any case code will
work correctly, at worst tru
Bugzilla · 2025-12-24 · CVE-2023-54108 [LOW]: kernel: scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests
The following message and call trace was seen with debug kernels:
DMA-API: qla2xxx 0000:41:00.0: device driver failed to check map
error [device address=0x00000002a3ff38d8] [size=1024 bytes] [mapped as
single]
WARNING: CPU: 0 PID: 2930 at kernel/dma/debug.c:1017
check_unmap+0xf42/0x1990
Call Trace:
debug_dma_unmap_page+0xc9/0x100
qla_nvme_ls_unmap+0x141/0x210 [qla2xxx]
Remove DMA mapping from the driver altogether, as it is already done by FC
layer. This prevents the warning.
Discussion:
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025122412-CVE-2023-54108-d5be
Bugzilla · 2025-10-04 · CVSS 5.5 · CVE-2023-53611 [MEDIUM]: kernel: ipmi_si: fix a memleak in try_smi_init()
In the Linux kernel, the following vulnerability has been resolved:
ipmi_si: fix a memleak in try_smi_init()
Kmemleak reported the following leak info in try_smi_init():
unreferenced object 0xffff00018ecf9400 (size 1024):
comm "modprobe", pid 2707763, jiffies 4300851415 (age 773.308s)
backtrace:
[] __kmalloc+0x4b8/0x7b0
[] try_smi_init+0x148/0x5dc [ipmi_si]
[] 0xffff800081b10148
[] do_one_initcall+0x64/0x2a4
[] do_init_module+0x50/0x300
[] load_module+0x7a8/0x9e0
[] __se_sys_init_module+0x104/0x180
[] __arm64_sys_init_module+0x24/0x30
[] el0_svc_common.constprop.0+0x94/0x250
[] do_el0_svc+0x48/0xe0
[] el0_svc+0x24/0x3c
[] el0_sync_handler+0x160/0x164
[] el0_sync+0x160/0x180
The problem was that when an error occurred befo
Bugzilla · 2025-10-01 · CVSS 5.5 · CVE-2023-53468 [MEDIUM]: kernel: ubifs: Fix memory leak in alloc_wbufs()
In the Linux kernel, the following vulnerability has been resolved:
ubifs: Fix memory leak in alloc_wbufs()
kmemleak reported a sequence of memory leaks, and show them as following:
unreferenced object 0xffff8881575f8400 (size 1024):
comm "mount", pid 19625, jiffies 4297119604 (age 20.383s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[] __kmalloc+0x4d/0x150
[] ubifs_mount+0x307b/0x7170 [ubifs]
[] legacy_get_tree+0xed/0x1d0
[] vfs_get_tree+0x7d/0x230
[] path_mount+0xdd4/0x17b0
[] __x64_sys_mount+0x1fa/0x270
[] do_syscall_64+0x35/0x80
[] entry_SYSCALL_64_after_hwframe+0x46/0xb0
unreferenced object 0xfff
Bugzilla · 2025-09-16 · CVSS 5.5 · CVE-2023-53294 [MEDIUM]: kernel: fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup()
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup()
Syzbot reported a null-ptr-deref bug:
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size
(512)
ntfs3: loop0: Mark volume as dirty due to NTFS errors
general protection fault, probably for non-canonical address
0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
RIP: 0010:d_flags_for_inode fs/dcache.c:1980 [inline]
RIP: 0010:__d_add+0x5ce/0x800 fs/dcache.c:2796
Call Trace:
d_splice_alias+0x122/0x3b0 fs/dcache.c:3191
lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inli
Bugzilla · 2023-04-20 · CVSS 5.9 · CVE-2023-1255 [MEDIUM]: openssl: Input buffer over-read in AES-XTS implementation on 64 bit ARM
Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM
platform contains a bug that could cause it to read past the input buffer,
leading to a crash.
Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM
platform can crash in rare circumstances. The AES-XTS algorithm is usually
used for disk encryption.
The AES-XTS cipher decryption implementation for 64 bit ARM platform will read
past the end of the ciphertext buffer if the ciphertext size is 4 mod 5, e.g.
144 bytes or 1024 bytes. If the memory after the ciphertext buffer is
unmapped, this will trigger a crash which results in a denial of service.
If an attacker can control the size and location of the ciph
References
- https://plugins.trac.wordpress.org/changeset/2870465/wp-meta-seo/trunk?contextall=1&old=2869205&old_path=%2Fwp-meta-seo%2Ftrunk#file2
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2870465%40wp-meta-seo&new=2870465%40wp-meta-seo&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4a3f835e-0aa9-4581-9150-fe5041e0f293?source=cve