Msrc Azure Linux 3.0 Arm vulnerabilities

1,294 known vulnerabilities affecting msrc/azure_linux_3.0_arm.

Total CVEs: 1,294
CISA KEV: 3 (actively exploited)
Public exploits: 13
Exploited in wild: 6
Severity breakdown: CRITICAL 72, HIGH 496, MEDIUM 697, LOW 28, UNKNOWN 1

Vulnerabilities

CVE-2022-21698 HIGH CVSS 7.5 2022-02-08
CVE-2022-21698 [HIGH] CWE-770 Uncontrolled Resource Consumption in promhttp. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is compose
msrc
CVE-2020-25722 HIGH CVSS 8.8 2022-02-08
CVE-2020-25722 [HIGH] CWE-863 Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored data. An attacker could use this flaw to cause total domain compromise.
msrc
CVE-2020-25718 HIGH CVSS 8.8 2022-02-08
CVE-2020-25718 [HIGH] CWE-862 A flaw was found in the way samba as an Active Directory Domain Controller is able to support an RODC (read-only domain controller). This would allow an RODC to print administrator tickets.
msrc
CVE-2021-44142 HIGH CVSS 8.8 2022-02-08
CVE-2021-44142 [HIGH] CWE-125 The Samba vfs_fruit module uses extended file attributes (EA xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow o
msrc
CVE-2022-23639 HIGH CVSS 8.1 2022-02-08
CVE-2022-23639 [HIGH] CWE-362 Improper Restriction of Operations within the Bounds of a Memory Buffer and Race Condition in crossbeam-utils
msrc
CVE-2016-2124 MEDIUM CVSS 5.9 2022-02-08
CVE-2016-2124 [MEDIUM] CWE-287 A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
msrc
CVE-2021-44141 MEDIUM CVSS 4.3 2022-02-08
CVE-2021-44141 [MEDIUM] CWE-59 All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in or
msrc
CVE-2022-0530 MEDIUM CVSS 5.5 2022-02-08
CVE-2022-0530 [MEDIUM] Conversion of a wide string to a local string that leads to a heap of out-of-bound write
msrc
CVE-2022-0529 MEDIUM CVSS 5.5 2022-02-08
CVE-2022-0529 [MEDIUM] CWE-787 Conversion of a wide string to a local string that leads to a heap of out-of-bound write
msrc
CVE-2021-44716 HIGH CVSS 7.5 2022-01-11
CVE-2021-44716 [HIGH] CWE-400 net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
msrc
CVE-2021-22569 MEDIUM CVSS 5.5 2022-01-11
CVE-2021-22569 [HIGH] CWE-696 Denial of Service of protobuf-java parsing procedure
msrc
CVE-2021-4160 MEDIUM CVSS 5.9 2022-01-11
CVE-2021-4160 [MEDIUM] BN_mod_exp may produce incorrect results on MIPS
msrc
CVE-2021-43566 LOW CVSS 2.5 2022-01-11
CVE-2021-43566 [LOW] CWE-362 All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled or the share also avai
msrc
CVE-2021-45707 CRITICAL CVSS 9.8 2021-12-14
CVE-2021-45707 [CRITICAL] CWE-787 An issue was discovered in the nix crate 0.16.0 and later before 0.20.2, 0.21.x before 0.21.2, and 0.22.x before 0.22.2 for Rust. unistd::getgrouplist has an out-of-bounds write if a user is in more than 16 /etc/groups groups.
msrc
CVE-2021-41771 HIGH CVSS 7.5 2021-11-09
CVE-2021-41771 [HIGH] CWE-119 ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
msrc
CVE-2021-41772 HIGH CVSS 7.5 2021-11-09
CVE-2021-41772 [HIGH] CWE-20 Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.
msrc
CVE-2020-27304 CRITICAL CVSS 9.8 2021-10-12
CVE-2020-27304 [CRITICAL] CWE-22 The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows when using the built-in HTTP form-based file upload mechanism via the mg_handle_form_request API. Web applications that use the file upload form handler and use pa
msrc
CVE-2021-42836 HIGH CVSS 7.5 2021-10-12
CVE-2021-42836 [HIGH] CWE-400 GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.
msrc
CVE-2021-3671 MEDIUM CVSS 6.5 2021-10-12
CVE-2021-3671 [MEDIUM] CWE-476 A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samba server.
msrc
CVE-2021-38190 CRITICAL CVSS 9.8 2021-08-10
CVE-2021-38190 [CRITICAL] CWE-119 An issue was discovered in the nalgebra crate before 0.27.1 for Rust. It allows out-of-bounds memory access because it does not ensure that the number of elements is equal to the product of the row count and column count.
msrc