Msrc Cbl Mariner 1.0 Arm vulnerabilities

CVE-2021-2307 [MEDIUM] Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerabili Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where My

CVE-2021-2308 [LOW] Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows hi Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise

CVE-2021-2232 [LOW] Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.23 and prior. Difficult to exploit vulnerability a Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.23 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Ser

CVE-2021-2301 [LOW] Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows hi Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise

CVE-2021-27291 [HIGH] CWE-1333 In pygments 1.1+ fixed in 2.7.4 the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and In pygments 1.1+ fixed in 2.7.4 the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input an attacker can

CVE-2021-20270 [HIGH] CWE-835 An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file as demonstrated by input that only c An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file as demonstrated by input that only contains the "exception" keyword. FAQ: Is Azure Linux the only Micros

CVE-2021-27918 [HIGH] CWE-835 encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode D encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode DecodeElement or Skip method. FAQ: Is Azure Linux the only Microsoft

CVE-2021-29649 [MEDIUM] CWE-401 An issue was discovered in the Linux kernel before 5.11.11. The user mode driver (UMD) has a copy_process() memory leak related to a lack of cleanup steps in kernel/usermode_driver.c and kernel/bpf/pr An issue was discovered in the Linux kernel before 5.11.11. The user mode driver (UMD) has a copy_process() memory leak related to a lack of cleanup steps in kernel/usermode_driver.c and kernel/bpf/preload/bpf_preload_kern.c aka CID-f60a85cad677. FAQ: Is Azure Linux

CVE-2021-29648 [MEDIUM] CWE-307 An issue was discovered in the Linux kernel before 5.11.11. The BPF subsystem does not properly consider that resolved_ids and resolved_sizes are intentionally uninitialized in the vmlinux BPF Type Fo An issue was discovered in the Linux kernel before 5.11.11. The BPF subsystem does not properly consider that resolved_ids and resolved_sizes are intentionally uninitialized in the vmlinux BPF Type Format (BTF) which can cause a system crash upon an unexpected access

CVE-2021-21334 [MEDIUM] CWE-668 environment variable leak environment variable leak FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transpare

CVE-2021-29646 [MEDIUM] An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does not properly validate certain data sizes aka CID-0217ed2848e8. An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does not properly validate certain data sizes aka CID-0217ed2848e8. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnera

CVE-2021-28957 [MEDIUM] CWE-79 An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments the Cleaner class does not remove the formaction attribu An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could

CVE-2021-29650 [MEDIUM] An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table val

CVE-2021-3470 [MEDIUM] CWE-787 A heap overflow issue was found in Redis in versions before 5.0.10 before 6.0.9 and before 6.2.0 when using a heap allocator other than jemalloc or glibc's malloc leading to potential out of bound wri A heap overflow issue was found in Redis in versions before 5.0.10 before 6.0.9 and before 6.2.0 when using a heap allocator other than jemalloc or glibc's malloc leading to potential out of bound write or process crash. Effectively this flaw does not affect the vast

CVE-2021-20197 [MEDIUM] CWE-59 There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar objcopy strip ranlib. When these utilities are run as a privileged user (presuma There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar objcopy strip ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users) an

CVE-2021-20255 [MEDIUM] CWE-674 A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. Th A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or cra

CVE-2021-24032 [MEDIUM] CWE-276 Beginning in v1.4.1 and prior to v1.4.9 due to an incomplete fix for CVE-2021-24031 the Zstandard command-line utility created output files with default permissions and restricted those permissions im Beginning in v1.4.1 and prior to v1.4.9 due to an incomplete fix for CVE-2021-24031 the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be r

CVE-2021-29647 [MEDIUM] CWE-909 An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized dat An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure aka CID-50535249f624. FAQ: Is Azure Linux the only Mic

CVE-2021-27803 [HIGH] A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potent A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code) for an attacker within radio range. FAQ:

CVE-2020-8032 [MEDIUM] CWE-377 Local privilege escalation to root due to insecure tmp file usage Local privilege escalation to root due to insecure tmp file usage FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source l