Msrc Cbl Mariner 1.0 Arm vulnerabilities

808 known vulnerabilities affecting msrc/cbl_mariner_1.0_arm.

Total CVEs: 808
CISA KEV: 2 (actively exploited)
Public exploits: 17
Exploited in wild: 1
Severity breakdown: CRITICAL 40, HIGH 349, MEDIUM 383, LOW 36

Vulnerabilities

Page 7 of 41
CVE-2023-0590 | MEDIUM | CVSS 4.7 | 2023-03-14
CVE-2023-0590 [MEDIUM] CWE-416 A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ("net: sched: fix race condition in qdisc_graft()") not applied yet then kernel could b
msrc
CVE-2023-1079 | MEDIUM | CVSS 6.8 | 2023-03-14
CVE-2023-1079 [MEDIUM] CWE-416 A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012 but in asus devices the wo
msrc
CVE-2023-0466 | MEDIUM | CVSS 5.3 | 2023-03-14
CVE-2023-0466 [MEDIUM] CWE-295 Certificate policy check not enabled. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is c
msrc
CVE-2023-1513 | LOW | CVSS 3.3 | 2023-03-14
CVE-2023-1513 [LOW] CWE-665 A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl on 32-bit systems there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace causing an information leak.
msrc
CVE-2021-3923 | LOW | CVSS 2.3 | 2023-03-14
CVE-2021-3923 [LOW] CWE-200 A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive
msrc
CVE-2023-23914 | CRITICAL | CVSS 9.1 | 2023-02-14
CVE-2023-23914 [CRITICAL] CWE-319 A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support curl
msrc
CVE-2023-25725 | CRITICAL | CVSS 9.1 | 2023-02-14
CVE-2023-25725 [CRITICAL] HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names which could be used to truncate the list of HTTP heade
msrc
CVE-2023-25173 | HIGH | CVSS 7.8 | 2023-02-14
CVE-2023-25173 [MEDIUM] CWE-863 containerd supplementary groups are not set up properly.
msrc
CVE-2023-23919 | HIGH | CVSS 7.5 | 2023-02-14
CVE-2023-23919 [HIGH] CWE-310 A cryptographic vulnerability exists in Node.js <19.2.0 <18.14.1 <16.19.1 <14.21.3 that in some cases does not clear the OpenSSL error stack after operations that may set it. This may lead to fals
msrc
CVE-2023-23918 | HIGH | CVSS 7.5 | 2023-02-14
CVE-2023-23918 [HIGH] CWE-863 A privilege escalation vulnerability exists in Node.js <19.6.1 <18.14.1 <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) fea
msrc
CVE-2023-24329 | HIGH | CVSS 7.5 | 2023-02-14
CVE-2023-24329 [HIGH] CWE-20 An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
msrc
CVE-2023-0461 | HIGH | CVSS 7.8 | 2023-02-14
CVE-2023-0461 [HIGH] CWE-416 Use-after-free vulnerability in the Linux Kernel.
msrc
CVE-2023-27320 | HIGH | CVSS 7.2 | 2023-02-14
CVE-2023-27320 [HIGH] CWE-415 Sudo before 1.9.13p2 has a double free in the per-command chroot feature.
msrc
CVE-2023-1095 | MEDIUM | CVSS 5.5 | 2023-02-14
CVE-2023-1095 [MEDIUM] CWE-476 In nf_tables_updtable if nf_tables_table_enable returns an error nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del() but the transaction was never placed on a list -- the list head is all zeroes this results in a NULL point
msrc
CVE-2023-23931 | MEDIUM | CVSS 6.5 | 2023-02-14
CVE-2023-23931 [MEDIUM] CWE-754 Cipher.update_into can corrupt memory in pyca cryptography.
msrc
CVE-2023-25165 | MEDIUM | CVSS 4.3 | 2023-02-14
CVE-2023-25165 [MEDIUM] CWE-200 getHostByName Function Information Disclosure.
msrc
CVE-2023-25153 | MEDIUM | CVSS 5.5 | 2023-02-14
CVE-2023-25153 [MEDIUM] CWE-770 containerd OCI image importer memory exhaustion.
msrc
CVE-2023-25012 | MEDIUM | CVSS 4.6 | 2023-02-14
CVE-2023-25012 [MEDIUM] CWE-416 The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.
msrc
CVE-2023-22996 | MEDIUM | CVSS 5.5 | 2023-02-14
CVE-2023-22996 [MEDIUM] CWE-772 In the Linux kernel before 5.17.2 drivers/soc/qcom/qcom_aoss.c does not release an of_find_device_by_node reference after use e.g. with put_device.
msrc
CVE-2023-23920 | MEDIUM | CVSS 4.2 | 2023-02-14
CVE-2023-23920 [MEDIUM] CWE-426 An untrusted search path vulnerability exists in Node.js. <19.6.1 <18.14.1 <16.19.1 and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privile
msrc
Msrc Cbl Mariner 1.0 Arm vulnerabilities | cvebase