MSRC CBL-Mariner 1.0 x64 vulnerabilities
808 known vulnerabilities affecting msrc/cbl_mariner_1.0_x64.
Total CVEs: 808
CISA KEV: 2 (actively exploited)
Public exploits: 17
Exploited in wild: 1
Severity breakdown: CRITICAL 40, HIGH 349, MEDIUM 383, LOW 36
Vulnerabilities
CVE-2021-38593 | HIGH | CVSS 7.5 | CWE-787 | 2021-08-10
Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this v
msrc
CVE-2021-36370 | HIGH | CVSS 7.5 | CWE-287 | 2021-08-10
An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection the fingerprint of the server is neither checked nor displayed. As a result a user connects to the server without the ability to verify its authenticity.
FAQ: Is Azure L
msrc
CVE-2021-3713 | HIGH | CVSS 7.4 | CWE-787 | 2021-08-10
An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3
msrc
CVE-2021-3682 | HIGH | CVSS 8.5 | CWE-763 | 2021-08-10
A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call
msrc
CVE-2021-29923 | HIGH | CVSS 7.5 | 2021-08-10
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet which (in some situations) allows attackers to bypass access control that is based on IP addresses because of unexpected octal interpretation. This affects net.ParseIP
msrc
CVE-2021-35942 | CRITICAL | CVSS 9.1 | CWE-190 | 2021-07-13
The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted crafted pattern potentially resulting in a denial of service or disclosure of information. This o
msrc
CVE-2015-3627 | HIGH | CVSS 7.2 | 2021-07-13
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2015-3627
Mariner: Mariner
Exploit Status: DOS:N/A
Remediation: moby-buildx
msrc
CVE-2014-6407 | HIGH | CVSS 7.5 | 2021-07-13
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2014-6407
Mariner: Mariner
Exploit Status: DOS:N/A
Remediation: moby-buildx
msrc
CVE-2015-3630 | HIGH | CVSS 7.2 | 2021-07-13
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2015-3630
Mariner: Mariner
Exploit Status: DOS:N/A
Remediation: moby-buildx
msrc
CVE-2014-7204 | MEDIUM | CVSS 5.0 | 2021-07-13
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2014-7204
Mariner: Mariner
Exploit Status: DOS:N/A
Remediation: ctags
msrc
CVE-2021-37600 | MEDIUM | CVSS 5.5 | CWE-190 | 2021-07-13
An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments an
msrc
CVE-2014-9358 | MEDIUM | CVSS 6.4 | 2021-07-13
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2014-9358
Mariner: Mariner
Exploit Status: DOS:N/A
Remediation: moby-buildx
msrc
CVE-2014-5277 | MEDIUM | CVSS 5.0 | 2021-07-13
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2014-5277
Mariner: Mariner
Exploit Status: DOS:N/A
Remediation: moby-buildx
msrc
CVE-2015-3631 | LOW | CVSS 3.6 | 2021-07-13
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2015-3631
Mariner: Mariner
Exploit Status: DOS:N/A
Remediation: moby-buildx
msrc
CVE-2021-28691 | HIGH | CVSS 7.8 | CWE-416 | 2021-06-08
Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such ke
msrc
CVE-2021-33503 | HIGH | CVSS 7.5 | CWE-400 | 2021-06-08
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or red
msrc
CVE-2021-32690 | HIGH | CVSS 8.6 | 2021-06-08
CVE-2021-32690 [MEDIUM] CWE-200
Repository credentials passed to alternate domain
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro
msrc
CVE-2021-33624 | MEDIUM | CVSS 4.7 | CWE-843 | 2021-06-08
In kernel/bpf/verifier.c in the Linux kernel before 5.12.13 a branch can be mispredicted (e.g. because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack aka CID-9183671af6db.
FAQ: Is Azure L
msrc
CVE-2020-26558 | MEDIUM | CVSS 4.2 | CWE-287 | 2021-05-11
Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authent
msrc
CVE-2021-28879 | CRITICAL | CVSS 9.8 | CWE-190 | 2021-04-13
In the standard library in Rust before 1.52.0 the Zip implementation can report an incorrect size due to an integer overflow. This bug can lead to a buffer overflow when a consumed Zip iterator is used again.
FAQ: Is Azure Linux the only Microsoft product that inc
msrc