Msrc Cbl Mariner 1.0 X64 vulnerabilities

CVE-2021-21309 [MEDIUM] CWE-190 Integer overflow on 32-bit systems Integer overflow on 32-bit systems FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is comm

CVE-2020-24455 [MEDIUM] CWE-909 Missing initialization of a variable in the TPM2 source may allow a privileged user to potentially enable an escalation of privilege via local access. This affects tpm2-tss before 3.0.1 and before 2.4 Missing initialization of a variable in the TPM2 source may allow a privileged user to potentially enable an escalation of privilege via local access. This affects tpm2-tss before 3.0.1 and before 2.4.3. FAQ: Is Azure Linux the only Microsoft product that includes t

CVE-2021-23336 [MEDIUM] CWE-444 Web Cache Poisoning Web Cache Poisoning FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this

CVE-2020-28493 [MEDIUM] CWE-400 Regular Expression Denial of Service (ReDoS) Regular Expression Denial of Service (ReDoS) FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is compose

CVE-2021-21284 [MEDIUM] CWE-22 privilege escalation in Moby privilege escalation in Moby FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to tran

CVE-2021-21285 [MEDIUM] CWE-754 Docker daemon crash during image pull of malicious image Docker daemon crash during image pull of malicious image FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with whi

CVE-2021-21303 [MEDIUM] CWE-74 Injection attack in Helm Injection attack in Helm FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency

CVE-2020-27618 [MEDIUM] CWE-835 The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier when processing invalid multi-byte input sequences in IBM1364 IBM1371 IBM1388 IBM1390 and IBM1399 encodings fails to advan The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier when processing invalid multi-byte input sequences in IBM1364 IBM1371 IBM1388 IBM1390 and IBM1399 encodings fails to advance the input state which could lead to an infinite loop in applicat

CVE-2021-20203 [LOW] CWE-190 An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process

CVE-2021-3326 [HIGH] CWE-617 The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier when processing invalid input sequences in the ISO-2022-JP-3 encoding fails an assertion in the code path and aborts the p The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier when processing invalid input sequences in the ISO-2022-JP-3 encoding fails an assertion in the code path and aborts the program potentially resulting in a denial of service. FAQ: Is Azure Li

CVE-2021-3347 [HIGH] CWE-416 An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling allowing local users to execute code in the kernel aka CID-34b1a1ce1458 An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling allowing local users to execute code in the kernel aka CID-34b1a1ce1458. FAQ: Is Azure Linux the only Microsoft product that includes this o

CVE-2021-3114 [MEDIUM] CWE-682 In Go before 1.14.14 and 1.15.x before 1.15.7 crypto/elliptic/p224.go can generate incorrect outputs related to an underflow of the lowest limb during the final complete reduction in the P-224 field. In Go before 1.14.14 and 1.15.x before 1.15.7 crypto/elliptic/p224.go can generate incorrect outputs related to an underflow of the lowest limb during the final complete reduction in the P-224 field. FAQ: Is Azure Linux the only Microsoft product that includes this op

CVE-2020-17380 [MEDIUM] CWE-787 A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() ro A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw

CVE-2020-27783 [MEDIUM] CWE-79 A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers which caused different behaviors between the sanitizer and the user's page. A rem A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

CVE-2020-27534 [MEDIUM] CWE-22 util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname constructed with an empty first argument in an ioutil.Tem util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname constructed with an empty first argument in an ioutil.TempDir call. FAQ: Is Azure Linux the only Microsoft product that incl

CVE-2020-28367 [HIGH] CWE-94 Arbitrary code execution via the go command with cgo in cmd/go Arbitrary code execution via the go command with cgo in cmd/go FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries

CVE-2020-28362 [HIGH] CWE-295 Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open sou

CVE-2020-8277 [HIGH] CWE-400 A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1 < 14.15.1 and < 12.19.1 by getting the applicat A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this

CVE-2009-4487 [MEDIUM] CVE-2009-4487: NIST NVD Details: https://nvd NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2009-4487 Mariner: Mariner [email protected]: [email protected] Customer Action Required: Yes Exploit Status: DOS:N/A Remediation: nginx

CVE-2020-15999 [CRITICAL] CWE-787 Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnera