Msrc Cbl Mariner 1.0 X64 vulnerabilities

CVE-2019-13139 [HIGH] CWE-78 In Docker before 18.09.4 an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "dock In Docker before 18.09.4 an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs and results in command injection i

CVE-2018-20969 [HIGH] CWE-78 do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638 but the ! syntax is specific to ed and is unre do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638 but the ! syntax is specific to ed and is unrelated to a shell metacharacter. FAQ: Is Azure Linux the only Microsof

CVE-2019-9516 [MEDIUM] CWE-770 Some HTTP/2 implementations are vulnerable to a header leak potentially leading to a denial of service Some HTTP/2 implementations are vulnerable to a header leak potentially leading to a denial of service FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up

CVE-2019-1010180 [HIGH] CWE-125 GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed versio

CVE-2019-13509 [HIGH] CWE-532 In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10) Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a s In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10) Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that inc

CVE-2019-13638 [HIGH] CWE-78 GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed edito GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is differ

CVE-2019-13636 [MEDIUM] CWE-59 In GNU patch through 2.7.6 the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c. In GNU patch through 2.7.6 the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers w

CVE-2019-14250 [MEDIUM] CWE-787 An issue was discovered in GNU libiberty as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value leading to an integer overflow and An issue was discovered in GNU libiberty as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value leading to an integer overflow and resultant heap-based buffer overflow. FAQ: Is Azure Linux the onl

CVE-2019-14444 [MEDIUM] CWE-190 apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF file as demonstrated by readelf. FAQ: Is Azure Linux the only Micr

CVE-2019-13232 [LOW] CWE-400 Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container leading to denial of service (resource consumption) aka a "better zip bomb" issue. Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container leading to denial of service (resource consumption) aka a "better zip bomb" issue. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? O

CVE-2019-12900 [CRITICAL] CWE-787 BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the comm

CVE-2019-12735 [HIGH] CWE-78 getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline as demonstrated by execute in Vim and assert_fa getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline as demonstrated by execute in Vim and assert_fails or nvim_input in Neovim. FAQ: Is Azure Linux the only Microsoft p

CVE-2019-13012 [CRITICAL] CWE-732 The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir NULL NULL) and files using g_file_replace_contents (kfsb- The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir NULL NULL) and files using g_file_replace_contents (kfsb->file contents length NULL FALSE G_FILE_CREATE_REPLACE_DESTINATIO

CVE-2019-12855 [HIGH] CWE-295 In words.protocols.jabber.xmlstream in Twisted through 19.2.1 XMPP support did not verify certificates when used with TLS allowing an attacker to MITM connections. In words.protocols.jabber.xmlstream in Twisted through 19.2.1 XMPP support did not verify certificates when used with TLS allowing an attacker to MITM connections. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerabi

CVE-2018-20843 [HIGH] CWE-611 In libexpat in Expat before 2.2.7 XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough In libexpat in Expat before 2.2.7 XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). FAQ: Is Azure Linux the

CVE-2019-12972 [MEDIUM] CWE-125 An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd) as distributed in GNU Binutils 2.32. There is a heap-based buffer over-read in _bfd_doprnt in bfd.c because elf_object_ An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd) as distributed in GNU Binutils 2.32. There is a heap-based buffer over-read in _bfd_doprnt in bfd.c because elf_object_p in elfcode.h mishandles an e_shstrndx section of type SHT_GROUP b

CVE-2019-12450 [CRITICAL] CWE-362 file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead default permissions are used. file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead default permissions are used. FAQ: Is Azure Linux the only Microsoft product that includes this open-source libra

CVE-2019-12439 [HIGH] CWE-20 bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR) a local attacker may abuse this flaw to p bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR) a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute co

CVE-2019-3843 [HIGH] CWE-269 It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be

CVE-2019-3844 [HIGH] CWE-268 It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries which would allow to create binaries owned by the service transien It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to