MSRC CBL-Mariner 1.0 x64 vulnerabilities
808 known vulnerabilities affecting msrc/cbl_mariner_1.0_x64.
Total CVEs: 808
CISA KEV (actively exploited): 2
Public exploits: 17
Exploited in wild: 1
Severity breakdown: CRITICAL 40, HIGH 349, MEDIUM 383, LOW 36
Vulnerabilities
Page 4 of 41
CVE-2023-31124 [LOW] CVSS 3.7 | CWE-330 | 2023-05-09
AutoTools does not set CARES_RANDOM_FILE during cross compilation
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source lib
msrc
CVE-2023-31975 [LOW] CVSS 3.3 | CWE-401 | 2023-05-09
yasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c. Note: Multiple third parties dispute this as a bug and not a vulnerability according to the YASM security policy.
FAQ: Is Azure Linux the only Microsoft product
msrc
CVE-2021-46879 [HIGH] CVSS 7.8 | CWE-787 | 2023-04-11
An issue was discovered in Treasure Data Fluent Bit 1.7.1, a wrong variable is used to get the msgpack data, resulting in a heap overflow in flb_msgpack_gelf_value_ext. An attacker can craft a malicious file and trick the victim to open the file with the software triggeri
msrc
CVE-2023-31486 [HIGH] CVSS 8.1 | CWE-295 | 2023-04-11
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentia
msrc
CVE-2023-24607 [HIGH] CVSS 7.5 | 2023-04-11
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
FAQ: Is Azure Linux the only Microsoft product that inc
msrc
CVE-2021-46878 [HIGH] CVSS 7.8 | CWE-843 | 2023-04-11
An issue was discovered in Treasure Data Fluent Bit 1.7.1, erroneous parsing in flb_pack_msgpack_to_json_format leads to type confusion bug that interprets whatever is on the stack as msgpack maps and arrays, leading to use-after-free. This can be used by an attacker to
msrc
CVE-2023-1838 [HIGH] CVSS 7.1 | CWE-416 | 2023-04-11
A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system and could even lead to a kernel information leak problem.
msrc
CVE-2023-31436 [HIGH] CVSS 7.8 | CWE-787 | 2023-04-11
qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our custom
msrc
CVE-2023-2008 [HIGH] CVSS 7.8 | CWE-129 | 2023-04-11
A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can levera
msrc
CVE-2023-29491 [HIGH] CVSS 7.8 | CWE-787 | 2023-04-11
ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
msrc
CVE-2023-2006 [HIGH] CVSS 7.0 | CWE-362 | 2023-04-11
A race condition was found in the Linux kernel's RxRPC network protocol within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbi
msrc
CVE-2023-1872 [HIGH] CVSS 7.0 | CWE-416 | 2023-04-11
Use-after-free in Linux kernel's io_uring subsystem
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro
msrc
CVE-2023-1829 [HIGH] CVSS 7.8 | CWE-416 | 2023-04-11
Use-after-free in tcindex (traffic control index filter) in the Linux Kernel
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions
msrc
CVE-2023-1786 [MEDIUM] CVSS 5.5 | CWE-532 | 2023-04-11
Sensitive data exposure in cloud-init logs
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Mi
msrc
CVE-2022-48468 [MEDIUM] CVSS 5.5 | CWE-190 | 2023-04-11
protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most s
msrc
CVE-2023-30456 [MEDIUM] CVSS 6.5 | 2023-04-11
An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customer
msrc
CVE-2023-1998 [MEDIUM] CVSS 5.6 | CWE-203 | PoC | 2023-04-11
Spectre v2 SMT mitigations problem in Linux kernel
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro
msrc
CVE-2022-2084 [MEDIUM] CVSS 5.5 | CWE-532 | 2023-04-11
Sensitive data exposure in cloud-init logs
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Mi
msrc
CVE-2023-1916 [MEDIUM] CVSS 6.1 | CWE-125 | 2023-04-11
A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This
msrc
CVE-2023-0458 [MEDIUM] CVSS 4.7 | CWE-476 | 2023-04-11
Spectre V1 Gadget in do_prlimit in the Linux Kernel
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the dist
msrc