Msrc Cbl Mariner 2.0 Arm vulnerabilities

CVE-2023-28642 [MEDIUM] CWE-59 AppArmor bypass with symlinked /proc in runc AppArmor bypass with symlinked /proc in runc FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed

CVE-2023-27534 [HIGH] CWE-22 A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element in addition to its intend A path traversal vulnerability exists in curl Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro

CVE-2023-20958 [HIGH] CWE-125 In read_paint of ttcolr.c there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User int In read_paint of ttcolr.c there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: And

CVE-2023-28448 [MEDIUM] CWE-125 Versionize is lacking bound checks potentially leading to out of bounds memory access Versionize is lacking bound checks potentially leading to out of bounds memory access FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and

CVE-2022-48424 [HIGH] In the Linux kernel before 6.1.3 fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur. In the Linux kernel before 6.1.3 fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure

CVE-2022-44370 [HIGH] CWE-787 NASM v2.16 was discovered to contain a heap buffer overflow in the component quote_for_pmake() asm/nasm.c:856 NASM v2.16 was discovered to contain a heap buffer overflow in the component quote_for_pmake() asm/nasm.c:856 FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment t

CVE-2023-27561 [HIGH] CWE-706 runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges related to libcontainer/rootfs_linux.go. To exploit this an attacker must be able to spawn two containers with custo runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges related to libcontainer/rootfs_linux.go. To exploit this an attacker must be able to spawn two containers with custom volume-mount configurations and be able to run custom images. NOTE:

CVE-2022-4899 [HIGH] CWE-400 A vulnerability was found in zstd v1.4.10 where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun. A vulnerability was found in zstd v1.4.10 where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits

CVE-2023-1670 [HIGH] CWE-416 A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system. FAQ: Is Azure Linux the only Microsoft product that includes

CVE-2023-1393 [HIGH] CWE-416 A flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window (aka COW) the Xserver would leav A flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window (aka COW) the Xserver would leave a dangling pointer to that window in the CompScreen structure which

CVE-2023-1281 [HIGH] CWE-416 UAF in Linux kernel's tcindex (traffic control index filter) implementation UAF in Linux kernel's tcindex (traffic control index filter) implementation FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of

CVE-2023-1252 [HIGH] CWE-416 A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash o A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9

CVE-2022-3116 [HIGH] CWE-476 The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance. An attacker with network access to an application that depends on the vulnerable code path can cause the app The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash. FAQ: Is Azure Linux the only Microsoft product tha

CVE-2023-0179 [HIGH] CWE-190 A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses and potentially allow Local Privilege Esca A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses and potentially allow Local Privilege Escalation to the root user via arbitrary code execution. FAQ: Is Azure L

CVE-2022-48423 [HIGH] CWE-787 In the Linux kernel before 6.1.3 fs/ntfs3/record.c does not validate resident attribute names. An out-of-bounds write may occur. In the Linux kernel before 6.1.3 fs/ntfs3/record.c does not validate resident attribute names. An out-of-bounds write may occur. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the

CVE-2023-0386 [HIGH] CWE-282 A flaw was found in the Linux kernel where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable A flaw was found in the Linux kernel where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allo

CVE-2023-28425 [MEDIUM] CWE-77 Specially crafted MSETNX command can lead to denial-of-service Specially crafted MSETNX command can lead to denial-of-service FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source librari

CVE-2023-25661 [MEDIUM] CWE-20 Denial of Service in TensorFlow Denial of Service in TensorFlow FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed t

CVE-2023-23003 [MEDIUM] CWE-252 In the Linux kernel before 5.16 tools/perf/util/expr.c lacks a check for the hashmap__new return value. In the Linux kernel before 5.16 tools/perf/util/expr.c lacks a check for the hashmap__new return value. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it

CVE-2023-27538 [MEDIUM] CWE-287 An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified which should have prev An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified which should have prevented reuse. libcurl maintains a pool of previously used connection