Msrc Cbl Mariner 2.0 Arm vulnerabilities

CVE-2021-20257 [MEDIUM] CWE-835 An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized wit An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on

CVE-2021-3638 [MEDIUM] CWE-787 An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest co

CVE-2022-27950 [MEDIUM] CWE-401 In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11 a memory leak exists for a certain hid_parse error condition. In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11 a memory leak exists for a certain hid_parse error condition. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux

CVE-2022-0494 [MEDIUM] CWE-908 A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMI A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality. FAQ: Is

CVE-2020-35501 [LOW] CWE-863 A flaw was found in the Linux kernels implementation of audit rules where a syscall can unexpectedly not be correctly not be logged by the audit subsystem A flaw was found in the Linux kernels implementation of audit rules where a syscall can unexpectedly not be correctly not be logged by the audit subsystem FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the ma

CVE-2022-26354 [LOW] CWE-772 A flaw was found in the vhost-vsock device of QEMU. In case of error an invalid element was not detached from the virtqueue before freeing its memory leading to memory leakage and other unexpected res A flaw was found in the vhost-vsock device of QEMU. In case of error an invalid element was not detached from the virtqueue before freeing its memory leading to memory leakage and other unexpected results. Affected QEMU versions Is Azure Linux the only Microsoft product

CVE-2022-23806 [CRITICAL] CWE-252 Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore pote

CVE-2022-21824 [HIGH] CWE-1321 Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter which could be "__prot

CVE-2022-24407 [HIGH] CWE-89 In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28 plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28 plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use t

CVE-2022-23308 [HIGH] CWE-416 valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secur

CVE-2022-23772 [HIGH] CWE-190 Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who

CVE-2022-23773 [HIGH] CWE-436 cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. FAQ: Is Azure Linux the only Micros

CVE-2022-21698 [HIGH] CWE-770 Uncontrolled Resource Consumption in promhttp Uncontrolled Resource Consumption in promhttp FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is compose

CVE-2022-0729 [HIGH] CWE-823 Use of Out-of-range Pointer Offset in vim/vim Use of Out-of-range Pointer Offset in vim/vim FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed

CVE-2021-44531 [HIGH] CWE-295 Accepting arbitrary Subject Alternative Name (SAN) types unless a PKI is specifically defined to use a particular SAN type can result in bypassing name-constrained intermediates. Node.js < 12.22.9 < 1 Accepting arbitrary Subject Alternative Name (SAN) types unless a PKI is specifically defined to use a particular SAN type can result in bypassing name-constrained intermediates. Node.js Is Azure Linux the only Microsoft product that includes this open-source library a

CVE-2022-25255 [HIGH] In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX QProcess could execute a binary from the current working directory when not found in the PATH. In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX QProcess could execute a binary from the current working directory when not found in the PATH. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by

CVE-2022-0696 [MEDIUM] CWE-476 NULL Pointer Dereference in vim/vim NULL Pointer Dereference in vim/vim FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is com

CVE-2022-0714 [MEDIUM] CWE-122 Heap-based Buffer Overflow in vim/vim Heap-based Buffer Overflow in vim/vim FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is

CVE-2022-0563 [MEDIUM] CWE-209 A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. Wh A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file it prints an error me

CVE-2021-3700 [MEDIUM] CWE-416 A use-after-free vulnerability was found in usbredir in versions prior to 0.11.0 in the usbredirparser_serialize() in usbredirparser/usbredirparser.c. This issue occurs when serializing large amounts A use-after-free vulnerability was found in usbredir in versions prior to 0.11.0 in the usbredirparser_serialize() in usbredirparser/usbredirparser.c. This issue occurs when serializing large amounts of buffered write data in the case of a slow or blocked destination.