MSRC CBL-Mariner 2.0 ARM vulnerabilities
1,677 known vulnerabilities affecting msrc/cbl_mariner_2.0_arm.
Total CVEs: 1,677
CISA KEV: 8 (actively exploited)
Public exploits: 16
Exploited in wild: 8
Severity breakdown: CRITICAL 92, HIGH 705, MEDIUM 842, LOW 38
Vulnerabilities
CVE-2021-37615 MEDIUM CVSS 5.5 2021-08-10
CVE-2021-37615 [MEDIUM] CWE-476 Null pointer dereference in Exiv2::Internal::resolveLens0x319
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source librarie
msrc
CVE-2021-36230 HIGH CVSS 8.8 2021-07-13
CVE-2021-36230 [HIGH] CWE-863 HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token allowing privilege escalation to organization owner. Fixed in v202107-1.
msrc
CVE-2021-32785 HIGH CVSS 7.5 2021-07-13
CVE-2021-32785 [MEDIUM] CWE-134 Format string bug in the Redis cache implementation
msrc
CVE-2021-22235 HIGH CVSS 7.5 2021-07-13
CVE-2021-22235 [HIGH] CWE-835 Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6 and 3.2.0 to 3.2.14 allows denial of service via packet injection or crafted capture file
msrc
CVE-2019-25051 HIGH CVSS 7.8 2021-07-13
CVE-2019-25051 [HIGH] CWE-787 objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list).
msrc
CVE-2021-32792 MEDIUM CVSS 6.1 2021-07-13
CVE-2021-32792 [LOW] CWE-79 XSS vulnerability when using OIDCPreservePost On in mod_auth_openidc
msrc
CVE-2021-32791 MEDIUM CVSS 5.9 2021-07-13
CVE-2021-32791 [MEDIUM] CWE-323 Hardcoded static IV and AAD with a reused key in AES GCM encryption in mod_auth_openidc
msrc
CVE-2021-3636 MEDIUM CVSS 4.6 2021-07-13
CVE-2021-3636 [MEDIUM] CWE-287 It was found in OpenShift before version 4.8 that the generated certificate for the in-cluster Service CA incorrectly included additional certificates. The Service CA is automatically mounted into all pods allowing them to safely connect to trusted in-cluster services
msrc
CVE-2021-32786 MEDIUM CVSS 6.1 2021-07-13
CVE-2021-32786 [MEDIUM] CWE-601 Open Redirect in oidc_validate_redirect_url()
msrc
CVE-2021-28691 HIGH CVSS 7.8 2021-06-08
CVE-2021-28691 [HIGH] CWE-416 Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such ke
msrc
CVE-2021-28091 HIGH CVSS 7.5 2021-06-08
CVE-2021-28091 [HIGH] CWE-347 Lasso all versions prior to 2.7.0 has improper verification of a cryptographic signature.
msrc
CVE-2021-22222 HIGH CVSS 7.5 2021-06-08
CVE-2021-22222 [HIGH] CWE-835 Infinite loop in DVB-S2-BB dissector in Wireshark 3.4.0 to 3.4.5 allows denial of service via packet injection or crafted capture file
msrc
CVE-2021-33503 HIGH CVSS 7.5 2021-06-08
CVE-2021-33503 [HIGH] CWE-400 An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or red
msrc
CVE-2021-32690 HIGH CVSS 8.6 2021-06-08
CVE-2021-32690 [MEDIUM] CWE-200 Repository credentials passed to alternate domain
msrc
CVE-2021-3468 MEDIUM CVSS 5.5 2021-06-08
CVE-2021-3468 [MEDIUM] CWE-835 A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function allowing a local attacker to trigger an infinite loop. The highest thre
msrc
CVE-2021-33624 MEDIUM CVSS 4.7 2021-06-08
CVE-2021-33624 [MEDIUM] CWE-843 In kernel/bpf/verifier.c in the Linux kernel before 5.12.13 a branch can be mispredicted (e.g. because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack aka CID-9183671af6db.
msrc
CVE-2021-3588 LOW CVSS 3.3 2021-06-08
CVE-2021-3588 [LOW] CWE-125 memory contents disclosure in cli_feat_read_cb
msrc
CVE-2021-32055 CRITICAL CVSS 9.1 2021-05-11
CVE-2021-32055 [CRITICAL] CWE-125 Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bounds read in situations where an IMAP sequence set ends with a comma. NOTE: the $imap_qresync setting for QRESYNC is no
msrc
CVE-2020-27815 HIGH CVSS 7.8 2021-05-11
CVE-2020-27815 [HIGH] CWE-119 A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidenti
msrc
CVE-2020-14387 HIGH CVSS 7.4 2021-05-11
CVE-2020-14387 [HIGH] CWE-297 A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostn
msrc