MSRC CBL Mariner 2.0 x64 vulnerabilities

1,677 known vulnerabilities affecting msrc/cbl_mariner_2.0_x64.

Total CVEs: 1,677
CISA KEV: 8 (actively exploited)
Public exploits: 16
Exploited in wild: 8
Severity breakdown: CRITICAL 92, HIGH 705, MEDIUM 842, LOW 38

Vulnerabilities

Page 50 of 84
CVE-2023-32681 | MEDIUM | CVSS 6.1 | 2023-05-09
CWE-200: Unintended leak of Proxy-Authorization header in requests
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with w
msrc
CVE-2023-1972 | MEDIUM | CVSS 6.5 | 2023-05-09
CWE-119: A potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c.
msrc
CVE-2023-1981 | MEDIUM | CVSS 5.5 | 2023-05-09
CWE-400: A vulnerability was found in the avahi library. This flaw allows an unprivileged user to make a dbus call causing the avahi daemon to crash.
msrc
CVE-2023-29195 | MEDIUM | CVSS 4.3 | 2023-05-09
CWE-20: Vitess VTAdmin users that can create shards can deny access to other functions
msrc
CVE-2023-2002 | MEDIUM | CVSS 6.8 | 2023-05-09
CWE-863: A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity and
msrc
CVE-2023-28322 | LOW | CVSS 3.7 | 2023-05-09
CWE-200: An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send even when t
msrc
CVE-2023-31975 | LOW | CVSS 3.3 | 2023-05-09
CWE-401: yasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c. Note: Multiple third parties dispute this as a bug and not a vulnerability according to the YASM security policy.
msrc
CVE-2023-26463 | CRITICAL | CVSS 9.8 | 2023-04-11
CWE-476: strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One atta
msrc
CVE-2023-30630 | HIGH | CVSS 7.1 | 2023-04-11
CWE-23: Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible.
msrc
CVE-2023-26917 | HIGH | CVSS 7.5 | 2023-04-11
CWE-476: libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lysp_stmt_validate_value at lys_parse_mem.c.
msrc
CVE-2023-31486 | HIGH | CVSS 8.1 | 2023-04-11
CWE-295: HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
msrc
CVE-2023-21980 | HIGH | CVSS 7.1 | 2023-04-11
CWE-284: Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.7.41 and prior and 8.0.32 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple pr
msrc
CVE-2023-1668 | HIGH | CVSS 8.2 | 2023-04-11
CWE-670: A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP p
msrc
CVE-2023-24607 | HIGH | CVSS 7.5 | 2023-04-11
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
msrc
CVE-2023-1838 | HIGH | CVSS 7.1 | 2023-04-11
CWE-416: A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system and could even lead to a kernel information leak problem.
msrc
CVE-2023-31436 | HIGH | CVSS 7.8 | 2023-04-11
CWE-787: qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
msrc
CVE-2023-2008 | HIGH | CVSS 7.8 | 2023-04-11
CWE-129: A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can levera
msrc
CVE-2023-29491 | HIGH | CVSS 7.8 | 2023-04-11
CWE-787: ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
msrc
CVE-2023-2006 | HIGH | CVSS 7.0 | 2023-04-11
CWE-362: A race condition was found in the Linux kernel's RxRPC network protocol within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbi
msrc
CVE-2023-1872 | HIGH | CVSS 7.0 | 2023-04-11
CWE-416: Use-after-free in Linux kernel's io_uring subsystem
msrc