MSRC CBL-Mariner 2.0 x64 vulnerabilities

1,677 known vulnerabilities affecting msrc/cbl_mariner_2.0_x64.

Total CVEs: 1,677
CISA KEV: 8 (actively exploited)
Public exploits: 16
Exploited in wild: 8
Severity breakdown: CRITICAL 92, HIGH 705, MEDIUM 842, LOW 38

Vulnerabilities

Page 55 of 84
CVE-2023-25725 | CRITICAL | CVSS 9.1 | 2023-02-14
CVE-2023-25725 [CRITICAL] HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP heade
msrc
CVE-2023-24807 | HIGH | CVSS 7.5 | 2023-02-14
CVE-2023-24807 [HIGH] CWE-1333 Undici vulnerable to Regular Expression Denial of Service in Headers. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open so
msrc
CVE-2023-25173 | HIGH | CVSS 7.8 | 2023-02-14
CVE-2023-25173 [MEDIUM] CWE-863 containerd supplementary groups are not set up properly
msrc
CVE-2023-22995 | HIGH | CVSS 7.8 | 2023-02-14
CVE-2023-22995 [HIGH] In the Linux kernel before 5.17, an error path in dwc3_qcom_acpi_register_core in drivers/usb/dwc3/dwc3-qcom.c lacks certain platform_device_put and kfree calls.
msrc
CVE-2022-41722 | HIGH | CVSS 7.5 | 2023-02-14
CVE-2022-41722 [HIGH] CWE-22 Path traversal on Windows in path/filepath
msrc
CVE-2023-23919 | HIGH | CVSS 7.5 | 2023-02-14
CVE-2023-23919 [HIGH] CWE-310 A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases does not clear the OpenSSL error stack after operations that may set it. This may lead to fals
msrc
CVE-2023-23918 | HIGH | CVSS 7.5 | 2023-02-14
CVE-2023-23918 [HIGH] CWE-863 A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) fea
msrc
CVE-2021-37501 | HIGH | CVSS 7.5 | 2023-02-14
CVE-2021-37501 [HIGH] CWE-787 Buffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1.13.0 allows attackers to cause a denial of service via h5tools_str_sprint in /hdf5/tools/lib/h5tools_str.c.
msrc
CVE-2022-31394 | HIGH | CVSS 7.5 | 2023-02-14
CVE-2022-31394 [HIGH] CWE-770 Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks.
msrc
CVE-2022-48339 | HIGH | CVSS 7.8 | 2023-02-14
CVE-2022-48339 [HIGH] CWE-116 An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name
msrc
CVE-2023-24329 | HIGH | CVSS 7.5 | 2023-02-14
CVE-2023-24329 [HIGH] CWE-20 An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
msrc
CVE-2023-0461 | HIGH | CVSS 7.8 | 2023-02-14
CVE-2023-0461 [HIGH] CWE-416 Use-after-free vulnerability in the Linux Kernel
msrc
CVE-2023-22795 | HIGH | CVSS 7.5 | 2023-02-14
CVE-2023-22795 [HIGH] CWE-1333 A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expressio
msrc
CVE-2023-27320 | HIGH | CVSS 7.2 | 2023-02-14
CVE-2023-27320 [HIGH] CWE-415 Sudo before 1.9.13p2 has a double free in the per-command chroot feature.
msrc
CVE-2022-48338 | HIGH | CVSS 7.3 | 2023-02-14
CVE-2022-48338 [HIGH] CWE-77 An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function and bound to C-c C-f. Inside the function the external comm
msrc
CVE-2023-1095 | MEDIUM | CVSS 5.5 | 2023-02-14
CVE-2023-1095 [MEDIUM] CWE-476 In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL point
msrc
CVE-2023-23931 | MEDIUM | CVSS 6.5 | 2023-02-14
CVE-2023-23931 [MEDIUM] CWE-754 Cipher.update_into can corrupt memory in pyca cryptography
msrc
CVE-2023-0567 | MEDIUM | CVSS 6.2 | 2023-02-14
CVE-2023-0567 [HIGH] CWE-916 password_verify() always returns true for some invalid hashes
msrc
CVE-2023-25165 | MEDIUM | CVSS 4.3 | 2023-02-14
CVE-2023-25165 [MEDIUM] CWE-200 getHostByName Function Information Disclosure
msrc
CVE-2023-25153 | MEDIUM | CVSS 5.5 | 2023-02-14
CVE-2023-25153 [MEDIUM] CWE-770 containerd OCI image importer memory exhaustion
msrc