MSRC CBL-Mariner 2.0 x64 vulnerabilities

1,677 known vulnerabilities affecting msrc/cbl_mariner_2.0_x64.

Total CVEs: 1,677
CISA KEV: 8 (actively exploited)
Public exploits: 16
Exploited in wild: 8
Severity breakdown: CRITICAL 92, HIGH 705, MEDIUM 842, LOW 38

Vulnerabilities

CVE-2023-25012 | MEDIUM | CVSS 4.6 | 2023-02-14
CVE-2023-25012 [MEDIUM] CWE-416 The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is theref
msrc
CVE-2023-22996 | MEDIUM | CVSS 5.5 | 2023-02-14
CVE-2023-22996 [MEDIUM] CWE-772 In the Linux kernel before 5.17.2, drivers/soc/qcom/qcom_aoss.c does not release an of_find_device_by_node reference after use, e.g., with put_device.
msrc
CVE-2023-23920 | MEDIUM | CVSS 4.2 | 2023-02-14
CVE-2023-23920 [MEDIUM] CWE-426 An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privile
msrc
CVE-2023-22997 | MEDIUM | CVSS 5.5 | 2023-02-14
CVE-2023-22997 [MEDIUM] CWE-476 In the Linux kernel before 6.1.2, kernel/module/decompress.c misinterprets the module_get_next_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
msrc
CVE-2023-23936 | MEDIUM | CVSS 5.4 | 2023-02-14
CVE-2023-23936 [MEDIUM] CWE-74 CRLF Injection in Nodejs ‘undici’ via host
msrc
CVE-2023-23916 | MEDIUM | CVSS 6.5 | 2023-02-14
CVE-2023-23916 [MEDIUM] CWE-770 An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multip
msrc
CVE-2023-20052 | MEDIUM | CVSS 5.3 | 2023-02-14
CVE-2023-20052 [MEDIUM] CWE-776 On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated remote attacker to acces
msrc
CVE-2023-23915 | MEDIUM | CVSS 6.5 | 2023-02-14
CVE-2023-23915 [MEDIUM] CWE-319 A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using it
msrc
CVE-2023-22999 | MEDIUM | CVSS 5.5 | 2023-02-14
CVE-2023-22999 [MEDIUM] CWE-476 In the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c misinterprets the dwc3_qcom_create_urs_usb_platdev return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
msrc
CVE-2023-26545 | MEDIUM | CVSS 4.7 | 2023-02-14
CVE-2023-26545 [MEDIUM] CWE-415 In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.
msrc
CVE-2023-22998 | MEDIUM | CVSS 5.5 | 2023-02-14
CVE-2023-22998 [MEDIUM] CWE-436 In the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
msrc
CVE-2023-23934 | LOW | CVSS 2.6 | 2023-02-14
CVE-2023-23934 [LOW] CWE-20 Werkzeug's incorrect parsing of nameless cookies leads to __Host- cookies bypass
msrc
CVE-2022-3515 | CRITICAL | CVSS 9.8 | 2023-01-10
CVE-2022-3515 [CRITICAL] CWE-190 A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example a malicious S/MIME
msrc
CVE-2023-0512 | HIGH | CVSS 7.8 | 2023-01-10
CVE-2023-0512 [HIGH] CWE-369 Divide By Zero in vim/vim
msrc
CVE-2022-2196 | HIGH | CVSS 8.8 | 2023-01-10
CVE-2022-2196 [MEDIUM] CWE-1188 Speculative execution attacks in KVM VMX
msrc
CVE-2023-0266 | HIGH | CVSS 7.8 | KEV | 2023-01-10
CVE-2023-0266 [HIGH] CWE-416 Use after free in SNDRV_CTL_IOCTL_ELEM in Linux Kernel
msrc
CVE-2022-25882 | HIGH | CVSS 7.5 | 2023-01-10
CVE-2022-25882 [HIGH] CWE-22 Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal, as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory, for example "../../../etc/passwd"
msrc
CVE-2022-25881 | HIGH | CVSS 7.5 | 2023-01-10
CVE-2022-25881 [MEDIUM] CWE-1333 This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server when that server reads the cache policy from the request using this library.
msrc
CVE-2022-3650 | HIGH | CVSS 7.8 | 2023-01-10
CVE-2022-3650 [HIGH] CWE-842 A privilege escalation flaw was found in Ceph. Ceph-crash.service allows a local attacker to escalate privileges to root in the form of a crash dump and dump privileged information.
msrc
CVE-2021-36647 | MEDIUM | CVSS 4.7 | 2023-01-10
CVE-2021-36647 [MEDIUM] CWE-327 Use of a Broken or Risky Cryptographic Algorithm in the function mbedtls_mpi_exp_mod() in lignum.c in Mbed TLS all versions before 3.0.0, 2.27.0 or 2.16.11 allows attackers with access to precise enough timing and memory access information (typically an untru
msrc