Effectively, a double-fetch vulnerability in Intel SMM's SMI handler that could allow a local attacker to escalate into System Management Mode. It receives a CommBuffer that contains a Data pointer and a size value…
When using the ssrfFilter library in conjunction with the Request library in JavaScript there is a bug that can result in the SSRF filter being disabled. The way the anti-SSRF library, ssrfFilter, works is that it creates its own object that can be used in place of Node's default request agent for http/https requests…
Three vulns in Apollo Configuration Management System (two of which were recognized as CVEs). The first vuln (which isn't acknowledged by the vendor) is a Spring Expression Language (SpEL) issue where various settings are merged with Spring Framework properties, allowing SpEL injection for RCE…
A few vulnerabilities in Azure Web Services via Kudu Git repo manager used for git deployments. Kudu exports a source control management (SCM) portal that can be accessed if you're authenticated into the instance through Azure Active Directory (AAD), which allows you to manage your web app…
Solid post documenting some of the practical aspects of pulling off this attack, but the root issue was a change in Android's parcel API. Without going into details about parcels, you can think of this as similar to just opening a file. You usually need to provide a mode, like w for write, or r for read access…
Yet another case of bad synchronization, or just performing operations in the wrong order. In this case ene_remove, called when removing the device, will remove its internal allocations and everything before it actually unregisters the device…
A type confusion happens during the initialization of TUN/TAP sockets that leads to the UID being fixed to 0. The root cause of this bug is the incorrect assumption made by sock_init_data() regarding the struct socket input…
Two vulnerabilities in the TPM 2.0 reference implementation's CryptParameterDecryption(). The Trusted Platform Module (TPM) is used for key storage, key generation, and attestation via storing and taking "measurements" (integrity checks) in the boot process…
A straightforward integer underflow issue in OpenBSD TCP/IP socket's sockopt handling. While ip_dooptions() and the IPOPT_SSRR option handler will check that the user-provided optlen isn't too large, it won't check if it's too small…
An information disclosure in GitHub through the Security Advisories feature. GitHub allows maintainers to draft public advisories, and in doing so you can create a temporary private fork to collaborate on and review fixes without disclosing them publicly…