CVE-2024-23638 |
Description: Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`.
CVSS: MEDIUM (6.5) EPSS Score: 1.78%
February 14th, 2025 (5 months ago)
|
CVE-2024-23606 |
Description: An out-of-bounds write vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .famos file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|
CVE-2024-23601 |
Description: A code injection vulnerability exists in the scan_lib.bin functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted scan_lib.bin can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVSS: CRITICAL (9.8) EPSS Score: 0.05%
February 14th, 2025 (5 months ago)
|
CVE-2024-2357 |
Description: The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.
EPSS Score: 0.05%
February 14th, 2025 (5 months ago)
|
CVE-2024-23539 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5.
Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
EPSS Score: 0.98%
February 14th, 2025 (5 months ago)
|
CVE-2024-23538 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5.
Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
EPSS Score: 0.98%
February 14th, 2025 (5 months ago)
|
CVE-2024-23537 |
Description: Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5.
Users are recommended to upgrade to version 1.9.0, which fixes the issue.
EPSS Score: 0.14%
February 14th, 2025 (5 months ago)
|
CVE-2024-23452 |
Description: Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows attacker to smuggle request.
Vulnerability Cause Description:
The http_parser does not comply with the RFC-7230 HTTP 1.1 specification.
Attack scenario:
If a message is received with both a Transfer-Encoding and a Content-Length header field, such a message might indicate an attempt to perform request smuggling or response splitting.
One particular attack scenario is that a bRPC made http server on the backend receiving requests in one persistent connection from frontend server that uses TE to parse request with the logic that 'chunk' is contained in the TE field. in that case an attacker can smuggle a request into the connection to the backend server.
Solution:
You can choose one solution from below:
1. Upgrade bRPC to version 1.8.0, which fixes this issue. Download link: https://github.com/apache/brpc/releases/tag/1.8.0
2. Apply this patch: https://github.com/apache/brpc/pull/2518
EPSS Score: 0.27%
February 14th, 2025 (5 months ago)
|
CVE-2024-23450 |
Description: A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash.
CVSS: MEDIUM (4.9) EPSS Score: 0.06%
February 14th, 2025 (5 months ago)
|
CVE-2024-23349 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1.
XSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to create such an attack.
Users are recommended to upgrade to version [1.2.5], which fixes the issue.
EPSS Score: 0.26%
February 14th, 2025 (5 months ago)
|