Security Bulletin
Summary
IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. These have been addressed in the update.
Vulnerability Details
CVEID: CVE-2024-10977
DESCRIPTION: PostgreSQL could provide weaker than expected security, caused by a flaw with retaining an error message from man-in-the-middle. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CWE: CWE-348: Use of Less Trusted Source
CVSS Source: IBM X-Force
CVSS Base score: 3.1
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVEID: CVE-2024-10978
DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to bypass security restrictions, caused by an incorrect privilege assignment. By sending a specially crafted request, an attacker could exploit this vulnerability to perform unauthorized view or change to different rows.
CWE: CWE-266: Incorrect Privilege Assignment
CVSS Source: IBM X-Force
CVSS Base score: 4.2
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2020-21469
DESCRIPTION: PostgreSQL is vulnerable to a denial of service, caused by a buffer overflow. By sending specially crafted SIGHUP signals, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-32007
DESCRIPTION: Apache CXF is vulnerable to a denial of service, caused by improper input validation by the p2c parameter. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-20: Improper Input Validation
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-45769
DESCRIPTION: Performance Co-Pilot (PCP) is vulnerable to a denial of service, caused by an out-of-bounds write. By sending a specially crafted data, a local authenticated attacker could exploit this vulnerability to cause the program to misbehave or crash.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: CVE.org
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-45770
DESCRIPTION: Performance Co-Pilot (PCP) could allow a local authenticated attacker to gain elevated privileges on the system, caused by a link following flaw, By sending a specially crafted request, an attacker could exploit this vulnerability to escalate privileges.
CWE: CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVSS Source: CVE.org
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2024-0985
DESCRIPTION: Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
CWE: CWE-271: Privilege Dropping / Lowering Errors
CVSS Source: IBM X-Force
CVSS Base score: 8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-4317
DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CWE: CWE-862: Missing Authorization
CVSS Source: IBM X-Force
CVSS Base score: 3.1
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2023-7104
DESCRIPTION: SQLite SQLite3 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the sessionReadRecord function in ext/session/sqlite3session.c. By sending a specially crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2024-10976
DESCRIPTION: Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect polici
CWE: CWE-1250: Improper Preservation of Consistency Between Independent Representations of Shared State
CVSS Source: IBM X-Force
CVSS Base score: 4.2
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2024-24786
DESCRIPTION: Protocol Buffers protobuf-go is vulnerable to a denial of service, caused by an infinite loop flaw in the rotojson.Unmarshal function when unmarshaling certain forms of invalid JSON. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-53677
DESCRIPTION: File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067
CWE: CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS Source: Apache Software Foundation
CVSS Base score: 9.5
CVSS Vector: (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
CVEID: CVE-2023-2454
DESCRIPTION: schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.
CWE: CWE-20: Improper Input Validation
CVSS Source: IBM X-Force
CVSS Base score: 6
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2023-2455
DESCRIPTION: Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
CWE: CWE-20: Improper Input Validation
CVSS Source: IBM X-Force
CVSS Base score: 7.1
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2024-29736
DESCRIPTION: Apache CXF is vulnerable to server-side request forgery, caused by improper validation of WADL stylesheet parameter. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
CWE: CWE-918: Server-Side Request Forgery (SSRF)
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-7348
DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a tme-of-check time-of-use (TOCTOU) race condition in pg_dump. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary SQL functions as the user running pg_dump.
CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2023-5868
DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when perform certain aggregate function calls. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain bytes of server memory from the end of the "unknown"-type value to the next zero byte, and use this information to launch further attacks against the affected system.
CWE: CWE-686: Function Call With Incorrect Argument Type
CVSS Source: IBM X-Force
CVSS Base score: 4.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2023-5869
DESCRIPTION: PostgreSQL is vulnerable to a buffer overflow, caused by improper bounds checking by the SQL array values. By sending a specially crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CWE: CWE-190: Integer Overflow or Wraparound
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-48773
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by pointer derefs in Error Cases Of Rpcrdma_ep_create. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-52492
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the channel unregistration function. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-24857
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a race condition in the conn_info_{min,max}_age_set() function in net/bluetooth. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause bluetooth connection abnormality or a denial of service condition.
CWE: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS Source: IBM X-Force
CVSS Base score: 4.6
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L)
CVEID: CVE-2024-26851
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a bmp length out of range flaw in nf_conntrack_h323. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1286: Improper Validation of Syntactic Correctness of Input
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-26924
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw with the _remove function when more than one element that share the same key. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-26976
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw with when a vCPU is clearing its completion queue. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-27017
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error in netfilter: nft_set_pipapo. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-27062
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a race condition in the nouveau module. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-35839
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error related to netfilter: bridge: replace physindev with physinif in nf_bridge_info. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-427: Uncontrolled Search Path Element
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-35898
DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable(). And thhere is not any protection when iterate over nf_tables_flowtables list in __nft_flowtable_type_get(). Therefore, there is pertential data-race of nf_tables_flowtables list entry. Use list_for_each_entr
CVSS Source: CVE.org
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-35939
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by the leaking of pages on dma_set_decrypted() failure. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-38540
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds flaw when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-125: Out-of-bounds Read
CVSS Source: Red Hat
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-38541
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow in of_modalias(). By sending an overly long argument, a local authenticated attacker could exploit this vulnerability to overflow a buffer and cause a denial of service.
CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source: IBM X-Force
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-38586
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a ring buffer corruption on fragmented Tx packets in r8169. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-457: Use of Uninitialized Variable
CVSS Source: IBM X-Force
CVSS Base score: 4.1
CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-38608
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in netif state handling in net/mlx5e. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-39503
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a race condition between namespace cleanup in ipset and the garbage collection of the list:set type. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-40924
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error related to making DPT object unshrinkable. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-1287: Improper Validation of Specified Type of Input
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-40961
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in fib6_nh_init(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-40983
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a dst refcount before doing decryption. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-1287: Improper Validation of Specified Type of Input
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-40984
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference error. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-41009
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow in ringbuf. By sending an overly long argument, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-41042
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by stack-based buffer overflow inf_tables_api.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-121: Stack-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 4.1
CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-41066
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an skb leak. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-41092
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by a use-after-free error. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE: CWE-416: Use After Free
CVSS Source: IBM X-Force
CVSS Base score: 7.8
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-41093
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by the use of null object of framebuffer. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-42070
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in Netfilter: Nf_tables. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-42079
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in gfs2_log_flush. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-42244
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw in USB: serial: mos7840. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Source: IBM X-Force
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-42284
DESCRIPTION: Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the tipc_udp_addr2str() function. By sending a specially crafted request, a local attacker could overflow a buffer and execute arbitrary code on the system.
CWE: CWE-754: Improper Check for Unusual or Exceptional Conditions
CVSS Source: IBM X-Force
CVSS Base score: 7.3
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
CVEID: CVE-2024-42292
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an out-of-bounds read flaw in the zap_modalias_env() function. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CWE: CWE-125: Out-of-bounds Read
CVSS Source: Red Hat
CVSS Base score: 6.1
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
CVEID: CVE-2024-42301
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by array out-of-bounds issues in sprintf. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-129: Improper Validation of Array Index
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-43854
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw with metadata added by bio_integrity_prep is using plain kmalloc. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-43880
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a object nesting flaw. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1287: Improper Validation of Specified Type of Input
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-43889
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a divide-by-zero panic in padata_mt_helper(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-369: Divide By Zero
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-43892
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a race condition between multiple idr_remove() calls or between idr_alloc()/idr_replace() and idr_remove() functions. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Source: Red Hat
CVSS Base score: 4.7
CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-44935
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the reuseport_add_sock() function. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-44989
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereferences in xfrm real_dev. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-44990
DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: bonding: fix null pointer deref in bond_ipsec_offload_ok We must check if there is an active slave before dereferencing the pointer.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: NVD
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-45018
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by missing initialization of extack in flow offload. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-665: Improper Initialization
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-46826
DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses "randomize_va_space" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.
CVSS Source: NVD
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-47668
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a rare race in __genradix_ptr_alloc(). By sending a specially crafted request, a local attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS Source: IBM X-Force
CVSS Base score: 6.2
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-5870
DESCRIPTION: PostgreSQL is vulnerable to a denial of service, caused by a flaw in the pg_signal_backend role. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: IBM X-Force
CVSS Base score: 2.2
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2024-10979
DESCRIPTION: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CWE: CWE-15: External Control of System or Configuration Setting
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-50602
DESCRIPTION: An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.
CWE: CWE-754: Improper Check for Unusual or Exceptional Conditions
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
DESCRIPTION: PostgreSQL could provide weaker than expected security, caused by a flaw with retaining an error message from man-in-the-middle. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CWE: CWE-348: Use of Less Trusted Source
CVSS Source: IBM X-Force
CVSS Base score: 3.1
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVEID: CVE-2024-10978
DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to bypass security restrictions, caused by an incorrect privilege assignment. By sending a specially crafted request, an attacker could exploit this vulnerability to perform unauthorized view or change to different rows.
CWE: CWE-266: Incorrect Privilege Assignment
CVSS Source: IBM X-Force
CVSS Base score: 4.2
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2020-21469
DESCRIPTION: PostgreSQL is vulnerable to a denial of service, caused by a buffer overflow. By sending specially crafted SIGHUP signals, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-32007
DESCRIPTION: Apache CXF is vulnerable to a denial of service, caused by improper input validation by the p2c parameter. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-20: Improper Input Validation
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-45769
DESCRIPTION: Performance Co-Pilot (PCP) is vulnerable to a denial of service, caused by an out-of-bounds write. By sending a specially crafted data, a local authenticated attacker could exploit this vulnerability to cause the program to misbehave or crash.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: CVE.org
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-45770
DESCRIPTION: Performance Co-Pilot (PCP) could allow a local authenticated attacker to gain elevated privileges on the system, caused by a link following flaw, By sending a specially crafted request, an attacker could exploit this vulnerability to escalate privileges.
CWE: CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVSS Source: CVE.org
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2024-0985
DESCRIPTION: Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
CWE: CWE-271: Privilege Dropping / Lowering Errors
CVSS Source: IBM X-Force
CVSS Base score: 8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-4317
DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CWE: CWE-862: Missing Authorization
CVSS Source: IBM X-Force
CVSS Base score: 3.1
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2023-7104
DESCRIPTION: SQLite SQLite3 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the sessionReadRecord function in ext/session/sqlite3session.c. By sending a specially crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2024-10976
DESCRIPTION: Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect polici
CWE: CWE-1250: Improper Preservation of Consistency Between Independent Representations of Shared State
CVSS Source: IBM X-Force
CVSS Base score: 4.2
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2024-24786
DESCRIPTION: Protocol Buffers protobuf-go is vulnerable to a denial of service, caused by an infinite loop flaw in the rotojson.Unmarshal function when unmarshaling certain forms of invalid JSON. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-53677
DESCRIPTION: File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067
CWE: CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS Source: Apache Software Foundation
CVSS Base score: 9.5
CVSS Vector: (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
CVEID: CVE-2023-2454
DESCRIPTION: schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.
CWE: CWE-20: Improper Input Validation
CVSS Source: IBM X-Force
CVSS Base score: 6
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2023-2455
DESCRIPTION: Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
CWE: CWE-20: Improper Input Validation
CVSS Source: IBM X-Force
CVSS Base score: 7.1
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2024-29736
DESCRIPTION: Apache CXF is vulnerable to server-side request forgery, caused by improper validation of WADL stylesheet parameter. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
CWE: CWE-918: Server-Side Request Forgery (SSRF)
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-7348
DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a tme-of-check time-of-use (TOCTOU) race condition in pg_dump. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary SQL functions as the user running pg_dump.
CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2023-5868
DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when perform certain aggregate function calls. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain bytes of server memory from the end of the "unknown"-type value to the next zero byte, and use this information to launch further attacks against the affected system.
CWE: CWE-686: Function Call With Incorrect Argument Type
CVSS Source: IBM X-Force
CVSS Base score: 4.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2023-5869
DESCRIPTION: PostgreSQL is vulnerable to a buffer overflow, caused by improper bounds checking by the SQL array values. By sending a specially crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CWE: CWE-190: Integer Overflow or Wraparound
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-48773
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by pointer derefs in Error Cases Of Rpcrdma_ep_create. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-52492
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the channel unregistration function. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-24857
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a race condition in the conn_info_{min,max}_age_set() function in net/bluetooth. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause bluetooth connection abnormality or a denial of service condition.
CWE: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS Source: IBM X-Force
CVSS Base score: 4.6
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L)
CVEID: CVE-2024-26851
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a bmp length out of range flaw in nf_conntrack_h323. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1286: Improper Validation of Syntactic Correctness of Input
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-26924
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw with the _remove function when more than one element that share the same key. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-26976
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw with when a vCPU is clearing its completion queue. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-27017
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error in netfilter: nft_set_pipapo. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-27062
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a race condition in the nouveau module. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-35839
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error related to netfilter: bridge: replace physindev with physinif in nf_bridge_info. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-427: Uncontrolled Search Path Element
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-35898
DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable(). And thhere is not any protection when iterate over nf_tables_flowtables list in __nft_flowtable_type_get(). Therefore, there is pertential data-race of nf_tables_flowtables list entry. Use list_for_each_entr
CVSS Source: CVE.org
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-35939
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by the leaking of pages on dma_set_decrypted() failure. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-38540
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds flaw when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-125: Out-of-bounds Read
CVSS Source: Red Hat
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-38541
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow in of_modalias(). By sending an overly long argument, a local authenticated attacker could exploit this vulnerability to overflow a buffer and cause a denial of service.
CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source: IBM X-Force
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-38586
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a ring buffer corruption on fragmented Tx packets in r8169. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-457: Use of Uninitialized Variable
CVSS Source: IBM X-Force
CVSS Base score: 4.1
CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-38608
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in netif state handling in net/mlx5e. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-39503
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a race condition between namespace cleanup in ipset and the garbage collection of the list:set type. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-40924
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error related to making DPT object unshrinkable. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-1287: Improper Validation of Specified Type of Input
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-40961
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in fib6_nh_init(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-40983
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a dst refcount before doing decryption. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-1287: Improper Validation of Specified Type of Input
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-40984
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference error. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-41009
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow in ringbuf. By sending an overly long argument, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-41042
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by stack-based buffer overflow inf_tables_api.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-121: Stack-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 4.1
CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-41066
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an skb leak. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-41092
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by a use-after-free error. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE: CWE-416: Use After Free
CVSS Source: IBM X-Force
CVSS Base score: 7.8
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-41093
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by the use of null object of framebuffer. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-42070
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in Netfilter: Nf_tables. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-42079
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in gfs2_log_flush. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-42244
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw in USB: serial: mos7840. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Source: IBM X-Force
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-42284
DESCRIPTION: Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the tipc_udp_addr2str() function. By sending a specially crafted request, a local attacker could overflow a buffer and execute arbitrary code on the system.
CWE: CWE-754: Improper Check for Unusual or Exceptional Conditions
CVSS Source: IBM X-Force
CVSS Base score: 7.3
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
CVEID: CVE-2024-42292
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an out-of-bounds read flaw in the zap_modalias_env() function. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CWE: CWE-125: Out-of-bounds Read
CVSS Source: Red Hat
CVSS Base score: 6.1
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
CVEID: CVE-2024-42301
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by array out-of-bounds issues in sprintf. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-129: Improper Validation of Array Index
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-43854
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a flaw with metadata added by bio_integrity_prep is using plain kmalloc. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-43880
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a object nesting flaw. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-1287: Improper Validation of Specified Type of Input
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-43889
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a divide-by-zero panic in padata_mt_helper(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-369: Divide By Zero
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-43892
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a race condition between multiple idr_remove() calls or between idr_alloc()/idr_replace() and idr_remove() functions. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Source: Red Hat
CVSS Base score: 4.7
CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-44935
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the reuseport_add_sock() function. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-44989
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereferences in xfrm real_dev. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: Red Hat
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-44990
DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: bonding: fix null pointer deref in bond_ipsec_offload_ok We must check if there is an active slave before dereferencing the pointer.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: NVD
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-45018
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by missing initialization of extack in flow offload. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-665: Improper Initialization
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-46826
DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses "randomize_va_space" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.
CVSS Source: NVD
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-47668
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a rare race in __genradix_ptr_alloc(). By sending a specially crafted request, a local attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS Source: IBM X-Force
CVSS Base score: 6.2
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-5870
DESCRIPTION: PostgreSQL is vulnerable to a denial of service, caused by a flaw in the pg_signal_backend role. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: IBM X-Force
CVSS Base score: 2.2
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2024-10979
DESCRIPTION: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CWE: CWE-15: External Control of System or Configuration Setting
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-50602
DESCRIPTION: An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.
CWE: CWE-754: Improper Check for Unusual or Exceptional Conditions
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM QRadar SIEM | 7.5 - 7.5.0 UP10 IF02 |
Remediation/Fixes
IBM encourages customers to update their systems promptly.
| Product | Version | Fix |
| IBM QRadar SIEM | 7.5.0 | QRadar 7.5.0 UP11 |
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Off
Acknowledgement
Change History
03 Feb 2025: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Location
Worldwide
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.5.0","Edition":"","Line of Business":{"code":"LOB77","label":"Automation Platform"}}]
Was this topic helpful?
Document Information
Modified date:
25 March 2025
UID
ibm17182335