CVE-2018-10923
It was found that the "mknod" call derived from mknod(2) can create files pointing to devices on a glusterfs server node. An authenticated attacker could use this to create an arbitrary device and read...
It was found that an attacker could issue an xattr request via glusterfs FUSE to cause the gluster brick process to crash, resulting in a remote denial of service. If gluster multiplexing is...
An information disclosure vulnerability was discovered in the glusterfs server. An attacker could issue an xattr request via glusterfs FUSE to determine the existence of any file. Date published : 2018-09-04 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10913 https://review.gluster.org/#/c/glusterfs/+/21071/
A flaw was found in the dict_unserialize function of glusterfs, which does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict...
It was found that the glusterfs server is vulnerable to multiple stack-based buffer overflows due to functions in server-rpc-fops.c allocating fixed-size buffers using ‘alloca(3)’. An authenticated attacker could exploit this by mounting a...
It was found that the glusterfs server does not properly sanitize file paths in the "trusted.io-stats-dump" extended attribute, which is used by the "debug/io-stats" translator. An attacker can use this flaw to create files and execute...
AttacheCase ver.3.3.0.0 and earlier allows an arbitrary script execution via unspecified vectors. Date published : 2018-09-04 https://hibara.org/software/attachecase/?lang=en http://jvn.jp/en/jp/JVN02037158/index.html
AttacheCase ver.2.8.4.0 and earlier allows an arbitrary script execution via unspecified vectors. Date published : 2018-09-04 https://hibara.org/software/attachecase/?lang=en http://jvn.jp/en/jp/JVN02037158/index.html
Cross-site scripting vulnerability in Movable Type versions prior to Ver. 6.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Date published : 2018-09-04 http://jvn.jp/en/jp/JVN89550319/index.html
A vulnerability in NoMachine App for Android 5.0.63 and earlier allows attackers to alter environment variables via unspecified vectors. Date published : 2018-09-04 https://www.nomachine.com/TR06P08619 http://jvn.jp/en/jp/JVN14451678/index.html
Untrusted search path vulnerability in the installer of Digital Paper App version 1.4.0.16050 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. Date published : 2018-09-04...
Directory traversal vulnerability in Explzh v.7.58 and earlier allows an attacker to read arbitrary files via unspecified vectors. Date published : 2018-09-04 https://www.ponsoftware.com/archiver/explzh/explzh.htm#explz759 http://jvn.jp/en/jp/JVN55813866/index.html
An issue was discovered in the HDF HDF5 1.8.20 library. There is an out of bounds read in H5L_extern_query at H5Lexternal.c. Date published : 2018-09-03 https://github.com/TeamSeri0us/pocs/tree/master/hdf5/h5stat
Little CMS (aka Little Color Management System) 2.9 has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the...