Security Vulnerabilities - CVEs Published In June 2024
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. A control-flow timing lean has been identified in the reference implementation of the Kyber key encapsulation mechanism when it is compiled with Clang 15-18 for `-Os`, `-O1`, and other compilation options. A proof-of-concept local attack on the reference implementation leaks the entire ML-KEM 512 secret key in ~10 minutes using end-to-end decapsulation timing measurements. The issue has been fixed in version 0.10.1. As a possible workaround, some compiler options may produce vectorized code that does not leak secret information, however relying on these compiler options as a workaround may not be reliable.
CVSS Score
5.9
EPSS Score
0.005
Published
2024-06-10
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all drEryk Gabinet installations.This issue affects drEryk Gabinet software versions from 7.0.0.0 through 9.17.0.0.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-06-10
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Simple Care software installations.
This issue affects Estomed Sp. z o.o. Simple Care software in all versions. The software is no longer supported.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-06-10
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Eurosoft Przychodnia installations.
This issue affects Eurosoft Przychodnia software before version 20240417.001 (from that version vulnerability is fixed).
CVSS Score
9.8
EPSS Score
0.001
Published
2024-06-10
Improper restriction of excessive authentication attempts with two factor authentication methods in Checkmk 2.3 before 2.3.0p6 facilitates brute-forcing of second factor mechanisms.
CVSS Score
5.9
EPSS Score
0.003
Published
2024-06-10
CVE-2024-36971
In the Linux kernel, the following vulnerability has been resolved:
net: fix __dst_negative_advice() race
__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.
RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).
Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.
Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.
Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.
Many thanks to Clement Lecigne for tracking this issue.
This old bug became visible after the blamed commit, using UDP sockets.
Known exploited
CVSS Score
7.8
EPSS Score
0.005
Published
2024-06-10
Missing Authorization vulnerability in RafflePress Giveaways and Contests by RafflePress.This issue affects Giveaways and Contests by RafflePress: from n/a through 1.12.4.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-06-10
Missing Authorization vulnerability in Netgsm.This issue affects Netgsm: from n/a through 2.9.16.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-06-10
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.This issue affects WP Time Slots Booking Form: from n/a through 1.2.11.
CVSS Score
5.3
EPSS Score
0.005
Published
2024-06-10
Missing Authorization vulnerability in Awesome Support Team Awesome Support.This issue affects Awesome Support: from n/a through 6.1.7.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-06-10