Security Vulnerabilities - CVEs Published In July 2024
An issue was found in upload.php on the Ruijie EG-2000 series gateway. A parameter passed to the class UploadFile is mishandled (%00 and /var/./html are not checked), which can allow an attacker to upload any file to the gateway. This affects EG-2000SE EG_RGOS 11.9 B11P1.
CVSS Score
7.5
EPSS Score
0.0
Published
2024-07-16
An issue was found on the Ruijie EG-2000 series gateway. There is a buffer overflow in client.so. Consequently, an attacker can use login.php to login to any account, without providing its password. This affects EG-2000SE EG_RGOS 11.1(1)B1.
CVSS Score
8.4
EPSS Score
0.0
Published
2024-07-16
An issue was discovered in JFinalCMS v.5.0.0. There is a SQL injection vulnerablity via /admin/div_data/data
CVSS Score
8.8
EPSS Score
0.0
Published
2024-07-16
The vulnerability could be remotely exploited to bypass authentication.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-07-16
Tenda AC18 V15.03.3.10_EN was discovered to contain a stack-based buffer overflow vulnerability via the deviceId parameter at ip/goform/saveParentControlInfo.
CVSS Score
9.8
EPSS Score
0.003
Published
2024-07-16
Tenda AC18 V15.03.3.10_EN was discovered to contain a stack-based buffer overflow vulnerability via the deviceId parameter at ip/goform/addWifiMacFilter.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-07-16
Tenda i29V1.0 V1.0.0.5 was discovered to contain a hardcoded password for root.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-07-16
Sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 30984.
CVSS Score
7.7
EPSS Score
0.001
Published
2024-07-16
In the Linux kernel, the following vulnerability has been resolved:
vdpa: fix use-after-free on vp_vdpa_remove
When vp_vdpa driver is unbind, vp_vdpa is freed in vdpa_unregister_device
and then vp_vdpa->mdev.pci_dev is dereferenced in vp_modern_remove,
triggering use-after-free.
Call Trace of unbinding driver free vp_vdpa :
do_syscall_64
vfs_write
kernfs_fop_write_iter
device_release_driver_internal
pci_device_remove
vp_vdpa_remove
vdpa_unregister_device
kobject_release
device_release
kfree
Call Trace of dereference vp_vdpa->mdev.pci_dev:
vp_modern_remove
pci_release_selected_regions
pci_release_region
pci_resource_len
pci_resource_end
(dev)->resource[(bar)].end
CVSS Score
5.5
EPSS Score
0.001
Published
2024-07-16
In the Linux kernel, the following vulnerability has been resolved:
vhost: fix hung thread due to erroneous iotlb entries
In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when
start is 0 and last is ULONG_MAX. One instance where it can happen
is when userspace sends an IOTLB message with iova=size=uaddr=0
(vhost_process_iotlb_msg). So, an entry with size = 0, start = 0,
last = ULONG_MAX ends up in the iotlb. Next time a packet is sent,
iotlb_access_ok() loops indefinitely due to that erroneous entry.
Call Trace:
<TASK>
iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340
vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366
vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104
vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
Reported by syzbot at:
https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87
To fix this, do two things:
1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map
a range with size 0.
2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX]
by splitting it into two entries.
CVSS Score
5.5
EPSS Score
0.0
Published
2024-07-16