Enterprise Linux Server Aus
Monthly
A heap-based buffer overflow vulnerability exists in the glib library's g_escape_uri_string() function due to an integer overflow in buffer size calculation when processing strings with a very large number of characters requiring URI escaping. This vulnerability affects multiple Red Hat Enterprise Linux 9.0 and 10.0 distributions across various architectures (x86_64, ARM64, IBM Z, Power). A proof-of-concept exploit is publicly available, though EPSS scoring indicates only 0.01% exploitation probability (1st percentile), suggesting limited active exploitation in the wild despite the availability of exploit code.
A flaw was found in Yelp. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in libsoup. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored. Rated high severity (CVSS 7.5). No vendor patch available.
A flaw was found in rsync. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A path traversal vulnerability exists in rsync. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 19.1%.
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA.
This is an out-of-bounds read vulnerability in GStreamer's gst-plugins-bad MPEG demuxer component that allows remote attackers to crash applications by sending specially crafted MPEG Program Stream Map (PSM) data. The vulnerability affects GStreamer installations across multiple Linux distributions including Debian 8.0/9.0 and Red Hat Enterprise Linux 7.x variants. With an EPSS score of 6.52% (91st percentile), this vulnerability has a moderately elevated probability of exploitation in the wild, though no active exploitation or KEV listing is indicated.
The GStreamer multimedia framework contains an uninitialized memory vulnerability in its VMNC (VMware VNC) decoder that allows remote attackers to read sensitive information from process memory. When processing specially crafted VMNC video files (such as a single-frame movie that doesn't draw to the canvas), the decoder exposes uninitialized memory contents that may contain passwords, cryptographic keys, or other sensitive data from the application's memory space. A proof-of-concept exploit exists and has been publicly disclosed, with an EPSS score of 1.28% indicating moderate real-world exploitation likelihood.
A buffer over-read vulnerability exists in GStreamer's H.264 video decoding implementation that affects Mozilla Firefox, Firefox ESR, Thunderbird, and SeaMonkey on Linux systems. Remote attackers can trigger a denial of service (application crash) or potentially execute arbitrary code by crafting malicious H.264 video data within an m4v file. With an EPSS score of 7.61% (92nd percentile) and patches available from vendors, this vulnerability represents a moderate exploitation risk despite its CVSS 6.8 rating, indicating real-world prioritization is warranted for affected Linux deployments.
A heap-based buffer overflow vulnerability exists in the glib library's g_escape_uri_string() function due to an integer overflow in buffer size calculation when processing strings with a very large number of characters requiring URI escaping. This vulnerability affects multiple Red Hat Enterprise Linux 9.0 and 10.0 distributions across various architectures (x86_64, ARM64, IBM Z, Power). A proof-of-concept exploit is publicly available, though EPSS scoring indicates only 0.01% exploitation probability (1st percentile), suggesting limited active exploitation in the wild despite the availability of exploit code.
A flaw was found in Yelp. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in libsoup. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored. Rated high severity (CVSS 7.5). No vendor patch available.
A flaw was found in rsync. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A path traversal vulnerability exists in rsync. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 19.1%.
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA.
This is an out-of-bounds read vulnerability in GStreamer's gst-plugins-bad MPEG demuxer component that allows remote attackers to crash applications by sending specially crafted MPEG Program Stream Map (PSM) data. The vulnerability affects GStreamer installations across multiple Linux distributions including Debian 8.0/9.0 and Red Hat Enterprise Linux 7.x variants. With an EPSS score of 6.52% (91st percentile), this vulnerability has a moderately elevated probability of exploitation in the wild, though no active exploitation or KEV listing is indicated.
The GStreamer multimedia framework contains an uninitialized memory vulnerability in its VMNC (VMware VNC) decoder that allows remote attackers to read sensitive information from process memory. When processing specially crafted VMNC video files (such as a single-frame movie that doesn't draw to the canvas), the decoder exposes uninitialized memory contents that may contain passwords, cryptographic keys, or other sensitive data from the application's memory space. A proof-of-concept exploit exists and has been publicly disclosed, with an EPSS score of 1.28% indicating moderate real-world exploitation likelihood.
A buffer over-read vulnerability exists in GStreamer's H.264 video decoding implementation that affects Mozilla Firefox, Firefox ESR, Thunderbird, and SeaMonkey on Linux systems. Remote attackers can trigger a denial of service (application crash) or potentially execute arbitrary code by crafting malicious H.264 video data within an m4v file. With an EPSS score of 7.61% (92nd percentile) and patches available from vendors, this vulnerability represents a moderate exploitation risk despite its CVSS 6.8 rating, indicating real-world prioritization is warranted for affected Linux deployments.