Risk | High |
Patch available | YES |
Number of vulnerabilities | 53 |
CVE-ID | CVE-2019-8625 CVE-2019-8710 CVE-2019-8720 CVE-2019-8743 CVE-2019-8764 CVE-2019-8766 CVE-2019-8769 CVE-2019-8771 CVE-2019-8782 CVE-2019-8783 CVE-2019-8808 CVE-2019-8811 CVE-2019-8812 CVE-2019-8813 CVE-2019-8814 CVE-2019-8815 CVE-2019-8816 CVE-2019-8819 CVE-2019-8820 CVE-2019-8823 CVE-2019-8835 CVE-2019-8844 CVE-2019-8846 CVE-2020-10018 CVE-2020-11793 CVE-2020-14391 CVE-2020-15503 CVE-2020-3862 CVE-2020-3864 CVE-2020-3865 CVE-2020-3867 CVE-2020-3868 CVE-2020-3885 CVE-2020-3894 CVE-2020-3895 CVE-2020-3897 CVE-2020-3899 CVE-2020-3900 CVE-2020-3901 CVE-2020-3902 CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9806 CVE-2020-9807 CVE-2020-9843 CVE-2020-9850 CVE-2020-9862 CVE-2020-9893 CVE-2020-9894 CVE-2020-9895 CVE-2020-9915 CVE-2020-9925 |
CWE-ID | CWE-79 CWE-119 CWE-200 CWE-416 CWE-312 CWE-346 CWE-840 CWE-362 CWE-843 CWE-20 CWE-77 CWE-125 CWE-264 |
Exploitation vector | Network |
Public exploit | Vulnerability #3 is being exploited in the wild. Public exploit code for vulnerability #34 is available. Public exploit code for vulnerability #41 is available. Public exploit code for vulnerability #47 is available. |
Vulnerable software |
Red Hat CodeReady Linux Builder for IBM z Systems | Operating systems & Components / Operating system |
Red Hat CodeReady Linux Builder for ARM 64 | Operating systems & Components / Operating system |
Red Hat CodeReady Linux Builder for Power, little endian | Operating systems & Components / Operating system |
Red Hat CodeReady Linux Builder for x86_64 | Operating systems & Components / Operating system |
Red Hat Enterprise Linux for ARM 64 | Operating systems & Components / Operating system |
Red Hat Enterprise Linux for Power, little endian | Operating systems & Components / Operating system |
Red Hat Enterprise Linux for IBM z Systems | Operating systems & Components / Operating system |
Red Hat Enterprise Linux for x86_64 | Operating systems & Components / Operating system |
gtk-doc (Red Hat package) | Operating systems & Components / Operating system package or component |
xdg-desktop-portal-gtk (Red Hat package) | Operating systems & Components / Operating system package or component |
xdg-desktop-portal (Red Hat package) | Operating systems & Components / Operating system package or component |
webrtc-audio-processing (Red Hat package) | Operating systems & Components / Operating system package or component |
webkit2gtk3 (Red Hat package) | Operating systems & Components / Operating system package or component |
vte291 (Red Hat package) | Operating systems & Components / Operating system package or component |
tracker (Red Hat package) | Operating systems & Components / Operating system package or component |
pygobject3 (Red Hat package) | Operating systems & Components / Operating system package or component |
potrace (Red Hat package) | Operating systems & Components / Operating system package or component |
pipewire0.2 (Red Hat package) | Operating systems & Components / Operating system package or component |
pipewire (Red Hat package) | Operating systems & Components / Operating system package or component |
nautilus (Red Hat package) | Operating systems & Components / Operating system package or component |
mutter (Red Hat package) | Operating systems & Components / Operating system package or component |
libsoup (Red Hat package) | Operating systems & Components / Operating system package or component |
gvfs (Red Hat package) | Operating systems & Components / Operating system package or component |
gtk3 (Red Hat package) | Operating systems & Components / Operating system package or component |
gsettings-desktop-schemas (Red Hat package) | Operating systems & Components / Operating system package or component |
gnome-terminal (Red Hat package) | Operating systems & Components / Operating system package or component |
gnome-shell-extensions (Red Hat package) | Operating systems & Components / Operating system package or component |
gnome-shell (Red Hat package) | Operating systems & Components / Operating system package or component |
gnome-settings-daemon (Red Hat package) | Operating systems & Components / Operating system package or component |
gnome-session (Red Hat package) | Operating systems & Components / Operating system package or component |
gnome-remote-desktop (Red Hat package) | Operating systems & Components / Operating system package or component |
gnome-photos (Red Hat package) | Operating systems & Components / Operating system package or component |
gdm (Red Hat package) | Operating systems & Components / Operating system package or component |
frei0r-plugins (Red Hat package) | Operating systems & Components / Operating system package or component |
dleyna-renderer (Red Hat package) | Operating systems & Components / Operating system package or component |
PackageKit (Red Hat package) | Operating systems & Components / Operating system package or component |
LibRaw (Red Hat package) | Operating systems & Components / Operating system package or component |
gnome-control-center (Red Hat package) | Operating systems & Components / Operating system package or component |
Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 53 vulnerabilities.
EUVDB-ID: #VU23171
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-8625
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23152
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8710
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23175
Risk: High
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2019-8720
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU23153
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8743
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23154
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-8764
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23156
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8766
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23182
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-8769
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper input validation in the drawing of web page elements. A remote attacker can reveal browsing history when a victim visits a maliciously crafted website.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23183
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-8771
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the iframe sandboxing policy. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23157
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8782
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23158
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8783
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23159
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8808
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23160
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8811
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23161
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8812
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23162
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-8813
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23163
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8814
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23164
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8815
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23165
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8816
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23166
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8819
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23167
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8820
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23170
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8823
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU48062
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8835
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.
Mitigation
Install updates from vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU48063
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8844
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in tvOS 13.3, watchOS 6.1.1, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.
Mitigation
Install updates from vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23613
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-8846
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error in the SVG Marker Element feature of Apple Safari's WebKit. A remote attacker can use a specially crafted HTML web page, which must be opened by a victim, to trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install updates from vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU26076
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-10018
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error when processing web content. A remote attacker can trick a victim into visiting a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install updates from vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU30304
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-11793
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
A use-after-free issue exists in WebKitGTK before 2.28.1 and WPE WebKit before 2.28.1 via crafted web content that allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash).
Mitigation
Install updates from vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU49120
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-14391
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
Description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists in the GNOME Control Center in the way it handles credentials passed from Red Hat Customer Portal. When a user registers a system through the GNOME Settings User Interface, the user's credentials are passed as an argument to gnome-settings-daemon helper, making it readable by an unprivileged local user.
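The exposure described above comes from the process argument vector: on Linux a local user can normally read another process's arguments from /proc/<pid>/cmdline. The following added example (not code from Red Hat, GNOME or this advisory) audits argument vectors for credential-bearing flags and shows the safer pattern of sending the secret over stdin; the helper path, flag names and sample values are constructed assumptions.

```python
import re
import subprocess
import sys
from pathlib import Path

# Flag names treated as credential-bearing (assumption; extend for your environment).
_NAMES = r"--?(?:password|passwd|pass|token|secret|api[-_]?key)"
SECRET_FLAG = re.compile(rf"^{_NAMES}$", re.I)
SECRET_INLINE = re.compile(rf"^({_NAMES})=(.+)$", re.I | re.S)

# Constructed sample in /proc/<pid>/cmdline format (NUL-separated argv).
# The helper path and flags are hypothetical, not the real GNOME helper's interface.
SAMPLE_WEAK = (b"/usr/libexec/example-register-helper\0--username\0alice\0"
               b"--password\0hunter2-constructed\0")


def parse_cmdline(raw: bytes) -> list:
    """Split the NUL-separated argv format used by /proc/<pid>/cmdline."""
    if not raw:
        return []  # kernel threads expose an empty cmdline
    parts = raw.split(b"\0")
    if parts[-1] == b"":
        parts.pop()  # drop the empty field after the trailing NUL
    return [p.decode("utf-8", "replace") for p in parts]


def find_exposed_secrets(argv):
    """Return (index_of_secret_value, flag) for each credential found in argv."""
    findings = []
    i = 1  # argv[0] is the program name
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            break  # everything after "--" is positional
        inline = SECRET_INLINE.match(arg)
        if inline:  # --password=VALUE
            findings.append((i, inline.group(1)))
        elif SECRET_FLAG.match(arg) and i + 1 < len(argv):  # --password VALUE
            findings.append((i + 1, arg))
            i += 1
        i += 1
    return findings


def redact(argv):
    """Copy argv with every detected secret value replaced, safe for logging."""
    out = list(argv)
    for idx, flag in find_exposed_secrets(argv):
        inline = out[idx].startswith(flag + "=")
        out[idx] = f"{flag}=<redacted>" if inline else "<redacted>"
    return out


def scan_proc(proc_root="/proc"):
    """Audit processes visible to the caller; report (pid, redacted argv)."""
    root = Path(proc_root)
    if not root.is_dir():
        return []
    hits = []
    for entry in sorted(root.iterdir()):
        if not entry.name.isdigit():
            continue
        try:
            argv = parse_cmdline((entry / "cmdline").read_bytes())
        except OSError:
            continue  # process exited or access was denied
        if find_exposed_secrets(argv):
            hits.append((int(entry.name), redact(argv)))
    return hits


def run_helper_with_stdin_secret(secret: str):
    """Hardened pattern: the secret travels over a pipe, so argv holds nothing sensitive.

    The child here is a stand-in that only reports how many characters it read.
    """
    argv = [sys.executable, "-c", "import sys; print(len(sys.stdin.read()))"]
    done = subprocess.run(argv, input=secret, capture_output=True,
                          text=True, check=True)
    return argv, int(done.stdout.strip())


if __name__ == "__main__":
    weak = parse_cmdline(SAMPLE_WEAK)
    print("weak argv  :", redact(weak), find_exposed_secrets(weak))
    safe_argv, n = run_helper_with_stdin_secret("hunter2-constructed")
    print("safe argv  :", find_exposed_secrets(safe_argv), "chars via stdin:", n)
    for pid, argv in scan_proc():
        print("live finding:", pid, argv)
```
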
Mitigation
Install updates from vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU31920
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15503
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in "decoders/unpack_thumb.cpp", "postprocessing/mem_image.cpp" and "utils/thumb_utils.cpp". A remote attacker can trigger memory corruption and cause a denial of service condition on the target system.
Mitigation
Install updates from vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU25375
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-3862
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error. A remote attacker can create a specially crafted web page, trick the victim into visiting it and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU25379
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-3864
CWE-ID:
CWE-346 - Origin Validation Error
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a logical error that leads to a DOM object not having a unique security origin. A remote attacker can interact with DOM objects from another domain.
Mitigation
Install updates from vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU25380
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-3865
CWE-ID:
CWE-346 - Origin Validation Error
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a logical error that leads to a top-level DOM object context being incorrectly considered secure. A remote attacker can gain unauthorized access to DOM objects from another domain.
Mitigation
Install updates from vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU25381
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-3867
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU25382
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-3868
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU26432
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-3885
CWE-ID:
CWE-840 - Business Logic Errors (3.0)
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to logical errors. A remote attacker can trick a victim into opening a specially crafted file or visiting a malicious page and cause a file URL to be incorrectly processed.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU26428
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-3894
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to gain access to sensitive information on the system.
The vulnerability exists due to a race condition. A remote attacker can trick a victim into opening a specially crafted file or visiting a malicious page, exploit the race and gain unauthorized access to sensitive information on the target system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU26426
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-3895
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trick a victim into opening a specially crafted file or visiting a malicious page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU26422
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-3897
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the object transition cache. A remote attacker can trick a victim into visiting a malicious page or opening a specially crafted file, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU26430
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-3899
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick a victim into opening a specially crafted file or visiting a malicious page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU26427
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-3900
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trick a victim into opening a specially crafted file or visiting a malicious page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU26424
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-3901
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when processing maliciously crafted web content. A remote attacker can trick a victim into opening a specially crafted file or visiting a malicious page, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU26431
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-3902
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32958
Risk: High
CVSSv4.0: 7.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2020-9802
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code on the target system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU32959
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-9803
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32960
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-9805
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32961
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-9806
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32962
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-9807
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32963
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-9843
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32964
Risk: High
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2020-9850
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code on the target system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
EUVDB-ID: #VU32965
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-9862
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in Web Inspector when copying a URL. A remote attacker can trick the victim into copying a specially crafted URL and execute arbitrary commands on the system with the privileges of the current user.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32966
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-9893
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32967
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-9894
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32968
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-9895
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32969
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-9915
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists because the application does not properly enforce Content Security Policy. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass implemented security restrictions. The vulnerability may allow an attacker to perform cross-site scripting attacks or gain access to sensitive information.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32970
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-9925
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of an arbitrary website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from the vendor's website.
Red Hat CodeReady Linux Builder for IBM z Systems: 8.0
Red Hat CodeReady Linux Builder for ARM 64: 8.0
Red Hat CodeReady Linux Builder for Power, little endian: 8.0
Red Hat CodeReady Linux Builder for x86_64: 8.0
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
gtk-doc (Red Hat package): before 1.28-2.el8
xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8
xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8
webrtc-audio-processing (Red Hat package): before 0.3-9.el8
webkit2gtk3 (Red Hat package): before 2.28.4-1.el8
vte291 (Red Hat package): before 0.52.4-2.el8
tracker (Red Hat package): before 2.1.5-2.el8
pygobject3 (Red Hat package): before 3.28.3-2.el8
potrace (Red Hat package): before 1.15-3.el8
pipewire0.2 (Red Hat package): before 0.2.7-6.el8
pipewire (Red Hat package): before 0.3.6-1.el8
nautilus (Red Hat package): before 3.28.1-14.el8
mutter (Red Hat package): before 3.32.2-48.el8
libsoup (Red Hat package): before 2.62.3-2.el8
gvfs (Red Hat package): before 1.36.2-10.el8
gtk3 (Red Hat package): before 3.22.30-6.el8
gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8
gnome-terminal (Red Hat package): before 3.28.3-2.el8
gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8
gnome-shell (Red Hat package): before 3.32.2-20.el8
gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8
gnome-session (Red Hat package): before 3.28.1-10.el8
gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8
gnome-photos (Red Hat package): before 3.28.1-3.el8
gdm (Red Hat package): before 3.28.3-34.el8
frei0r-plugins (Red Hat package): before 1.6.1-7.el8
dleyna-renderer (Red Hat package): before 0.6.0-3.el8
PackageKit (Red Hat package): before 1.1.12-6.el8
LibRaw (Red Hat package): before 0.19.5-2.el8
gnome-control-center (Red Hat package): before 3.28.2-22.el8
CPE2.3
https://access.redhat.com/errata/RHSA-2020:4451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.