Risk | High |
Patch available | YES |
Number of vulnerabilities | 23 |
CVE-ID | CVE-2023-0927 CVE-2023-0928 CVE-2023-0929 CVE-2023-0930 CVE-2023-0931 CVE-2023-0932 CVE-2023-0933 CVE-2023-0941 CVE-2023-1213 CVE-2023-1214 CVE-2023-1215 CVE-2023-1216 CVE-2023-1217 CVE-2023-1218 CVE-2023-1219 CVE-2023-1220 CVE-2023-1221 CVE-2023-1222 CVE-2023-1223 CVE-2023-1224 CVE-2023-1225 CVE-2023-1226 CVE-2023-1227 |
CWE-ID | CWE-416 CWE-122 CWE-190 CWE-843 CWE-121 CWE-264 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Fedora (Operating systems & Components / Operating system); xine-lib, wf-recorder, unpaper, stellarium, siril, retroarch, qt6-qtwebengine, qt6-qtmultimedia, qmmp-plugin-pack, qmmp, phd2, nv-codec-headers, notcurses, neatvnc, mpv, mlt, loudgain, libindi, kstars, kpipewire, k3b, indi-3rdparty-libraries, indi-3rdparty-drivers, haruna, guacamole-server, gstreamer1-plugin-libav, ffmpegthumbs, ffmpeg, chromium, chromaprint, celestia, blender, audacious-plugins, attract-mode, alsa-plugins (Operating systems & Components / Operating system package or component) |
Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 23 vulnerabilities.
EUVDB-ID: #VU72543
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-0927
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the Web Payments API component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
xine-lib: before 1.2.13-1.fc38
wf-recorder: before 0.3.1-0.3.20221225gita9725f7.fc38
unpaper: before 7.0.0-7.fc38
stellarium: before 1.2-8.fc38
siril: before 1.0.6-6.fc38
retroarch: before 1.15.0-4.fc38
qt6-qtwebengine: before 6.4.2-4.fc38
qt6-qtmultimedia: before 6.4.2-4.fc38
qmmp-plugin-pack: before 2.1.0-5.fc38
qmmp: before 2.1.2-4.fc38
phd2: before 2.6.11^dev4^20230212a205f63-1.fc38
nv-codec-headers: before 12.0.16.0-1.fc38
notcurses: before 3.0.8-6.fc38
neatvnc: before 0.6.0-2.fc38
mpv: before 0.35.1-3.fc38
mlt: before 7.14.0-2.fc38
loudgain: before 0.6.8-13.fc38
libindi: before 2.0.0-3.fc38
kstars: before 3.6.3-1.fc38
kpipewire: before 5.27.2-2.fc38
k3b: before 22.12.3-2.fc38
indi-3rdparty-libraries: before 2.0.0-1.fc38
indi-3rdparty-drivers: before 2.0.0-2.fc38
haruna: before 0.10.3-3.fc38
guacamole-server: before 1.5.0-2.fc38
gstreamer1-plugin-libav: before 1.22.0-2.fc38
ffmpegthumbs: before 22.12.3-2.fc38
ffmpeg: before 6.0-1.fc38
chromium: before 111.0.5563.64-2.fc38
chromaprint: before 1.5.1-8.fc38
celestia: before 1.7.0~20230305ebfcdb1-4.fc38
blender: before 3.4.1-16.fc38
audacious-plugins: before 4.3-2.fc38
attract-mode: before 2.6.2-6.fc38
alsa-plugins: before 1.2.7.1-5.fc38
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU72544
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-0928
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the SwiftShader component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
Package versions: identical to the list given under CVE-2023-0927 above.
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU72545
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-0929
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the Vulkan component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
Package versions: identical to the list given under CVE-2023-0927 above.
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU72546
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-0930
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in Video. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
Package versions: identical to the list given under CVE-2023-0927 above.
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU72547
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-0931
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the Video component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
Package versions: identical to the list given under CVE-2023-0927 above.
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU72548
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-0932
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the WebRTC component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
Package versions: identical to the list given under CVE-2023-0927 above.
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU72549
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-0933
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to an integer overflow in PDF in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted webpage and crash the browser.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
Package versions: identical to the list given under CVE-2023-0927 above.
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU72542
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-0941
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the Prompts component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
Package versions: identical to the list given under CVE-2023-0927 above.
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73118
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1213
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the Swiftshader component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
Package versions: identical to the list given under CVE-2023-0927 above.
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73119
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1214
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
Package versions: identical to the list given under CVE-2023-0927 above.
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73120
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1215
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the CSS component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
Package versions: identical to the list given under CVE-2023-0927 above.
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73121
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1216
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the DevTools component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
Package versions: identical to the list given under CVE-2023-0927 above.
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73122
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1217
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error in Crash reporting in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versionsFedora: 38
xine-lib: before 1.2.13-1.fc38
wf-recorder: before 0.3.1-0.3.20221225gita9725f7.fc38
unpaper: before 7.0.0-7.fc38
stellarium: before 1.2-8.fc38
siril: before 1.0.6-6.fc38
retroarch: before 1.15.0-4.fc38
qt6-qtwebengine: before 6.4.2-4.fc38
qt6-qtmultimedia: before 6.4.2-4.fc38
qmmp-plugin-pack: before 2.1.0-5.fc38
qmmp: before 2.1.2-4.fc38
phd2: before 2.6.11^dev4^20230212a205f63-1.fc38
nv-codec-headers: before 12.0.16.0-1.fc38
notcurses: before 3.0.8-6.fc38
neatvnc: before 0.6.0-2.fc38
mpv: before 0.35.1-3.fc38
mlt: before 7.14.0-2.fc38
loudgain: before 0.6.8-13.fc38
libindi: before 2.0.0-3.fc38
kstars: before 3.6.3-1.fc38
kpipewire: before 5.27.2-2.fc38
k3b: before 22.12.3-2.fc38
indi-3rdparty-libraries: before 2.0.0-1.fc38
indi-3rdparty-drivers: before 2.0.0-2.fc38
haruna: before 0.10.3-3.fc38
guacamole-server: before 1.5.0-2.fc38
gstreamer1-plugin-libav: before 1.22.0-2.fc38
ffmpegthumbs: before 22.12.3-2.fc38
ffmpeg: before 6.0-1.fc38
chromium: before 111.0.5563.64-2.fc38
chromaprint: before 1.5.1-8.fc38
celestia: before 1.7.0~20230305ebfcdb1-4.fc38
blender: before 3.4.1-16.fc38
audacious-plugins: before 4.3-2.fc38
attract-mode: before 2.6.2-6.fc38
alsa-plugins: before 1.2.7.1-5.fc38
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73123
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1218
CWE-ID: CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a use-after-free error within the WebRTC component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
xine-lib: before 1.2.13-1.fc38
wf-recorder: before 0.3.1-0.3.20221225gita9725f7.fc38
unpaper: before 7.0.0-7.fc38
stellarium: before 1.2-8.fc38
siril: before 1.0.6-6.fc38
retroarch: before 1.15.0-4.fc38
qt6-qtwebengine: before 6.4.2-4.fc38
qt6-qtmultimedia: before 6.4.2-4.fc38
qmmp-plugin-pack: before 2.1.0-5.fc38
qmmp: before 2.1.2-4.fc38
phd2: before 2.6.11^dev4^20230212a205f63-1.fc38
nv-codec-headers: before 12.0.16.0-1.fc38
notcurses: before 3.0.8-6.fc38
neatvnc: before 0.6.0-2.fc38
mpv: before 0.35.1-3.fc38
mlt: before 7.14.0-2.fc38
loudgain: before 0.6.8-13.fc38
libindi: before 2.0.0-3.fc38
kstars: before 3.6.3-1.fc38
kpipewire: before 5.27.2-2.fc38
k3b: before 22.12.3-2.fc38
indi-3rdparty-libraries: before 2.0.0-1.fc38
indi-3rdparty-drivers: before 2.0.0-2.fc38
haruna: before 0.10.3-3.fc38
guacamole-server: before 1.5.0-2.fc38
gstreamer1-plugin-libav: before 1.22.0-2.fc38
ffmpegthumbs: before 22.12.3-2.fc38
ffmpeg: before 6.0-1.fc38
chromium: before 111.0.5563.64-2.fc38
chromaprint: before 1.5.1-8.fc38
celestia: before 1.7.0~20230305ebfcdb1-4.fc38
blender: before 3.4.1-16.fc38
audacious-plugins: before 4.3-2.fc38
attract-mode: before 2.6.2-6.fc38
alsa-plugins: before 1.2.7.1-5.fc38
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73124
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1219
CWE-ID: CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in Metrics. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
xine-lib: before 1.2.13-1.fc38
wf-recorder: before 0.3.1-0.3.20221225gita9725f7.fc38
unpaper: before 7.0.0-7.fc38
stellarium: before 1.2-8.fc38
siril: before 1.0.6-6.fc38
retroarch: before 1.15.0-4.fc38
qt6-qtwebengine: before 6.4.2-4.fc38
qt6-qtmultimedia: before 6.4.2-4.fc38
qmmp-plugin-pack: before 2.1.0-5.fc38
qmmp: before 2.1.2-4.fc38
phd2: before 2.6.11^dev4^20230212a205f63-1.fc38
nv-codec-headers: before 12.0.16.0-1.fc38
notcurses: before 3.0.8-6.fc38
neatvnc: before 0.6.0-2.fc38
mpv: before 0.35.1-3.fc38
mlt: before 7.14.0-2.fc38
loudgain: before 0.6.8-13.fc38
libindi: before 2.0.0-3.fc38
kstars: before 3.6.3-1.fc38
kpipewire: before 5.27.2-2.fc38
k3b: before 22.12.3-2.fc38
indi-3rdparty-libraries: before 2.0.0-1.fc38
indi-3rdparty-drivers: before 2.0.0-2.fc38
haruna: before 0.10.3-3.fc38
guacamole-server: before 1.5.0-2.fc38
gstreamer1-plugin-libav: before 1.22.0-2.fc38
ffmpegthumbs: before 22.12.3-2.fc38
ffmpeg: before 6.0-1.fc38
chromium: before 111.0.5563.64-2.fc38
chromaprint: before 1.5.1-8.fc38
celestia: before 1.7.0~20230305ebfcdb1-4.fc38
blender: before 3.4.1-16.fc38
audacious-plugins: before 4.3-2.fc38
attract-mode: before 2.6.2-6.fc38
alsa-plugins: before 1.2.7.1-5.fc38
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73125
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1220
CWE-ID: CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in UMA. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
xine-lib: before 1.2.13-1.fc38
wf-recorder: before 0.3.1-0.3.20221225gita9725f7.fc38
unpaper: before 7.0.0-7.fc38
stellarium: before 1.2-8.fc38
siril: before 1.0.6-6.fc38
retroarch: before 1.15.0-4.fc38
qt6-qtwebengine: before 6.4.2-4.fc38
qt6-qtmultimedia: before 6.4.2-4.fc38
qmmp-plugin-pack: before 2.1.0-5.fc38
qmmp: before 2.1.2-4.fc38
phd2: before 2.6.11^dev4^20230212a205f63-1.fc38
nv-codec-headers: before 12.0.16.0-1.fc38
notcurses: before 3.0.8-6.fc38
neatvnc: before 0.6.0-2.fc38
mpv: before 0.35.1-3.fc38
mlt: before 7.14.0-2.fc38
loudgain: before 0.6.8-13.fc38
libindi: before 2.0.0-3.fc38
kstars: before 3.6.3-1.fc38
kpipewire: before 5.27.2-2.fc38
k3b: before 22.12.3-2.fc38
indi-3rdparty-libraries: before 2.0.0-1.fc38
indi-3rdparty-drivers: before 2.0.0-2.fc38
haruna: before 0.10.3-3.fc38
guacamole-server: before 1.5.0-2.fc38
gstreamer1-plugin-libav: before 1.22.0-2.fc38
ffmpegthumbs: before 22.12.3-2.fc38
ffmpeg: before 6.0-1.fc38
chromium: before 111.0.5563.64-2.fc38
chromaprint: before 1.5.1-8.fc38
celestia: before 1.7.0~20230305ebfcdb1-4.fc38
blender: before 3.4.1-16.fc38
audacious-plugins: before 4.3-2.fc38
attract-mode: before 2.6.2-6.fc38
alsa-plugins: before 1.2.7.1-5.fc38
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73126
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1221
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in Extensions API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
xine-lib: before 1.2.13-1.fc38
wf-recorder: before 0.3.1-0.3.20221225gita9725f7.fc38
unpaper: before 7.0.0-7.fc38
stellarium: before 1.2-8.fc38
siril: before 1.0.6-6.fc38
retroarch: before 1.15.0-4.fc38
qt6-qtwebengine: before 6.4.2-4.fc38
qt6-qtmultimedia: before 6.4.2-4.fc38
qmmp-plugin-pack: before 2.1.0-5.fc38
qmmp: before 2.1.2-4.fc38
phd2: before 2.6.11^dev4^20230212a205f63-1.fc38
nv-codec-headers: before 12.0.16.0-1.fc38
notcurses: before 3.0.8-6.fc38
neatvnc: before 0.6.0-2.fc38
mpv: before 0.35.1-3.fc38
mlt: before 7.14.0-2.fc38
loudgain: before 0.6.8-13.fc38
libindi: before 2.0.0-3.fc38
kstars: before 3.6.3-1.fc38
kpipewire: before 5.27.2-2.fc38
k3b: before 22.12.3-2.fc38
indi-3rdparty-libraries: before 2.0.0-1.fc38
indi-3rdparty-drivers: before 2.0.0-2.fc38
haruna: before 0.10.3-3.fc38
guacamole-server: before 1.5.0-2.fc38
gstreamer1-plugin-libav: before 1.22.0-2.fc38
ffmpegthumbs: before 22.12.3-2.fc38
ffmpeg: before 6.0-1.fc38
chromium: before 111.0.5563.64-2.fc38
chromaprint: before 1.5.1-8.fc38
celestia: before 1.7.0~20230305ebfcdb1-4.fc38
blender: before 3.4.1-16.fc38
audacious-plugins: before 4.3-2.fc38
attract-mode: before 2.6.2-6.fc38
alsa-plugins: before 1.2.7.1-5.fc38
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73127
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1222
CWE-ID: CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in Web Audio API. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
xine-lib: before 1.2.13-1.fc38
wf-recorder: before 0.3.1-0.3.20221225gita9725f7.fc38
unpaper: before 7.0.0-7.fc38
stellarium: before 1.2-8.fc38
siril: before 1.0.6-6.fc38
retroarch: before 1.15.0-4.fc38
qt6-qtwebengine: before 6.4.2-4.fc38
qt6-qtmultimedia: before 6.4.2-4.fc38
qmmp-plugin-pack: before 2.1.0-5.fc38
qmmp: before 2.1.2-4.fc38
phd2: before 2.6.11^dev4^20230212a205f63-1.fc38
nv-codec-headers: before 12.0.16.0-1.fc38
notcurses: before 3.0.8-6.fc38
neatvnc: before 0.6.0-2.fc38
mpv: before 0.35.1-3.fc38
mlt: before 7.14.0-2.fc38
loudgain: before 0.6.8-13.fc38
libindi: before 2.0.0-3.fc38
kstars: before 3.6.3-1.fc38
kpipewire: before 5.27.2-2.fc38
k3b: before 22.12.3-2.fc38
indi-3rdparty-libraries: before 2.0.0-1.fc38
indi-3rdparty-drivers: before 2.0.0-2.fc38
haruna: before 0.10.3-3.fc38
guacamole-server: before 1.5.0-2.fc38
gstreamer1-plugin-libav: before 1.22.0-2.fc38
ffmpegthumbs: before 22.12.3-2.fc38
ffmpeg: before 6.0-1.fc38
chromium: before 111.0.5563.64-2.fc38
chromaprint: before 1.5.1-8.fc38
celestia: before 1.7.0~20230305ebfcdb1-4.fc38
blender: before 3.4.1-16.fc38
audacious-plugins: before 4.3-2.fc38
attract-mode: before 2.6.2-6.fc38
alsa-plugins: before 1.2.7.1-5.fc38
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73128
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1223
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in Autofill in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
xine-lib: before 1.2.13-1.fc38
wf-recorder: before 0.3.1-0.3.20221225gita9725f7.fc38
unpaper: before 7.0.0-7.fc38
stellarium: before 1.2-8.fc38
siril: before 1.0.6-6.fc38
retroarch: before 1.15.0-4.fc38
qt6-qtwebengine: before 6.4.2-4.fc38
qt6-qtmultimedia: before 6.4.2-4.fc38
qmmp-plugin-pack: before 2.1.0-5.fc38
qmmp: before 2.1.2-4.fc38
phd2: before 2.6.11^dev4^20230212a205f63-1.fc38
nv-codec-headers: before 12.0.16.0-1.fc38
notcurses: before 3.0.8-6.fc38
neatvnc: before 0.6.0-2.fc38
mpv: before 0.35.1-3.fc38
mlt: before 7.14.0-2.fc38
loudgain: before 0.6.8-13.fc38
libindi: before 2.0.0-3.fc38
kstars: before 3.6.3-1.fc38
kpipewire: before 5.27.2-2.fc38
k3b: before 22.12.3-2.fc38
indi-3rdparty-libraries: before 2.0.0-1.fc38
indi-3rdparty-drivers: before 2.0.0-2.fc38
haruna: before 0.10.3-3.fc38
guacamole-server: before 1.5.0-2.fc38
gstreamer1-plugin-libav: before 1.22.0-2.fc38
ffmpegthumbs: before 22.12.3-2.fc38
ffmpeg: before 6.0-1.fc38
chromium: before 111.0.5563.64-2.fc38
chromaprint: before 1.5.1-8.fc38
celestia: before 1.7.0~20230305ebfcdb1-4.fc38
blender: before 3.4.1-16.fc38
audacious-plugins: before 4.3-2.fc38
attract-mode: before 2.6.2-6.fc38
alsa-plugins: before 1.2.7.1-5.fc38
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73129
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1224
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in Web Payments API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
xine-lib: before 1.2.13-1.fc38
wf-recorder: before 0.3.1-0.3.20221225gita9725f7.fc38
unpaper: before 7.0.0-7.fc38
stellarium: before 1.2-8.fc38
siril: before 1.0.6-6.fc38
retroarch: before 1.15.0-4.fc38
qt6-qtwebengine: before 6.4.2-4.fc38
qt6-qtmultimedia: before 6.4.2-4.fc38
qmmp-plugin-pack: before 2.1.0-5.fc38
qmmp: before 2.1.2-4.fc38
phd2: before 2.6.11^dev4^20230212a205f63-1.fc38
nv-codec-headers: before 12.0.16.0-1.fc38
notcurses: before 3.0.8-6.fc38
neatvnc: before 0.6.0-2.fc38
mpv: before 0.35.1-3.fc38
mlt: before 7.14.0-2.fc38
loudgain: before 0.6.8-13.fc38
libindi: before 2.0.0-3.fc38
kstars: before 3.6.3-1.fc38
kpipewire: before 5.27.2-2.fc38
k3b: before 22.12.3-2.fc38
indi-3rdparty-libraries: before 2.0.0-1.fc38
indi-3rdparty-drivers: before 2.0.0-2.fc38
haruna: before 0.10.3-3.fc38
guacamole-server: before 1.5.0-2.fc38
gstreamer1-plugin-libav: before 1.22.0-2.fc38
ffmpegthumbs: before 22.12.3-2.fc38
ffmpeg: before 6.0-1.fc38
chromium: before 111.0.5563.64-2.fc38
chromaprint: before 1.5.1-8.fc38
celestia: before 1.7.0~20230305ebfcdb1-4.fc38
blender: before 3.4.1-16.fc38
audacious-plugins: before 4.3-2.fc38
attract-mode: before 2.6.2-6.fc38
alsa-plugins: before 1.2.7.1-5.fc38
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73130
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1225
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in Navigation in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
xine-lib: before 1.2.13-1.fc38
wf-recorder: before 0.3.1-0.3.20221225gita9725f7.fc38
unpaper: before 7.0.0-7.fc38
stellarium: before 1.2-8.fc38
siril: before 1.0.6-6.fc38
retroarch: before 1.15.0-4.fc38
qt6-qtwebengine: before 6.4.2-4.fc38
qt6-qtmultimedia: before 6.4.2-4.fc38
qmmp-plugin-pack: before 2.1.0-5.fc38
qmmp: before 2.1.2-4.fc38
phd2: before 2.6.11^dev4^20230212a205f63-1.fc38
nv-codec-headers: before 12.0.16.0-1.fc38
notcurses: before 3.0.8-6.fc38
neatvnc: before 0.6.0-2.fc38
mpv: before 0.35.1-3.fc38
mlt: before 7.14.0-2.fc38
loudgain: before 0.6.8-13.fc38
libindi: before 2.0.0-3.fc38
kstars: before 3.6.3-1.fc38
kpipewire: before 5.27.2-2.fc38
k3b: before 22.12.3-2.fc38
indi-3rdparty-libraries: before 2.0.0-1.fc38
indi-3rdparty-drivers: before 2.0.0-2.fc38
haruna: before 0.10.3-3.fc38
guacamole-server: before 1.5.0-2.fc38
gstreamer1-plugin-libav: before 1.22.0-2.fc38
ffmpegthumbs: before 22.12.3-2.fc38
ffmpeg: before 6.0-1.fc38
chromium: before 111.0.5563.64-2.fc38
chromaprint: before 1.5.1-8.fc38
celestia: before 1.7.0~20230305ebfcdb1-4.fc38
blender: before 3.4.1-16.fc38
audacious-plugins: before 4.3-2.fc38
attract-mode: before 2.6.2-6.fc38
alsa-plugins: before 1.2.7.1-5.fc38
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73131
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1226
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in Web Payments API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website, bypass implemented security measures and gain access to sensitive information.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
xine-lib: before 1.2.13-1.fc38
wf-recorder: before 0.3.1-0.3.20221225gita9725f7.fc38
unpaper: before 7.0.0-7.fc38
stellarium: before 1.2-8.fc38
siril: before 1.0.6-6.fc38
retroarch: before 1.15.0-4.fc38
qt6-qtwebengine: before 6.4.2-4.fc38
qt6-qtmultimedia: before 6.4.2-4.fc38
qmmp-plugin-pack: before 2.1.0-5.fc38
qmmp: before 2.1.2-4.fc38
phd2: before 2.6.11^dev4^20230212a205f63-1.fc38
nv-codec-headers: before 12.0.16.0-1.fc38
notcurses: before 3.0.8-6.fc38
neatvnc: before 0.6.0-2.fc38
mpv: before 0.35.1-3.fc38
mlt: before 7.14.0-2.fc38
loudgain: before 0.6.8-13.fc38
libindi: before 2.0.0-3.fc38
kstars: before 3.6.3-1.fc38
kpipewire: before 5.27.2-2.fc38
k3b: before 22.12.3-2.fc38
indi-3rdparty-libraries: before 2.0.0-1.fc38
indi-3rdparty-drivers: before 2.0.0-2.fc38
haruna: before 0.10.3-3.fc38
guacamole-server: before 1.5.0-2.fc38
gstreamer1-plugin-libav: before 1.22.0-2.fc38
ffmpegthumbs: before 22.12.3-2.fc38
ffmpeg: before 6.0-1.fc38
chromium: before 111.0.5563.64-2.fc38
chromaprint: before 1.5.1-8.fc38
celestia: before 1.7.0~20230305ebfcdb1-4.fc38
blender: before 3.4.1-16.fc38
audacious-plugins: before 4.3-2.fc38
attract-mode: before 2.6.2-6.fc38
alsa-plugins: before 1.2.7.1-5.fc38
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU73132
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1227
CWE-ID: CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a use-after-free error within Core in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 38
xine-lib: before 1.2.13-1.fc38
wf-recorder: before 0.3.1-0.3.20221225gita9725f7.fc38
unpaper: before 7.0.0-7.fc38
stellarium: before 1.2-8.fc38
siril: before 1.0.6-6.fc38
retroarch: before 1.15.0-4.fc38
qt6-qtwebengine: before 6.4.2-4.fc38
qt6-qtmultimedia: before 6.4.2-4.fc38
qmmp-plugin-pack: before 2.1.0-5.fc38
qmmp: before 2.1.2-4.fc38
phd2: before 2.6.11^dev4^20230212a205f63-1.fc38
nv-codec-headers: before 12.0.16.0-1.fc38
notcurses: before 3.0.8-6.fc38
neatvnc: before 0.6.0-2.fc38
mpv: before 0.35.1-3.fc38
mlt: before 7.14.0-2.fc38
loudgain: before 0.6.8-13.fc38
libindi: before 2.0.0-3.fc38
kstars: before 3.6.3-1.fc38
kpipewire: before 5.27.2-2.fc38
k3b: before 22.12.3-2.fc38
indi-3rdparty-libraries: before 2.0.0-1.fc38
indi-3rdparty-drivers: before 2.0.0-2.fc38
haruna: before 0.10.3-3.fc38
guacamole-server: before 1.5.0-2.fc38
gstreamer1-plugin-libav: before 1.22.0-2.fc38
ffmpegthumbs: before 22.12.3-2.fc38
ffmpeg: before 6.0-1.fc38
chromium: before 111.0.5563.64-2.fc38
chromaprint: before 1.5.1-8.fc38
celestia: before 1.7.0~20230305ebfcdb1-4.fc38
blender: before 3.4.1-16.fc38
audacious-plugins: before 4.3-2.fc38
attract-mode: before 2.6.2-6.fc38
alsa-plugins: before 1.2.7.1-5.fc38
CPE2.3
http://bodhi.fedoraproject.org/updates/FEDORA-2023-a5e10b188a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.