SB2025012172 - Oracle Solaris update for third-party components
Published: January 21, 2025 Updated: November 28, 2025
Description
This security bulletin contains information about 78 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2024-21207)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
2) Improper input validation (CVE-ID: CVE-2024-21231)
The vulnerability allows a remote authenticated user to perform service disruption.
The vulnerability exists due to improper input validation within the Client programs component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform service disruption.
3) Improper input validation (CVE-ID: CVE-2024-21230)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
4) Improper input validation (CVE-ID: CVE-2024-21219)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
5) Improper input validation (CVE-ID: CVE-2024-21218)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
6) Improper input validation (CVE-ID: CVE-2024-21213)
The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A local privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
7) Improper input validation (CVE-ID: CVE-2024-21212)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Health Monitor component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
8) Improper input validation (CVE-ID: CVE-2024-21209)
The vulnerability allows a remote privileged user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Client: mysqldump component in MySQL Client. A remote privileged user can exploit this vulnerability to gain access to sensitive information.
9) Improper input validation (CVE-ID: CVE-2024-21204)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: PS component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
10) Improper input validation (CVE-ID: CVE-2024-21236)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
11) Improper input validation (CVE-ID: CVE-2024-21203)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: FTS component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
12) Improper input validation (CVE-ID: CVE-2024-21201)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
13) Improper input validation (CVE-ID: CVE-2024-21200)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
14) Improper input validation (CVE-ID: CVE-2024-21199)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
15) Improper input validation (CVE-ID: CVE-2024-21198)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
16) Improper input validation (CVE-ID: CVE-2024-21197)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Information Schema component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
17) Improper input validation (CVE-ID: CVE-2024-21196)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: X Plugin component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
18) Improper input validation (CVE-ID: CVE-2024-21232)
The vulnerability allows a remote privileged user to perform service disruption.
The vulnerability exists due to improper input validation within the Server: Components Services component in MySQL Server. A remote privileged user can exploit this vulnerability to perform service disruption.
19) Improper input validation (CVE-ID: CVE-2024-21237)
The vulnerability allows a remote privileged user to perform service disruption.
The vulnerability exists due to improper input validation within the Server: Group Replication GCS component in MySQL Server. A remote privileged user can exploit this vulnerability to perform service disruption.
20) Improper input validation (CVE-ID: CVE-2024-21193)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: PS component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
21) Integer overflow (CVE-ID: CVE-2024-11236)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the dblib and firebird quoters. A remote attacker can pass specially crafted input to the application, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
22) Insufficient Logging (CVE-ID: CVE-2024-9026)
The vulnerability allows an attacker to alter log files.
The vulnerability exists due to an unspecified error, which can lead to logs from child processes being altered.
23) Out-of-bounds read (CVE-ID: CVE-2024-8932)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the ldap_escape() function. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds read error and read contents of memory on the system.
24) Security features bypass (CVE-ID: CVE-2024-8927)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to environment variable collision, which can lead to cgi.force_redirect bypass. A remote attacker can bypass implemented security restriction and gain unauthorized access to the application.
25) OS Command Injection (CVE-ID: CVE-2024-8926)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the PHP-CGI implementation. A remote attacker can send a specially crafted HTTP request to the application and execute arbitrary OS commands on the system.
26) Input validation error (CVE-ID: CVE-2024-8925)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when parsing multipart form data. A remote attacker can pass specially crafted input to the application and bypass implemented security restrictions.
27) OS Command Injection (CVE-ID: CVE-2024-4577)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the PHP-CGI implementation. A remote attacker can send a specially crafted HTTP request to the application and execute arbitrary OS commands on the system.
28) CRLF injection (CVE-ID: CVE-2024-11234)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of URIs in the streams component when using a proxy. A remote attacker can pass specially crafted data containing CR-LF characters to the application and perform a spoofing attack.
29) Improper input validation (CVE-ID: CVE-2024-21238)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Thread Pooling component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
30) Buffer Over-read (CVE-ID: CVE-2024-11233)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a one byte over-read in streams when using the convert.quoted-printable-decode filter. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
31) Infinite loop (CVE-ID: CVE-2024-8088)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop within the CPython "zipfile" module affecting "zipfile.Path". A remote attacker can consume all available system resources and cause denial of service conditions.
32) Out-of-bounds read (CVE-ID: CVE-2024-7264)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the ASN1 parser code in the GTime2str() function. A remote attacker can trigger an out-of-bounds read error and cause a denial of service condition on the system.
33) Improper input validation (CVE-ID: CVE-2024-21247)
The vulnerability allows a remote privileged user to read and manipulate data.
The vulnerability exists due to improper input validation within the Cluster: General component in MySQL Cluster. A remote privileged user can exploit this vulnerability to read and manipulate data.
34) Improper input validation (CVE-ID: CVE-2024-21244)
The vulnerability allows a remote privileged user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Server: Telemetry component in MySQL Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.
35) Improper input validation (CVE-ID: CVE-2024-21243)
The vulnerability allows a remote privileged user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Server: Telemetry component in MySQL Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.
36) Improper input validation (CVE-ID: CVE-2024-21241)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
37) Improper input validation (CVE-ID: CVE-2024-21239)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
38) Improper input validation (CVE-ID: CVE-2024-21194)
The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
39) Input validation error (CVE-ID: CVE-2024-8250)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in NTLMSSP dissector. A remote attacker can send specially crafted packets via the network and perform a denial of service (DoS) attack.
40) Command Injection (CVE-ID: CVE-2024-53899)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation when handling magic template strings in activation scripts. A local user can pass a specially crafted value via an environment variable to the affected script and execute arbitrary OS commands on the system.
41) Out-of-bounds read (CVE-ID: CVE-2024-5535)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the SSL_select_next_proto() function when using NPN. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds read and perform a denial of service (DoS) attack.
42) Input validation error (CVE-ID: CVE-2024-11168)
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to insufficient validation of bracketed hosts (e.g. []) within the urllib.parse.urlsplit() and urlparse() functions, which allowed hosts that weren't IPv6 or IPvFuture. A remote attacker can pass a specially crafted IP address to the application to bypass implemented IP-based security checks or perform SSRF attacks.
43) Resource exhaustion (CVE-ID: CVE-2024-7592)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources within the 'http.cookies' standard library module when parsing cookies that contain backslashes for quoted characters in the cookie value. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
44) Buffer Over-read (CVE-ID: CVE-2024-8929)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a memory leak within the MySQLnd component. A remote attacker can force the application to leak partial content of the heap and gain access to sensitive information.
45) Infinite loop (CVE-ID: CVE-2024-5569)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop. A remote attacker can pass a specially crafted zip file to the application, consume all available system resources and cause denial of service conditions.
46) Input validation error (CVE-ID: CVE-2023-27043)
The vulnerability allows a remote attacker to bypass filtration.
The vulnerability exists due to insufficient validation of user-supplied input when parsing an email address with a special character. A remote attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain.
47) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-8775)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists because the software stores sensitive information in log files. A local user can read the log files and gain access to sensitive data.
48) Command Injection (CVE-ID: CVE-2024-6923)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of newlines for email headers when serializing an email message. A remote attacker can inject arbitrary headers into serialized email messages.
49) Incorrect authorization (CVE-ID: CVE-2024-9902)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an error within the ansible-core `user` module. A local user can silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
50) Incorrect permission assignment for critical resource (CVE-ID: CVE-2020-15862)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to insecure permissions set by the Net-snmp installed on Debian-based systems. A remote user can overwrite files in net-snmp directory via EXTEND MIB and execute arbitrary code on the system with root privileges.
51) OS Command Injection (CVE-ID: CVE-2024-9287)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation in the venv module when creating a virtual environment. A local user can pass specially crafted strings to the application and execute arbitrary OS commands on the target system.
52) Incorrect Regular Expression (CVE-ID: CVE-2024-6232)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of .tar archives when processing them with regular expressions. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
53) Input validation error (CVE-ID: CVE-2024-10524)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an unspecified error in wget. A remote attacker can trick the victim into connecting to a specially crafted website and bypass certain security restrictions.
54) Input validation error (CVE-ID: CVE-2024-9781)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the AppleTalk and RELOAD Framing dissectors. A remote attacker can send crafted packets to the application and perform a denial of service (DoS) attack.
55) Buffer overflow (CVE-ID: CVE-2024-11691)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Apple GPU drivers. A remote attacker can trick the victim into visiting a specially crafted webpage, trigger memory corruption and execute arbitrary code on the target system.
Note, the vulnerability affects only installations on macOS operating system.
56) NULL pointer dereference (CVE-ID: CVE-2022-24810)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in nsVacmAccessTable when handling malformed OID in a SET request. A remote user can pass specially crafted data to the application and perform a denial of service (DoS) attack.
57) Resource exhaustion (CVE-ID: CVE-2024-53907)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources within the django.utils.html.strip_tags() function. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
58) SQL injection (CVE-ID: CVE-2024-53908)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data within the django.db.models.fields.json.HasKey() function in Oracle lookup. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
59) Out-of-bounds write (CVE-ID: CVE-2022-24805)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when handling INDEX of NET-SNMP-VACM-MIB. A remote attacker can trick the victim into loading a specially crafted MIB collection, trigger an out-of-bounds write and execute arbitrary code on the target system.
60) Information disclosure (CVE-ID: CVE-2024-11159)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error when handling remote content in an OpenPGP encrypted message. A remote attacker can obtain the contents of an encrypted message.
61) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2024-11692)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to an error, which leads to a select dropdown being shown over another tab. A remote attacker can perform a spoofing attack against an arbitrary website.
62) Buffer overflow (CVE-ID: CVE-2024-11699)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
63) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2024-11698)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to an error in handling fullscreen transitions. A remote attacker can force the browser to be stuck in the fullscreen mode even after pressing the "Esc" button and perform a spoofing attack.
Note, the vulnerability affects installations on macOS only.
64) Data Handling (CVE-ID: CVE-2024-11697)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper keypress handling in the executable file confirmation dialog. A remote attacker can trick the victim into executing a malicious file.
65) Improper error handling (CVE-ID: CVE-2024-11696)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper handling of exceptions thrown by the loadManifestFromFile method when validating add-on signatures. A remote attacker can bypass the implemented signature verification process and install a malicious add-on.
66) Spoofing attack (CVE-ID: CVE-2024-11695)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of URLs containing Arabic script and whitespace characters. A remote attacker can spoof the URL of the website.
67) Security features bypass (CVE-ID: CVE-2024-11694)
The vulnerability allows a remote attacker to bypass implemented CSP.
The vulnerability exists because Enhanced Tracking Protection's Strict mode allows a CSP frame-src bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. A remote attacker can masquerade malicious frames as legitimate content.
68) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2024-11693)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists because a file warning is not displayed when downloading .library-ms files. A remote attacker can trick the victim into downloading and executing malicious files on the system.
Note, the vulnerability affects only installations on Windows operating system.
69) Buffer overflow (CVE-ID: CVE-2024-10467)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
70) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-10458)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a permission leak via embed or object elements. A remote attacker can create a specially crafted webpage that embeds a trusted website and force the browser to inherit permissions from this trusted website.
71) Resource management error (CVE-ID: CVE-2024-10466)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling DOM push subscriptions. A remote attacker can send specially crafted data to the browser and crash it.
72) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2024-10465)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists because a clipboard "paste" button persists across different tabs. A remote attacker can trick the victim into pasting content into a malicious tab.
73) Resource management error (CVE-ID: CVE-2024-10464)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to repeated writes to history interface attributes. A remote attacker can crash the browser.
74) Information disclosure (CVE-ID: CVE-2024-10463)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a cross-origin video frame leak. A remote attacker can trick the victim into visiting a specially crafted website and access video frames cross-origin from a different browser tab.
75) Spoofing attack (CVE-ID: CVE-2024-10462)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists because the browser truncates long URLs when displaying the origin of a permission prompt. A remote attacker can perform a spoofing attack by providing an overly long URL that looks like a trusted domain name.
76) Universal cross-site scripting (CVE-ID: CVE-2024-10461)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when handling multipart/x-mixed-replace responses. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of any website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
77) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2024-10460)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists because the origin of an external protocol handler prompt can be obscured using a "data:" URL within an iframe. A remote attacker can perform a spoofing attack.
78) Use-after-free (CVE-ID: CVE-2024-10459)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error in layout with accessibility. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Remediation
Install the update from the vendor's website.