CVE-2023-35945

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.

Source: CVE-2023-35945

CVE-2023-30565

An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker.

Source: CVE-2023-30565

CVE-2023-37463

cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12.

Source: CVE-2023-37463

CVE-2023-30561

The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.

Source: CVE-2023-30561

CVE-2023-30562

A GRE dataset file within Systems Manager can be tampered with and distributed to PCUs.

Source: CVE-2023-30562

CVE-2023-30563

A malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session.

Source: CVE-2023-30563

CVE-2023-30564

Alaris Systems Manager does not perform input validation during the Device Import Function.

Source: CVE-2023-30564

CVE-2022-42045

Certain Zemana products are vulnerable to Arbitrary code injection. This affects Watchdog Anti-Malware 4.1.422 and Zemana AntiMalware 3.2.28.

Source: CVE-2022-42045

CVE-2023-30560

The configuration from the PCU can be modified without authentication using physical connection to the PCU.

Source: CVE-2023-30560

CVE-2023-34458

mx-chain-go is the official implementation of the MultiversX blockchain protocol, written in golang. When executing a relayed transaction, if the inner transaction failed, it would have increased the inner transaction’s sender account nonce. This could have contributed to a limited DoS attack on a targeted account. The fix is a breaking change so a new flag `RelayedNonceFixEnableEpoch` was needed. This was a strict processing issue while validating blocks on a chain. This vulnerability has been patched in version 1.4.17.

Source: CVE-2023-34458