close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE. — CVE-2022-48624

Zusammenfassung

Sicherheitshinweis CVE-2022-48624. close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE. Hersteller: Microsoft. Quelle: MSRC. Risiko: high. CVSS 7.8. Details in der offiziellen Quelle.

Was tun?

Allgemeine, vorsichtige Schritte (bitte prüfe die offizielle Quelle für Details):

• Priorisiere sofort Patches oder Mitigations (hohes akutes Risiko).
• Identifiziere betroffene Produktversionen und prüfe, ob du betroffen bist.
• Spiele Hersteller-Updates/Patches ein oder setze empfohlene Mitigations um.
• Lies das offizielle Advisory für betroffene Versionen und konkrete Schritte.

Offizielles Advisory

Zur offiziellen Quelle

Mehr dazu

• .NET Denial of Service Vulnerability CVE-2024-21386
• .NET Denial of Service Vulnerability CVE-2024-21404
• <vuln:Note Title="Mariner" Type="Tag" Ordinal="20">Mariner CVE-2023-46838
• <vuln:Note Title="Mariner" Type="Tag" Ordinal="20">Mariner CVE-2021-38593
• <vuln:Note Title="Mariner" Type="Tag" Ordinal="20">Mariner CVE-2023-6200
• A buffer overflow in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the pan/addr_resolv.c, and ws_manuf_lookup_str(), size components. NOTE: this is disputed by the vendor because neither release 4.2.0 nor any other release was affected. CVE-2024-24476
• A Buffer Overflow in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the wsutil/to_str.c, and format_fractional_part_nsecs components. NOTE: this is disputed by the vendor because neither release 4.2.0 nor any other release was affected. CVE-2024-24479
• A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion bypassing standard safeguards like timeouts and body size limits. CVE-2024-22019
• An issue in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the packet-bgp.c, dissect_bgp_open(tvbuff_t*tvb, proto_tree*tree, packet_info*pinfo), optlen components. NOTE: this is disputed by the vendor because neither release 4.2.0 nor any other release was affected. CVE-2024-24478
• Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file CVE-2024-25710
• Apache Xerces C++: Use-after-free on external DTD scan CVE-2024-23807
• Azure Connected Machine Agent Elevation of Privilege Vulnerability CVE-2024-21329