VARIoT IoT vulnerabilities database

A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi. Antilles An uncontrolled search path element vulnerability exists in open source software.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

A buffer overflow was discovered on Realtek RTL8195AM devices before 2.0.10. It exists in the client code when processing a malformed IE length of HT capability information in the Beacon and Association response frame. Realtek RTL8195AM A classic buffer overflow vulnerability exists on the device.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Realtek RTL8195AM is an IoT microcontroller from Taiwan Realtek Semiconductor (Realtek). The Realtek RTL8195AM version before 2.0.10 has a buffer error vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the uuid request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-14110. Zero Day Initiative To this vulnerability ZDI-CAN-14110 Was numbering.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. NETGEAR R6400v2 is a router from Netgear. A hardware device that connects two or more networks and acts as a gateway between the networks

On version 2.x before 2.0.3 and 1.x before 1.12.3, the command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Out-of-bounds write in the firmware for Intel(R) Ethernet 700 Series Controllers before version 8.2 may allow a privileged user to potentially enable an escalation of privilege via local access. Intel(R) Ethernet 700 Series Controller Is vulnerable to an out-of-bounds write.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state

Beeline Smart box 2.0.38 is vulnerable to Cross Site Request Forgery (CSRF) via mgt_end_user.htm. (DoS) It may be in a state

Out-of-bounds write in firmware for some Intel(R) NUCs may allow an authenticated user to potentially enable denial of service via local access. plural Intel(R) NUC The product contains a vulnerability related to out-of-bounds writes.Service operation interruption (DoS) It may be in a state

Beeline Smart Box 2.0.38 is vulnerable to Cross Site Scripting (XSS) via the choose_mac parameter to setup.cgi

A unauthenticated denial of service vulnerability exists in Citrix ADC <13.0-83.27, <12.1-63.22 and 11.1-65.23 when configured as a VPN (Gateway) or AAA virtual server could allow an attacker to cause a temporary disruption of the Management GUI, Nitro API, and RPC communication. Citrix ADC Exists in a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state

An uncontrolled resource consumption vulnerability exists in Citrix ADC <13.0-83.27, <12.1-63.22 and 11.1-65.23 that could allow an attacker with access to NSIP or SNIP with management interface access to cause a temporary disruption of the Management GUI, Nitro API, and RPC communication. Citrix ADC Exists in a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state

Cross site request forgery (CSRF) in Genexis Platinum 4410 V2-1.28, allows attackers to cause a denial of service by continuously restarting the router. Genexis Platinum 4410 Contains a cross-site request forgery vulnerability.Service operation interruption (DoS) It may be in a state

Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text password storage vulnerability. A high privileged user could potentially exploit this vulnerability, leading to a complete outage. Dell EMC Avamar There are vulnerabilities in inadequate protection of credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202210-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Rust: Multiple Vulnerabilities Date: October 16, 2022 Bugs: #870166, #831638, #821157, #807052, #782367 ID: 202210-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service. Background ========= A systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/rust < 1.63.0-r1 >= 1.63.0-r1 2 dev-lang/rust-bin < 1.64.0 >= 1.64.0 Description ========== Multiple vulnerabilities have been discovered in Rust. Please review the CVE identifiers referenced below for details. Impact ===== Please review the referenced CVE identifiers for details. Workaround ========= There is no known workaround at this time. Resolution ========= All Rust users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">\xdev-lang/rust-1.63.0-r1" All Rust binary users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">\xdev-lang/rust-bin-1.64.0" In addition, users using Portage 3.0.38 or later should ensure that packages with Rust binaries have no vulnerable code statically linked into their binaries by rebuilding the @rust-rebuild set: # emerge --ask --oneshot --verbose @rust-rebuild References ========= [ 1 ] CVE-2021-28875 https://nvd.nist.gov/vuln/detail/CVE-2021-28875 [ 2 ] CVE-2021-28876 https://nvd.nist.gov/vuln/detail/CVE-2021-28876 [ 3 ] CVE-2021-28877 https://nvd.nist.gov/vuln/detail/CVE-2021-28877 [ 4 ] CVE-2021-28878 https://nvd.nist.gov/vuln/detail/CVE-2021-28878 [ 5 ] CVE-2021-28879 https://nvd.nist.gov/vuln/detail/CVE-2021-28879 [ 6 ] CVE-2021-29922 https://nvd.nist.gov/vuln/detail/CVE-2021-29922 [ 7 ] CVE-2021-31162 https://nvd.nist.gov/vuln/detail/CVE-2021-31162 [ 8 ] CVE-2021-36317 https://nvd.nist.gov/vuln/detail/CVE-2021-36317 [ 9 ] CVE-2021-36318 https://nvd.nist.gov/vuln/detail/CVE-2021-36318 [ 10 ] CVE-2021-42574 https://nvd.nist.gov/vuln/detail/CVE-2021-42574 [ 11 ] CVE-2021-42694 https://nvd.nist.gov/vuln/detail/CVE-2021-42694 [ 12 ] CVE-2022-21658 https://nvd.nist.gov/vuln/detail/CVE-2022-21658 [ 13 ] CVE-2022-36113 https://nvd.nist.gov/vuln/detail/CVE-2022-36113 [ 14 ] CVE-2022-36114 https://nvd.nist.gov/vuln/detail/CVE-2022-36114 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202210-09 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. Dell EMC Avamar Server There are vulnerabilities in inadequate protection of credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202210-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Rust: Multiple Vulnerabilities Date: October 16, 2022 Bugs: #870166, #831638, #821157, #807052, #782367 ID: 202210-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service. Background ========= A systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/rust < 1.63.0-r1 >= 1.63.0-r1 2 dev-lang/rust-bin < 1.64.0 >= 1.64.0 Description ========== Multiple vulnerabilities have been discovered in Rust. Please review the CVE identifiers referenced below for details. Impact ===== Please review the referenced CVE identifiers for details. Workaround ========= There is no known workaround at this time. Resolution ========= All Rust users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">\xdev-lang/rust-1.63.0-r1" All Rust binary users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">\xdev-lang/rust-bin-1.64.0" In addition, users using Portage 3.0.38 or later should ensure that packages with Rust binaries have no vulnerable code statically linked into their binaries by rebuilding the @rust-rebuild set: # emerge --ask --oneshot --verbose @rust-rebuild References ========= [ 1 ] CVE-2021-28875 https://nvd.nist.gov/vuln/detail/CVE-2021-28875 [ 2 ] CVE-2021-28876 https://nvd.nist.gov/vuln/detail/CVE-2021-28876 [ 3 ] CVE-2021-28877 https://nvd.nist.gov/vuln/detail/CVE-2021-28877 [ 4 ] CVE-2021-28878 https://nvd.nist.gov/vuln/detail/CVE-2021-28878 [ 5 ] CVE-2021-28879 https://nvd.nist.gov/vuln/detail/CVE-2021-28879 [ 6 ] CVE-2021-29922 https://nvd.nist.gov/vuln/detail/CVE-2021-29922 [ 7 ] CVE-2021-31162 https://nvd.nist.gov/vuln/detail/CVE-2021-31162 [ 8 ] CVE-2021-36317 https://nvd.nist.gov/vuln/detail/CVE-2021-36317 [ 9 ] CVE-2021-36318 https://nvd.nist.gov/vuln/detail/CVE-2021-36318 [ 10 ] CVE-2021-42574 https://nvd.nist.gov/vuln/detail/CVE-2021-42574 [ 11 ] CVE-2021-42694 https://nvd.nist.gov/vuln/detail/CVE-2021-42694 [ 12 ] CVE-2022-21658 https://nvd.nist.gov/vuln/detail/CVE-2022-21658 [ 13 ] CVE-2022-36113 https://nvd.nist.gov/vuln/detail/CVE-2022-36113 [ 14 ] CVE-2022-36114 https://nvd.nist.gov/vuln/detail/CVE-2022-36114 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202210-09 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 contain an improper privilege management vulnerability in AUI. A malicious user with high privileges could potentially exploit this vulnerability, leading to the disclosure of the AUI info and performing some unauthorized operation on the AUI. (DoS) It may be in a state

Improper access control in the installer Intel(R)Administrative Tools for Intel(R) Network Adaptersfor Windowsbefore version 1.4.0.21 may allow an unauthenticated user to potentially enable escalation of privilege via local access. Windows for Intel(R) Administrative Tools for Intel(R) Network Adapters Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Intel Ethernet Controllers is an Ethernet controller of Intel Corporation of the United States

Improper input validation in the Intel(R) Administrative Tools for Intel(R) Network Adapters driver for Windows before version 1.4.0.15, may allow a privileged user to potentially enable escalation of privilege via local access. (DoS) It may be in a state. Intel Ethernet Adapters 800 is an Ethernet adapter produced by Intel Corporation of the United States

Improper access control in the software installer for the Intel(R) Serial IO driver for Intel(R) NUC 11 Gen before version 30.100.2104.1 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel(R) Serial IO driver for Intel(R) NUC 11 Gen Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Incorrect default permissions in the software installer for the Intel(R) VTune(TM) Profiler before version 2021.3.0 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel(R) VTune(TM) Profiler There is a vulnerability in improper default permissions.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Intel VTune Profiler is a performance testing tool used by Intel Corporation to optimize software. The software can perform performance tests on embedded applications of the Internet of Things, media software, Java applications, and high-performance computing applications. Intel VTune Profiler has a security vulnerability that allows local users to upgrade privileges on the system

Incorrect default permissions in the installer for the Intel(R) oneAPI Rendering Toolkit before version 2021.2 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel(R) oneAPI Rendering Toolkit There is a vulnerability in improper default permissions.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Uncontrolled resource consumption in the Intel(R) Distribution of OpenVINOâ„¢ Toolkit before version 2021.4 may allow an unauthenticated user to potentially enable denial of service via local access. Intel(R) Distribution of OpenVINO Toolkit Exists in a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state. Intel Distribution of OpenVINO(TM) Toolkit is an application and solution developed by Intel Corporation of the United States that uses deep learning intelligence. Based on convolutional neural networks (CNNs), the toolkit scales workloads across Intel® hardware, including accelerators, and maximizes performance