febrero 2025 - Página 128 de 144

5 Feb 2025

CVE-2025-0725

Título es

CVE-2025-0725

Mié, 05/02/2025 – 10:15

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2025-0725

Descripción en

When libcurl is asked to perform automatic gzip decompression of
content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,
**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would
make libcurl perform a buffer overflow.

05/02/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://curl.se/docs/CVE-2025-0725.html

https://curl.se/docs/CVE-2025-0725.json

https://hackerone.com/reports/2956023

http://www.openwall.com/lists/oss-security/2025/02/05/3

Enviar en el boletín

Off

5 Feb 2025

CVE-2025-0665

Título es

CVE-2025-0665

Mié, 05/02/2025 – 10:15

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2025-0665

Descripción en

libcurl would wrongly close the same eventfd file descriptor twice when taking
down a connection channel after having completed a threaded name resolve.

05/02/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://curl.se/docs/CVE-2025-0665.html

https://curl.se/docs/CVE-2025-0665.json

https://hackerone.com/reports/2954286

http://www.openwall.com/lists/oss-security/2025/02/05/2

Enviar en el boletín

Off

5 Feb 2025

CVE-2025-0167

Título es

CVE-2025-0167

Mié, 05/02/2025 – 10:15

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2025-0167

Descripción en

When asked to use a `.netrc` file for credentials **and** to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has a `default` entry that
omits both login and password. A rare circumstance.

05/02/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

Pendiente de análisis

Referencias

https://curl.se/docs/CVE-2025-0167.html

https://curl.se/docs/CVE-2025-0167.json

https://hackerone.com/reports/2917232

Enviar en el boletín

Off

5 Feb 2025

CVE-2024-6356

Título es

CVE-2024-6356

Mié, 05/02/2025 – 10:15

Tipo

CWE-286

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-6356

Descripción en

An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot.

05/02/2025

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)

4.40

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

MEDIUM

Referencias

https://gitlab.com/gitlab-org/gitlab/-/issues/469108

https://hackerone.com/reports/2575051

Enviar en el boletín

Off

5 Feb 2025

CVE-2024-1539

Título es

CVE-2024-1539

Mié, 05/02/2025 – 10:15

Tipo

CWE-862

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-1539

Descripción en

An issue has been discovered in GitLab EE affecting all versions starting from 15.2 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose updates to issues to a banned group member using the API.

05/02/2025

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)

4.30

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

MEDIUM

Referencias

https://gitlab.com/gitlab-org/gitlab/-/issues/442049

https://hackerone.com/reports/2369988

Enviar en el boletín

Off

5 Feb 2025

CVE-2023-6386

Título es

CVE-2023-6386

Mié, 05/02/2025 – 10:15

Tipo

CWE-770

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2023-6386

Descripción en

A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5 and 16.8 prior to 16.8.2 which allows an attacker to spike the GitLab instance resource usage resulting in service degradation.

05/02/2025

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

6.50

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

MEDIUM

Referencias

https://gitlab.com/gitlab-org/gitlab/-/issues/433147

https://hackerone.com/reports/2261581

Enviar en el boletín

Off

5 Feb 2025

CVE-2024-49352

Título es

CVE-2024-49352

Mié, 05/02/2025 – 11:15

Tipo

CWE-611

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-49352

Descripción en

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

05/02/2025

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Gravedad 3.1 (CVSS 3.1 Base Score)

7.10

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

HIGH

Referencias

https://www.ibm.com/support/pages/node/7181480

Enviar en el boletín

Off

5 Feb 2025

CVE-2024-9631

Título es

CVE-2024-9631

Mié, 05/02/2025 – 11:15

Tipo

CWE-407

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-9631

Descripción en

An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of MR with conflicts can be slow.

05/02/2025

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

7.50

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

HIGH

Referencias

https://gitlab.com/gitlab-org/gitlab/-/issues/480867

https://hackerone.com/reports/2650086

Enviar en el boletín

Off

5 Feb 2025

CVE-2024-5528

Título es

CVE-2024-5528

Mié, 05/02/2025 – 11:15

Tipo

CWE-1023

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-5528

Descripción en

An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows a subdomain takeover in GitLab Pages.

05/02/2025

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)

3.50

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

LOW

Referencias

https://gitlab.com/gitlab-org/gitlab/-/issues/464558

https://hackerone.com/reports/2523654

Enviar en el boletín

Off

5 Feb 2025

CVE-2024-13829

Título es

CVE-2024-13829

Mié, 05/02/2025 – 06:15

Tipo

CWE-200

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-13829

Descripción en

The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.0.8 via the 'attachments.php' file. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via forms.

05/02/2025

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)

5.30

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

MEDIUM

Referencias

https://plugins.trac.wordpress.org/browser/tripetto/trunk/lib/attachments.php

https://plugins.trac.wordpress.org/changeset/3231968/

https://www.wordfence.com/threat-intel/vulnerabilities/id/0a938042-bad6-4fe0-8905-148d07a22996?source=cve

Enviar en el boletín

Off

Archivos mensuales: febrero 2025