CVE-2025-2151

Title (es)
CVE-2025-2151

Mon, 10/03/2025 – 13:15

Type
CWE-119

Severity v2.0
7.50

Severity 2.0 text
HIGH

Title (en)
CVE-2025-2151

Description (en)
A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function Assimp::GetNextLine in the library ParsingUtils.h of the component File Handler. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

10/03/2025

10/03/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Vector CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity 4.0
5.30

Severity 4.0 text
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
6.30

Severity 3.1 text (CVSS 3.1 Base Score)
MEDIUM

References


  • https://github.com/assimp/assimp/issues/6016

  • https://github.com/assimp/assimp/issues/6026

  • https://github.com/sae-as-me/Crashes/raw/refs/heads/main/assimp/assimp_crash_1

  • https://vuldb.com/?ctiid_299062=

  • https://vuldb.com/?id_299062=

  • https://vuldb.com/?submit_510582=


CVE-2025-2149

Title (es)
CVE-2025-2149

Mon, 10/03/2025 – 13:15

Type
CWE-665

Severity v2.0
1.00

Severity 2.0 text
LOW

Title (en)
CVE-2025-2149

Description (en)
A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnq_Sigmoid of the component Quantized Sigmoid Module. The manipulation of the argument scale/zero_point leads to improper initialization. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

10/03/2025

10/03/2025

Vector CVSS:4.0
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Vector CVSS:2.0
AV:L/AC:H/Au:S/C:N/I:P/A:N

Severity 4.0
2.00

Severity 4.0 text
LOW

Severity 3.1 (CVSS 3.1 Base Score)
2.50

Severity 3.1 text (CVSS 3.1 Base Score)
LOW

References


  • https://github.com/pytorch/pytorch/issues/147818

  • https://github.com/pytorch/pytorch/issues/147818#issue-2877301660

  • https://vuldb.com/?ctiid_299060=

  • https://vuldb.com/?id_299060=

  • https://vuldb.com/?submit_506563=


CVE-2025-25615

Title (es)
CVE-2025-25615

Mon, 10/03/2025 – 14:15

Severity 2.0 text
Pending analysis

Title (en)
CVE-2025-25615

Description (en)
Unifiedtransform 2.0 is vulnerable to Incorrect Access Control, which allows viewing the attendance list for all class sections.

10/03/2025

10/03/2025

Severity 3.1 text (CVSS 3.1 Base Score)
Pending analysis

References


  • https://github.com/armaansidana2003/CVE-2025-25615

  • https://github.com/changeweb/Unifiedtransform

CVE-2025-1497

Title (es)
CVE-2025-1497

Mon, 10/03/2025 – 14:15

Type
CWE-77

Severity 2.0 text
Pending analysis

Title (en)
CVE-2025-1497

Description (en)
A vulnerability that could result in Remote Code Execution (RCE) has been found in PlotAI. Lack of validation of LLM-generated output allows an attacker to execute arbitrary Python code.
The vendor commented out the vulnerable line; further usage of the software requires uncommenting it and thus accepting the risk. The vendor does not plan to release a patch to fix this vulnerability.

10/03/2025

10/03/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
9.30

Severity 4.0 text
CRITICAL

Severity 3.1 text (CVSS 3.1 Base Score)
Pending analysis

References


  • https://cert.pl/en/posts/2025/03/CVE-2025-1497

  • https://cert.pl/posts/2025/03/CVE-2025-1497

  • https://github.com/mljar/plotai

  • https://github.com/mljar/plotai/commit/bdcfb13484f0b85703a4c1ddfd71cb21840e7fde

CVE-2024-57492

Title (es)
CVE-2024-57492

Mon, 10/03/2025 – 14:15

Severity 2.0 text
Pending analysis

Title (en)
CVE-2024-57492

Description (en)
An issue in redoxOS relibc before commit 98aa4ea5 allows a local attacker to cause a denial of service via the round_up_to_page function.

10/03/2025

10/03/2025

Severity 3.1 text (CVSS 3.1 Base Score)
Pending analysis

References


  • https://github.com/Marsman1996/pocs/blob/master/redox/CVE-2024-57492/README.md

  • https://gitlab.redox-os.org/redox-os/relibc/-/issues/200

  • https://gitlab.redox-os.org/redox-os/relibc/-/merge_requests/569

CVE-2025-26865

Title (es)
CVE-2025-26865

Mon, 10/03/2025 – 14:15

Type
CWE-1336

Severity 2.0 text
Pending analysis

Title (en)
CVE-2025-26865

Description (en)
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: from 18.12.17 before 18.12.18.

It's a regression between 18.12.17 and 18.12.18.
In case you use something like that, which is not recommended!
For security, only official releases should be used.

In other words, if you use 18.12.17 you are still safe.
The version 18.12.17 is not affected.
But something between 18.12.17 and 18.12.18 is.

In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.

10/03/2025

10/03/2025

Severity 3.1 text (CVSS 3.1 Base Score)
Pending analysis

References


  • https://issues.apache.org/jira/browse/OFBIZ-12594

  • https://lists.apache.org/thread/prb48ztk01bflyyjbl6p56wlcc1n5sz7

  • https://ofbiz.apache.org/download.html

  • https://ofbiz.apache.org/security.html

  • http://www.openwall.com/lists/oss-security/2025/03/07/1

CVE-2025-25616

Title (es)
CVE-2025-25616

Mon, 10/03/2025 – 14:15

Severity 2.0 text
Pending analysis

Title (en)
CVE-2025-25616

Description (en)
Unifiedtransform 2.0 is vulnerable to Incorrect Access Control, which allows students to modify rules for exams. The affected endpoint is /exams/edit-rule?exam_rule_id=1.

10/03/2025

10/03/2025

Severity 3.1 text (CVSS 3.1 Base Score)
Pending analysis

References


  • https://github.com/armaansidana2003/CVE-2025-25616

  • https://github.com/changeweb/Unifiedtransform

CVE-2025-2153

Title (es)
CVE-2025-2153

Mon, 10/03/2025 – 14:15

Type
CWE-119

Severity v2.0
5.10

Severity 2.0 text
MEDIUM

Title (en)
CVE-2025-2153

Description (en)
A vulnerability, which was classified as critical, was found in HDF5 1.14.6. Affected is the function H5SM_delete of the file H5SM.c of the component h5 File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used.

10/03/2025

10/03/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Vector CVSS:2.0
AV:N/AC:H/Au:N/C:P/I:P/A:P

Severity 4.0
2.30

Severity 4.0 text
LOW

Severity 3.1 (CVSS 3.1 Base Score)
5.00

Severity 3.1 text (CVSS 3.1 Base Score)
MEDIUM

References


  • https://github.com/HDFGroup/hdf5/issues/5329

  • https://github.com/sae-as-me/Crashes/raw/refs/heads/main/hdf5/h5_extended_crash.h5

  • https://vuldb.com/?ctiid_299064=

  • https://vuldb.com/?id_299064=

  • https://vuldb.com/?submit_510819=

CVE-2025-2152

Title (es)
CVE-2025-2152

Mon, 10/03/2025 – 14:15

Type
CWE-119

Severity v2.0
7.50

Severity 2.0 text
HIGH

Title (en)
CVE-2025-2152

Description (en)
A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. This issue affects the function Assimp::BaseImporter::ConvertToUTF8 of the file BaseImporter.cpp of the component File Handler. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

10/03/2025

10/03/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Vector CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity 4.0
5.30

Severity 4.0 text
MEDIUM

Severity 3.1 (CVSS 3.1 Base Score)
6.30

Severity 3.1 text (CVSS 3.1 Base Score)
MEDIUM

References


  • https://github.com/assimp/assimp/issues/6027

  • https://github.com/assimp/assimp/issues/6027#issue-2877629241

  • https://vuldb.com/?ctiid_299063=

  • https://vuldb.com/?id_299063=

  • https://vuldb.com/?submit_510818=

CVE-2025-1944

Title (es)
CVE-2025-1944

Mon, 10/03/2025 – 12:15

Type
CWE-345

Severity 2.0 text
Pending analysis

Title (en)
CVE-2025-1944

Description (en)
picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.

10/03/2025

10/03/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity 4.0
5.30

Severity 4.0 text
MEDIUM

Severity 3.1 text (CVSS 3.1 Base Score)
Pending analysis

References


  • https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781

  • https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82

  • https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944