In this week’s digest, we’ll focus on:
- a cross-site scripting vulnerability that may result in remote code execution in Joplin;
- a buffer overflow vulnerability in zlib; and
- multiple vulnerabilities identified in the NVIDIA GPU display driver.
Joplin Remote Code Execution via XSS
A code execution vulnerability via XSS was identified in Joplin that could allow attackers to execute arbitrary commands via a crafted payload injected into the Node titles. Joplin is a free, open source, markdown-based note-taking app compatible with multiple operating systems such as Windows, Mac, and Linux.
The vulnerability stems from how the dangerouslySetInnerHTML() method is used with unescaped user input in GotoAnything.tsx. This allows an attacker to achieve remote code execution on the victim’s system simply by sharing a notebook with the crafted payload in node titles. The payload executes whenever the victim searches for the notebook.
The patch has been released in Joplin’s v2.9.1 release. Joplin version v2.8.8 and earlier versions are affected. This vulnerability, registered as CVE-2022-35131, was rated 9.0 in the CVSS scoring on NVD due to its high impact on confidentiality, integrity, and availability. A successful attack requires any authenticated user to search for the vulnerable notebook.
We recommend that you update Joplin to the latest version as soon as possible, especially if you receive shared notebooks.
Zlib Heap-based Buffer Overflow Vulnerability
A heap-based buffer overflow vulnerability has been identified in zlib, a popular general-purpose library used for data compression. The vulnerability has been registered as CVE-2022-37434 and affects all versions below 1.2.12.
Exploitation of the vulnerability is possible due to a heap-based buffer over-read or buffer overflow in inflate.c via a large gzip header extra field. According to the pull request comment that the developers created, if the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This vulnerability only affects applications that use the inflateGetHeader() method.
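The following added example (a simplified model written for this digest, not zlib's code) shows the bounds check that the multi-call case needs: the running offset into the caller's buffer must be checked on every chunk, not just the chunk size. The struct fields mirror zlib's gz_header names; hdr_model, store_extra_chunk, demo_chunked_extra and the sample data are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not zlib code. Field names mirror zlib's gz_header. */
struct hdr_model {
    unsigned char *extra;  /* caller's buffer for the extra field */
    size_t extra_max;      /* capacity of that buffer */
    size_t extra_len;      /* total length announced in the gzip header */
};

/* Store one chunk of extra-field data; *remaining is the hypothetical
   decoder state: bytes of the field not yet consumed. Returns bytes stored. */
size_t store_extra_chunk(struct hdr_model *h, size_t *remaining,
                         const unsigned char *in, size_t avail)
{
    size_t take = avail < *remaining ? avail : *remaining;
    size_t done = h->extra_len - *remaining;  /* offset consumed so far */
    size_t stored = 0;

    /* Without the `done < extra_max` test, `extra_max - done` would wrap
       around once earlier chunks have already passed the buffer's capacity. */
    if (h->extra != NULL && done < h->extra_max) {
        size_t room = h->extra_max - done;
        stored = take < room ? take : room;
        memcpy(h->extra + done, in, stored);
    }
    *remaining -= take;  /* excess bytes are consumed but discarded */
    return stored;
}

/* Constructed input: a 20-byte extra field delivered as 8 + 8 + 4 bytes
   into a 12-byte buffer followed by a 4-byte canary.
   Returns total bytes stored, or (size_t)-1 if the canary was touched. */
size_t demo_chunked_extra(void)
{
    unsigned char mem[16], field[20];
    size_t chunks[3] = {8, 8, 4}, remaining = sizeof field, total = 0, off = 0;
    struct hdr_model h = { mem, 12, sizeof field };

    memset(mem, 0xAA, sizeof mem);
    memset(field, 0x41, sizeof field);
    for (int i = 0; i < 3; i++) {
        total += store_extra_chunk(&h, &remaining, field + off, chunks[i]);
        off += chunks[i];
    }
    for (int i = 12; i < 16; i++)
        if (mem[i] != 0xAA) return (size_t)-1;
    return total;
}
```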
Multiple Vulnerabilities Discovered for NVIDIA GPU Display Drivers
NVIDIA, one of the most popular GPU manufacturers, has released a security advisory for multiple vulnerabilities discovered in its GPU display driver for both Windows and Linux platforms. These vulnerabilities can be exploited to carry out various kinds of attacks such as denial of service, information disclosure, privilege escalation, code execution, or data tampering.
One of the high-severity vulnerabilities, CVE‑2022‑31607, affects the kernel mode layer (nvidia.ko), where a local user with basic capabilities can cause improper input validation leading to multiple exploitation paths, according to NVIDIA’s security advisory. This vulnerability affects Linux, and has a CVSS score of 7.8 with a high rating on confidentiality, integrity, and availability.
CVE‑2022‑31608 describes a vulnerability in an optional D-Bus configuration file which can lead to code execution. The vulnerability could be leveraged by a local user with basic capabilities. Most of the CVEs mentioned in NVIDIA’s security advisory require local privileges on the victim’s system in order for exploitation to be successful.
You can use this guide from NVIDIA to understand which NVIDIA display driver is currently installed on your PC.