Untrusted search path vulnerability in IBM InfoSphere BigInsights 3.0, 3.0.0.1, 3.0.0.2, and 4.0, when a DB2 database is used, allows local users to gain privileges via a Trojan horse library that is loaded by a setuid or setgid program.
Monthly Archives: December 2015
CVE-2015-5987 (n600_db_wi-fi_dual-band_n+_router_f9k1102_firmware)
Belkin F9K1102 2 devices with firmware 2.10.17 use an improper algorithm for selecting the ID value in the header of a DNS query, which makes it easier for remote attackers to spoof responses by predicting this value.
CVE-2015-5988 (n600_db_wi-fi_dual-band_n+_router_f9k1102_firmware)
The web management interface on Belkin F9K1102 2 devices with firmware 2.10.17 has a blank password, which allows remote attackers to obtain administrative privileges by leveraging a LAN session.
CVE-2015-5989 (n600_db_wi-fi_dual-band_n+_router_f9k1102_firmware)
Belkin F9K1102 2 devices with firmware 2.10.17 rely on client-side JavaScript code for authorization, which allows remote attackers to obtain administrative privileges via certain changes to LockStatus and Login_Success values.
CVE-2015-5990 (n600_db_wi-fi_dual-band_n+_router_f9k1102_firmware)
Cross-site request forgery (CSRF) vulnerability on Belkin F9K1102 2 devices with firmware 2.10.17 allows remote attackers to hijack the authentication of arbitrary users.
Gentoo Linux Security Advisory 201512-11
Gentoo Linux Security Advisory 201512-11 – A buffer overflow in Firebird might allow remote attackers to execute arbitrary code. Versions less than 2.5.3.26780.0-r3 are affected.
Gentoo Linux Security Advisory 201512-12
Gentoo Linux Security Advisory 201512-12 – Data validation in KDE Systemsettings could lead to local privilege escalation. Versions less than 4.11.13-r1 are affected.
Gentoo Linux Security Advisory 201512-13
Gentoo Linux Security Advisory 201512-13 – Multiple vulnerabilities have been found in InspIRCd, the worst allowing remote attackers to execute arbitrary code. Versions less than 2.0.20 are affected.
Ganeti Leaked Secret / Denial Of Service
Ganeti, an open source virtualization manager, suffers from multiple issues in its RESTful control interface (RAPI). The distributed replicated storage (DRBD) secret is leaked by the RAPI interface when job results are requested. Leveraging on the knowledge of this secret, a malicious user who had already gained access to the storage network of the cluster can retrieve instance data more easily and reliably. The RAPI interface is also vulnerable to a denial of service condition, triggered via SSL parameter renegotiation issued by a malicious client. The condition leads to resource exhaustion on the master node. Many versions are affected.
Joomla 3.4.5 Object Injection
Joomla versions 1.5.x through 3.4.5 object injection exploit that allows for code execution and more. Written in golang.