Dangerous vulnerabilities in QEMU, Node.js, Grafana and Android

Several recently identified vulnerabilities:

  • A vulnerability (CVE-2020-13765) in QEMU that could potentially lead to code execution with the privileges of the QEMU process on the host side when a specially crafted kernel image is loaded in the guest. The problem is caused by a buffer overflow in the ROM copy code during system boot and manifests itself when the contents of a 32-bit kernel image are loaded into memory. The fix is currently available only as a patch.
  • Four vulnerabilities in Node.js. The vulnerabilities are fixed in releases 14.4.0, 10.21.0 and 12.18.0.
    • CVE-2020-8172 - allows host certificate verification to be bypassed when a TLS session is reused.
    • CVE-2020-8174 - potentially allows code execution on the system due to a buffer overflow in the napi_get_value_string_*() functions that occurs with certain calls to N-API (the C API for writing native add-ons).
    • CVE-2020-10531 - an integer overflow in ICU (International Components for Unicode) for C/C++ that can result in a buffer overflow when the UnicodeString::doAppend() function is used.
    • CVE-2020-11080 - allows denial of service (100% CPU load) by sending jumbo "SETTINGS" frames over an HTTP/2 connection.
  • A vulnerability in the Grafana interactive metrics visualization platform, which is used to build graphs for visual monitoring based on various data sources. An error in the code for working with avatars makes it possible, without authenticating, to have Grafana send an HTTP request to any URL and to see the result of that request. This can be used, for example, to study the internal network of companies using Grafana. The problem is fixed in Grafana releases 6.7.4 and 7.0.2. As a security workaround, it is recommended to restrict access to the "/avatar/*" URL on the Grafana server.

  • The June Android security patch has been published; it fixes 34 vulnerabilities. Four issues are rated Critical: two vulnerabilities (CVE-2019-14073, CVE-2019-14080) in proprietary Qualcomm components and two vulnerabilities in the system that allow code execution when processing specially formatted external data (CVE-2020-0117, an integer overflow in the Bluetooth stack, and CVE-2020-8597, an EAP overflow in pppd).
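
One way to apply the Grafana workaround mentioned above until an upgrade to 6.7.4 or 7.0.2 is possible, shown as an added example that is not part of the original article or of Grafana's documentation. It assumes Grafana sits behind an nginx reverse proxy; the host name, certificate paths and the 127.0.0.1:3000 backend address are assumptions.

```nginx
# Added example. Assumptions (hypothetical deployment):
#   - Grafana listens only on 127.0.0.1:3000
#     (grafana.ini: [server] http_addr = 127.0.0.1), so clients cannot
#     bypass this proxy and reach /avatar/ on the backend directly.
#   - grafana.example.internal and the certificate paths are placeholders.
#   - Grafana is served from the site root; if it is served under a
#     sub-path, the location prefix below must include that sub-path.
server {
    listen 443 ssl;
    server_name grafana.example.internal;

    ssl_certificate     /etc/nginx/tls/grafana.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/grafana.key;   # placeholder path

    # Workaround: refuse every request under /avatar/ before it reaches
    # Grafana. nginx matches against the normalized URI (percent-decoding,
    # "." and ".." resolved, duplicate slashes merged), and "^~" stops a
    # regex location elsewhere in the config from taking precedence.
    location ^~ /avatar/ {
        return 403;
    }

    # Everything else is proxied to Grafana unchanged.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this block in place, avatar images served from that path stop loading; the location can be removed once Grafana is running a fixed release.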

Source: opennet.ru
