Several recently identified vulnerabilities:
- Three vulnerabilities in the free LibreCAD CAD system and the libdxfrw library that allow initiating a controlled buffer overflow and potentially causing your code to execute when opening specially designed DWG and DXF files. The problems have been fixed so far only in the form of patches (CVE-2021-21898, CVE-2021-21899, CVE-2021-21900).
- Vulnerability (CVE-2021-41817) in the Date.parse method provided in the Ruby standard library. Weaknesses in regular expressions used to parse dates in the Date.parse method can be used to perform DoS attacks that consume significant CPU resources and waste memory when processing specially crafted data.
- Vulnerability in the TensorFlow machine learning platform (CVE-2021-41228) that allows code to be executed when the saved_model_cli utility processes attacker data passed through the "-input_examples" parameter. The problem is caused by the use of external data when calling the code with the "eval" function. The issue has been fixed in the TensorFlow 2.7.0, TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4 releases.
- Vulnerability (CVE-2021-43331) in the GNU Mailman mailing list management system caused by incorrect handling of certain types of URLs. The problem allows you to organize the execution of JavaScript code by specifying a specially designed URL on the settings page. Another issue has also been identified in Mailman (CVE-2021-43332) that allows a user with moderator privileges to guess the administrator password. The issues are fixed in the Mailman 2.1.36 release.
- A series of vulnerabilities in the Vim text editor that could lead to buffer overflows and potentially malicious code execution when opening specially crafted files with the "-S" option (CVE-2021-3903, CVE-2021-3872, CVE-2021-3927, CVE -2021-3928, corrections - 1, 2, 3, 4).
Source: opennet.ru