Dangerous vulnerabilities in QEMU, Node.js, Grafana and Android

Several vulnerabilities have recently been identified:

  • A vulnerability (CVE-2020-13765) in QEMU that can potentially lead to code execution with the privileges of the QEMU process on the host side when a specially crafted kernel image is loaded in the guest. The problem is caused by a buffer overflow in the ROM copy code during system boot and occurs when the contents of a 32-bit kernel image are loaded into memory. The fix is currently available only as a patch.
  • Four vulnerabilities in Node.js. The vulnerabilities are fixed in releases 14.4.0, 10.21.0 and 12.18.0.
    • CVE-2020-8172 - allows host certificate verification to be bypassed when a TLS session is reused.
    • CVE-2020-8174 - potentially allows code execution on the system due to a buffer overflow in the napi_get_value_string_*() functions, which occurs on certain calls to N-API (the C API for writing native add-ons).
    • CVE-2020-10531 - an integer overflow in ICU (International Components for Unicode) for C/C++ that can lead to a buffer overflow when the UnicodeString::doAppend() function is used.
    • CVE-2020-11080 - allows a denial of service (100% CPU load) through the transmission of large "SETTINGS" frames over an HTTP/2 connection.
  • A vulnerability in the Grafana interactive metrics visualization platform, which is used to build visual graphs from various data sources. An error in the code that handles avatars allows an HTTP request to be sent from Grafana to any URL without authentication, with the result of that request visible to the sender. This can be used, for example, to study the internal network of companies that use Grafana. The problem is fixed in Grafana releases 6.7.4 and 7.0.2. As a security workaround, it is recommended to restrict access to the URL "/avatar/*" on the server running Grafana.

  • The June set of security fixes for Android has been published, fixing 34 vulnerabilities. Four issues are rated critical: two vulnerabilities (CVE-2019-14073, CVE-2019-14080) in proprietary Qualcomm components and two vulnerabilities in the system that allow code execution when specially crafted external data is processed (CVE-2020-0117 - an integer overflow in the Bluetooth stack, CVE-2020-8597 - an EAP overflow in pppd).

source: budenet.ru
