Current node: cve
Timeline
2020-09-27 17:18:43 cassandra.cerias.purdue.edu
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

2020-09-27 17:18:42 cassandra.cerias.purdue.edu
In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.

2020-09-26 17:12:54 cassandra.cerias.purdue.edu
A Reflective XSS Vulnerability in HTTP Management Interface in Brocade Fabric OS versions before Brocade Fabric OS v9.0.0, v8.2.2c, v8.2.1e, v8.1.2k, v8.2.0_CBN3, v7.4.2g could allow authenticated attackers with access to the web interface to hijack a user’s session and take over the account.

2020-09-26 17:12:54 cassandra.cerias.purdue.edu
A vulnerability in the management interface in Brocade Fabric OS Versions before Brocade Fabric OS v9.0.0 could allow a remote attacker to perform a denial of service attack on the vulnerable host.

2020-09-26 17:12:53 cassandra.cerias.purdue.edu
Host Header Injection vulnerability in the HTTP management interface in Brocade Fabric OS versions before v9.0.0 could allow a remote attacker to exploit this vulnerability by injecting arbitrary HTTP headers.

2020-09-26 17:12:53 cassandra.cerias.purdue.edu
Brocade SANnav versions before v2.1.0 contain a Plaintext Password Storage vulnerability.

2020-09-26 17:12:52 cassandra.cerias.purdue.edu
A vulnerability in Brocade SANnav versions before v2.1.0 could allow a remote authenticated attacker to conduct an LDAP injection. The vulnerability could allow a remote attacker to bypass the authentication process.

2020-09-26 17:12:52 cassandra.cerias.purdue.edu
U.S. Air Force Sensor Data Management System extract75 has a buffer overflow that leads to code execution. An overflow in a global variable (sBuffer) leads to a Write-What-Where outcome. Writing beyond sBuffer will clobber most global variables until reaching a pointer such as DES_info or image_info. By controlling that pointer, one achieves an arbitrary write when its fields are assigned. The data written is from a potentially untrusted NITF file in the form of an integer. The attacker can gain control of the instruction pointer.

2020-09-26 17:12:51 cassandra.cerias.purdue.edu
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.

2020-09-26 17:12:51 cassandra.cerias.purdue.edu
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `tf.raw_ops.Switch` operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor. However, the eager runtime traverses all tensors in the output. Since only one of the tensors is defined, the other one is `nullptr`, hence we are binding a reference to `nullptr`. This is undefined behavior and reported as an error if compiling with `-fsanitize=null`. In this case, this results in a segmentation fault. The issue is patched in commit da8558533d925694483d2c136a9220d6d49d843c, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

2020-09-26 17:12:50 cassandra.cerias.purdue.edu
In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes an invalid argument to `dlpack.to_dlpack` the expected validations will cause variables to bind to `nullptr` while setting a `status` variable to the error condition. However, this `status` argument is not properly checked. Hence, code following these methods will bind references to null pointers. This is undefined behavior and reported as an error if compiling with `-fsanitize=null`. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.

2020-09-26 17:12:50 cassandra.cerias.purdue.edu
In Tensorflow before versions 2.2.1 and 2.3.1, if a user passes a list of strings to `dlpack.to_dlpack` there is a memory leak following an expected validation failure. The issue occurs because the `status` argument during validation failures is not properly checked. Since each of the above methods can return an error status, the `status` value must be checked before continuing. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.

2020-09-26 17:12:49 cassandra.cerias.purdue.edu
In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast`. Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1.

2020-09-26 17:12:49 cassandra.cerias.purdue.edu
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `SparseFillEmptyRowsGrad` implementation has incomplete validation of the shapes of its arguments. Although `reverse_index_map_t` and `grad_values_t` are accessed in a similar pattern, only `reverse_index_map_t` is validated to be of proper shape. Hence, malicious users can pass a bad `grad_values_t` to trigger an assertion failure in `vec`, causing denial of service in serving installations. The issue is patched in commit 390611e0d45c5793c7066110af37c8514e6a6c54, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

2020-09-26 17:12:49 cassandra.cerias.purdue.edu
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the implementation of `SparseFillEmptyRowsGrad` uses a double indexing pattern. It is possible for `reverse_index_map(i)` to be an index outside of bounds of `grad_values`, thus resulting in a heap buffer overflow. The issue is patched in commit 390611e0d45c5793c7066110af37c8514e6a6c54, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

2020-09-26 17:12:48 cassandra.cerias.purdue.edu
In Tensorflow version 2.3.0, the `SparseCountSparseOutput` and `RaggedCountSparseOutput` implementations don't validate that the `weights` tensor has the same shape as the data. The check exists for `DenseCountSparseOutput`, where both tensors are fully specified. In the sparse and ragged count weights are still accessed in parallel with the data. But, since there is no validation, a user passing fewer weights than the values for the tensors can generate a read from outside the bounds of the heap buffer allocated for the weights. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.

2020-09-26 17:12:48 cassandra.cerias.purdue.edu
In Tensorflow before version 2.3.1, the `SparseCountSparseOutput` implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the `indices` tensor has rank 2. This tensor must be a matrix because code assumes its elements are accessed as elements of a matrix. However, malicious users can pass in tensors of different rank, resulting in a `CHECK` assertion failure and a crash. This can be used to cause denial of service in serving installations, if users are allowed to control the components of the input sparse tensor. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.

2020-09-26 17:12:47 cassandra.cerias.purdue.edu
In Tensorflow before version 2.3.1, the `SparseCountSparseOutput` implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the `indices` tensor has the same shape as the `values` one. The values in these tensors are always accessed in parallel. Thus, a shape mismatch can result in accesses outside the bounds of heap allocated buffers. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.

2020-09-26 17:12:46 cassandra.cerias.purdue.edu
In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the `splits` tensor has the minimum required number of elements. Code uses this quantity to initialize a different data structure. Since `BatchedMap` is equivalent to a vector, it needs to have at least one element to not be `nullptr`. If user passes a `splits` tensor that is empty or has exactly one element, we get a `SIGABRT` signal raised by the operating system. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.

2020-09-26 17:12:46 cassandra.cerias.purdue.edu
In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the `splits` tensor generate a valid partitioning of the `values` tensor. Thus, the code sets up conditions to cause a heap buffer overflow. A `BatchedMap` is equivalent to a vector where each element is a hashmap. However, if the first element of `splits_values` is not 0, `batch_idx` will never be 1, hence there will be no hashmap at index 0 in `per_batch_counts`. Trying to access that in the user code results in a segmentation fault. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.

2020-09-26 17:12:45 cassandra.cerias.purdue.edu
In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the `splits` tensor generate a valid partitioning of the `values` tensor. Hence, the code is prone to heap buffer overflow. If `split_values` does not end with a value at least `num_values` then the `while` loop condition will trigger a read outside of the bounds of `split_values` once `batch_idx` grows too large. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.

2020-09-26 17:12:45 cassandra.cerias.purdue.edu
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard` API in TensorFlow expects the last argument to be a function taking two `int64` (i.e., `long long`) arguments. However, there are several places in TensorFlow where a lambda taking `int` or `int32` arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, read/write outside of heap allocated arrays, stack overflows, or data corruption. The issue is patched in commits 27b417360cbd671ef55915e4bb6bb06af8b8a832 and ca8c013b5e97b1373b3bb1c97ea655e69f31a575, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

2020-09-26 17:12:44 cassandra.cerias.purdue.edu
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the `fill` argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a `printf` call is constructed. This may result in segmentation fault. The issue is patched in commit 33be22c65d86256e6826666662e40dbdfe70ee83, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

2020-09-26 17:12:44 cassandra.cerias.purdue.edu
In eager mode, TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 does not set the session state. Hence, calling `tf.raw_ops.GetSessionHandle` or `tf.raw_ops.GetSessionHandleV2` results in a null pointer dereference. In linked snippet, in eager mode, `ctx->session_state()` returns `nullptr`. Since code immediately dereferences this, we get a segmentation fault. The issue is patched in commit 9a133d73ae4b4664d22bd1aa6d654fec13c52ee1, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

2020-09-26 17:12:43 cassandra.cerias.purdue.edu
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `data_splits` argument of `tf.raw_ops.StringNGrams` lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory. In the linked code snippet, all the binary strings after `ee ff` are contents from the memory stack. Since these can contain return addresses, this data leak can be used to defeat ASLR. The issue is patched in commit 0462de5b544ed4731aa2fb23946ac22c01856b80, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

2020-09-26 17:12:43 cassandra.cerias.purdue.edu
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, changing the TensorFlow's `SavedModel` protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products using `tensorflow-serving` or other inference-as-a-service installments. Fixes were added in commits f760f88b4267d981e13f4b302c437ae800445968 and fcfef195637c6e365577829c4d67681695956e7d (both going into TensorFlow 2.2.0 and 2.3.0 but not yet backported to earlier versions). However, this was not enough, as #41097 reports a different failure mode. The issue is patched in commit adf095206f25471e864a8e63a0f1caef53a0e3a6, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

2020-09-26 17:12:42 cassandra.cerias.purdue.edu
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption. The issue is patched in commit 2d88f470dea2671b430884260f3626b1fe99830a, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

2020-09-26 17:12:41 cassandra.cerias.purdue.edu
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside of bounds since the interpreter will wrongly assume that there is enough data in both tensors. The issue is patched in commit 8ee24e7949a203d234489f9da2c5bf45a7d5157d, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

2020-09-26 17:12:41 cassandra.cerias.purdue.edu
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized with `nullptr`. However, by changing the buffer index for a tensor and implicitly converting that tensor to be a read-write one, as there is nothing in the model that writes to it, we get a null pointer dereference. The issue is patched in commit 0b5662bc, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

2020-09-26 17:12:40 cassandra.cerias.purdue.edu
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and will release patch releases for all versions between 1.15 and 2.3. We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

2020-09-26 17:12:40 cassandra.cerias.purdue.edu
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexing when trying to get the data of each tensor. However, some operators can have some tensors be optional. To handle this scenario, the flatbuffer model uses a negative `-1` value as index for these tensors. This results in special casing during validation at model loading time. Unfortunately, this means that the `-1` index is a valid tensor index for any operator, including those that don't expect optional inputs and including for output tensors. Thus, this allows writing and reading from outside the bounds of heap allocated arrays, although only at a specific offset from the start of these arrays. This results in both read and write gadgets, albeit very limited in scope. The issue is patched in several commits (46d5b0852, 00302787b7, e11f5558, cd31fd0ce, 1970c21, and fff2c83), and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. A potential workaround would be to add a custom `Verifier` to the model loading code to ensure that only operators which accept optional inputs use the `-1` special value and only for the tensors that they expect to be optional. Since this allow-list type approach is error-prone, we advise upgrading to the patched code.

2020-09-26 17:12:40 cassandra.cerias.purdue.edu
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `output_data` buffer. This might result in a segmentation fault but it can also be used to further corrupt the memory and can be chained with other vulnerabilities to create more advanced exploits. The issue is patched in commit 204945b19e44b57906c9344c0d00120eeeae178a and is released in TensorFlow versions 2.2.1, or 2.3.1. A potential workaround would be to add a custom `Verifier` to the model loading code to ensure that the segment ids are all positive, although this only handles the case when the segment ids are stored statically in the model. A similar validation could be done if the segment ids are generated at runtime between inference steps. If the segment ids are generated as outputs of a tensor during inference steps, then there is no possible workaround and users are advised to upgrade to patched code.

2020-09-26 17:12:39 cassandra.cerias.purdue.edu
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a denial of service by causing an out of memory allocation in the implementation of segment sum. Since code uses the last element of the tensor holding them to determine the dimensionality of output tensor, attackers can use a very large value to trigger a large allocation. The issue is patched in commit 204945b19e44b57906c9344c0d00120eeeae178a and is released in TensorFlow versions 2.2.1, or 2.3.1. A potential workaround would be to add a custom `Verifier` to limit the maximum value in the segment ids tensor. This only handles the case when the segment ids are stored statically in the model, but a similar validation could be done if the segment ids are generated at runtime, between inference steps. However, if the segment ids are generated as outputs of a tensor during inference steps, then there is no possible workaround and users are advised to upgrade to patched code.

2020-09-26 17:12:39 cassandra.cerias.purdue.edu
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a write out of bounds / segmentation fault if the segment ids are not sorted. Code assumes that the segment ids are in increasing order, using the last element of the tensor holding them to determine the dimensionality of output tensor. This results in allocating insufficient memory for the output tensor and in a write outside the bounds of the output array. This usually results in a segmentation fault, but depending on runtime conditions it can provide for a write gadget to be used in future memory corruption-based exploits. The issue is patched in commit 204945b19e44b57906c9344c0d00120eeeae178a and is released in TensorFlow versions 2.2.1, or 2.3.1. A potential workaround would be to add a custom `Verifier` to the model loading code to ensure that the segment ids are sorted, although this only handles the case when the segment ids are stored statically in the model. A similar validation could be done if the segment ids are generated at runtime between inference steps. If the segment ids are generated as outputs of a tensor during inference steps, then there is no possible workaround and users are advised to upgrade to patched code.

2020-09-26 17:12:38 cassandra.cerias.purdue.edu
Supportlink CLI in Brocade Fabric OS Versions v8.2.1 through v8.2.1d, and 8.2.2 versions before v8.2.2c does not obfuscate the password field, which could expose users’ credentials of the remote server. An authenticated user could obtain the exposed password credentials to gain access to the remote host.

2020-09-26 17:12:38 cassandra.cerias.purdue.edu
Brocade Fabric OS versions before Brocade Fabric OS v7.4.2g could allow an authenticated, remote attacker to view a user password in cleartext. The vulnerability is due to incorrectly logging the user password in log files.

2020-09-26 17:12:37 cassandra.cerias.purdue.edu
Brocade Fabric OS versions before Brocade Fabric OS v9.0.0, v8.2.2c, v8.2.1e, v8.1.2k, v8.2.0_CBN3 contain a code injection and privilege escalation vulnerability.

2020-09-26 17:12:37 cassandra.cerias.purdue.edu
A vulnerability in the command-line interface in Brocade Fabric OS before Brocade Fabric OS v8.2.2a1, 8.2.2c, v7.4.2g, v8.2.0_CBN3, v8.2.1e, v8.1.2k, v9.0.0, could allow a local authenticated attacker to modify shell variables, which may lead to an escalation of privileges or bypassing the logging.

2020-09-26 17:12:36cassandra.cerias.purdue.edu
Multiple buffer overflow vulnerabilities in REST API in Brocade Fabric OS versions v8.2.1 through v8.2.1d, and 8.2.2 versions before v8.2.2c could allow remote unauthenticated attackers to perform various attacks.

2020-09-26 17:12:36cassandra.cerias.purdue.edu
REST API in Brocade Fabric OS v8.2.1 through v8.2.1d, and 8.2.2 versions before v8.2.2c is vulnerable to multiple instances of reflected input.

2020-09-26 17:12:35cassandra.cerias.purdue.edu
The affected product is vulnerable to cross-site scripting (XSS), which may allow an attacker to trick application users into performing critical application actions that include, but are not limited to, adding and updating accounts.

2020-09-26 17:12:35cassandra.cerias.purdue.edu
SQL injection exists in the jdownloads 3.2.63 component for Joomla! via com_jdownloads/helpers/jdownloadshelper.php, getUserLimits function in the list parameter.

2020-09-26 17:12:34cassandra.cerias.purdue.edu
SQL injection exists in the jdownloads 3.2.63 component for Joomla! via com_jdownloads/helpers/jdownloadshelper.php, updateLog function via the X-forwarded-for Header parameter.

2020-09-26 17:12:34cassandra.cerias.purdue.edu
SQL injection exists in the jdownloads 3.2.63 component for Joomla! via components/com_jdownloads/helpers/categories.php, order function via the filter_order parameter.

2020-09-26 17:12:33cassandra.cerias.purdue.edu
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. Sending an improper variable type of Array allows a bypass of core SQL Injection sanitization. Authenticated users are able to inject malicious SQL queries. This vulnerability leads to full database leak including ckeys that can be used in the authentication process without knowing the username and cleartext password. This can occur via the ajax/actions.php group_id field.

2020-09-26 17:12:33cassandra.cerias.purdue.edu
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via the role_name or role_descr parameter to the roles/ URI.

2020-09-26 17:12:32cassandra.cerias.purdue.edu
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. Sending the improper variable type Array allows a bypass of core SQL Injection sanitization. Users are able to inject malicious statements in multiple functions. This vulnerability leads to full authentication bypass: any unauthorized user with access to the application is able to exploit this vulnerability. This can occur via the Cookie header to the default URI, within includes/authenticate.inc.php.

2020-09-26 17:12:32cassandra.cerias.purdue.edu
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion due to the fact that there is an unrestricted possibility of loading any file with an inc.php extension. Inclusion of other files (even though limited to the mentioned extension) can lead to Remote Code Execution. This can occur via /ports/?format=../ URIs to pages/ports.inc.php.

2020-09-26 17:12:31cassandra.cerias.purdue.edu
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion due to the fact that there is an unrestricted possibility of loading any file with an inc.php extension. Inclusion of other files (even though limited to the mentioned extension) can lead to Remote Code Execution. This can occur via /settings/?format=../ URIs to pages/settings.inc.php.

2020-09-26 17:12:31cassandra.cerias.purdue.edu
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via the graph_title parameter to the graphs/ URI.

2020-09-26 17:12:30cassandra.cerias.purdue.edu
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion due to the fact that there is an unrestricted possibility of loading any file with an inc.php extension. Inclusion of other files (even though limited to the mentioned extension) can lead to Remote Code Execution. This can occur via /device/device=345/?tab=routing&proto=../ URIs to device/routing.inc.php.

2020-09-26 17:12:30cassandra.cerias.purdue.edu
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via the alert_name or alert_message parameter to the /alert_check URI.

2020-09-26 17:12:30cassandra.cerias.purdue.edu
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via /alert_check/action=delete_alert_checker/alert_test_id= because of pages/alert_check.inc.php.

2020-09-26 17:12:29cassandra.cerias.purdue.edu
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via la_id to the /syslog_rules URI for delete_syslog_rule, because of syslog_rules.inc.php.

2020-09-26 17:12:29cassandra.cerias.purdue.edu
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur in pages/contacts.inc.php.

2020-09-26 17:12:28cassandra.cerias.purdue.edu
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via a /device/device=140/tab=wifi/view= URI.
