Red Hat Enterprise Linux 8 update for GNOME



Published: 2020-11-04 | Updated: 2023-11-02
Risk: High
Patch available: Yes
Number of vulnerabilities: 53
CVE-ID: CVE-2019-8625
CVE-2019-8710
CVE-2019-8720
CVE-2019-8743
CVE-2019-8764
CVE-2019-8766
CVE-2019-8769
CVE-2019-8771
CVE-2019-8782
CVE-2019-8783
CVE-2019-8808
CVE-2019-8811
CVE-2019-8812
CVE-2019-8813
CVE-2019-8814
CVE-2019-8815
CVE-2019-8816
CVE-2019-8819
CVE-2019-8820
CVE-2019-8823
CVE-2019-8835
CVE-2019-8844
CVE-2019-8846
CVE-2020-10018
CVE-2020-11793
CVE-2020-14391
CVE-2020-15503
CVE-2020-3862
CVE-2020-3864
CVE-2020-3865
CVE-2020-3867
CVE-2020-3868
CVE-2020-3885
CVE-2020-3894
CVE-2020-3895
CVE-2020-3897
CVE-2020-3899
CVE-2020-3900
CVE-2020-3901
CVE-2020-3902
CVE-2020-9802
CVE-2020-9803
CVE-2020-9805
CVE-2020-9806
CVE-2020-9807
CVE-2020-9843
CVE-2020-9850
CVE-2020-9862
CVE-2020-9893
CVE-2020-9894
CVE-2020-9895
CVE-2020-9915
CVE-2020-9925
CWE-ID: CWE-79
CWE-119
CWE-200
CWE-416
CWE-312
CWE-346
CWE-840
CWE-362
CWE-843
CWE-20
CWE-77
CWE-125
CWE-264
Exploitation vector: Network
Public exploit: Vulnerability #3 is being exploited in the wild.
Public exploit code for vulnerability #34 is available.
Public exploit code for vulnerability #41 is available.
Public exploit code for vulnerability #47 is available.
Vulnerable software:
Red Hat CodeReady Linux Builder for IBM z Systems
Operating systems & Components / Operating system

Red Hat CodeReady Linux Builder for ARM 64
Operating systems & Components / Operating system

Red Hat CodeReady Linux Builder for Power, little endian
Operating systems & Components / Operating system

Red Hat CodeReady Linux Builder for x86_64
Operating systems & Components / Operating system

Red Hat Enterprise Linux for ARM 64
Operating systems & Components / Operating system

Red Hat Enterprise Linux for Power, little endian
Operating systems & Components / Operating system

Red Hat Enterprise Linux for IBM z Systems
Operating systems & Components / Operating system

Red Hat Enterprise Linux for x86_64
Operating systems & Components / Operating system

gtk-doc (Red Hat package)
Operating systems & Components / Operating system package or component

xdg-desktop-portal-gtk (Red Hat package)
Operating systems & Components / Operating system package or component

xdg-desktop-portal (Red Hat package)
Operating systems & Components / Operating system package or component

webrtc-audio-processing (Red Hat package)
Operating systems & Components / Operating system package or component

webkit2gtk3 (Red Hat package)
Operating systems & Components / Operating system package or component

vte291 (Red Hat package)
Operating systems & Components / Operating system package or component

tracker (Red Hat package)
Operating systems & Components / Operating system package or component

pygobject3 (Red Hat package)
Operating systems & Components / Operating system package or component

potrace (Red Hat package)
Operating systems & Components / Operating system package or component

pipewire0.2 (Red Hat package)
Operating systems & Components / Operating system package or component

pipewire (Red Hat package)
Operating systems & Components / Operating system package or component

nautilus (Red Hat package)
Operating systems & Components / Operating system package or component

mutter (Red Hat package)
Operating systems & Components / Operating system package or component

libsoup (Red Hat package)
Operating systems & Components / Operating system package or component

gvfs (Red Hat package)
Operating systems & Components / Operating system package or component

gtk3 (Red Hat package)
Operating systems & Components / Operating system package or component

gsettings-desktop-schemas (Red Hat package)
Operating systems & Components / Operating system package or component

gnome-terminal (Red Hat package)
Operating systems & Components / Operating system package or component

gnome-shell-extensions (Red Hat package)
Operating systems & Components / Operating system package or component

gnome-shell (Red Hat package)
Operating systems & Components / Operating system package or component

gnome-settings-daemon (Red Hat package)
Operating systems & Components / Operating system package or component

gnome-session (Red Hat package)
Operating systems & Components / Operating system package or component

gnome-remote-desktop (Red Hat package)
Operating systems & Components / Operating system package or component

gnome-photos (Red Hat package)
Operating systems & Components / Operating system package or component

gdm (Red Hat package)
Operating systems & Components / Operating system package or component

frei0r-plugins (Red Hat package)
Operating systems & Components / Operating system package or component

dleyna-renderer (Red Hat package)
Operating systems & Components / Operating system package or component

PackageKit (Red Hat package)
Operating systems & Components / Operating system package or component

LibRaw (Red Hat package)
Operating systems & Components / Operating system package or component

gnome-control-center (Red Hat package)
Operating systems & Components / Operating system package or component

Vendor: Red Hat Inc.

Security Bulletin

This security bulletin contains information about 53 vulnerabilities.

1) Cross-site scripting

EUVDB-ID: #VU23171

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8625

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the WebKitGTK engine (webkit2gtk3 package). A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install the updated packages from the vendor's website (RHSA-2020:4451).

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8
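To check whether a host is still below the fixed versions listed above, the following script (an added example, not part of the advisory or of Red Hat's tooling) reimplements rpm's version ordering in Python and compares rpm -qa output with the advisory's "before" versions. The rpm -qa lines in it are constructed sample data, the FIXED table covers only a handful of the packages above, and the fixed versions are taken as having epoch 0 because the advisory lists none.

```python
"""Check installed RHEL 8 packages against the fixed versions in RHSA-2020:4451.

Added example, not part of the advisory or of Red Hat's tooling. It
reimplements rpm's version ordering (rpmvercmp, as in RHEL 8's rpm 4.14,
which predates the '^' separator) in pure Python so it runs without the rpm
bindings. The rpm -qa output below is constructed sample data; the FIXED
table copies the advisory's "before" versions (no epochs are listed there).
"""
import re
from typing import Dict, Tuple

FIXED: Dict[str, str] = {          # name -> fixed VERSION-RELEASE from the advisory
    "webkit2gtk3": "2.28.4-1.el8",
    "libsoup": "2.62.3-2.el8",
    "gnome-shell": "3.32.2-20.el8",
    "gdm": "3.28.3-34.el8",
    "LibRaw": "0.19.5-2.el8",
}

# Constructed sample of:  rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
# (rpm prints "(none)" when a package has no epoch).
SAMPLE_RPM_QA = """\
webkit2gtk3 (none):2.28.2-2.el8
libsoup (none):2.62.3-2.el8
gnome-shell (none):3.32.2-20.el8
gdm (none):3.28.3-29.el8
LibRaw (none):0.19.5-2.el8
bash (none):4.4.19-12.el8
"""


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpmvercmp(): compare alphanumeric segments in
    turn, numeric segments numerically (leading zeros ignored), a numeric
    segment beats an alphabetic one, '~' sorts below everything else."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1                                  # skip separators
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:                      # "1.0~rc1" < "1.0"
            if a_tilde != b_tilde:
                return -1 if a_tilde else 1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        is_num = a[i].isdigit()
        pattern = r"[0-9]+" if is_num else r"[a-zA-Z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        m_b = re.match(pattern, b[j:])
        if m_b is None:                             # types differ: numeric wins
            return 1 if is_num else -1
        seg_b = m_b.group(0)
        i, j = i + len(seg_a), j + len(seg_b)
        if is_num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1                 # leftover segments win


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split '[EPOCH:]VERSION-RELEASE' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    version, release = evr.rsplit("-", 1)
    return epoch, version, release


def evrcmp(x: str, y: str) -> int:
    """Order two EVR strings: epoch first, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def find_vulnerable(rpm_qa: str, fixed: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {name: (installed EVR, fixed EVR)} for each listed package whose
    installed EVR sorts below the advisory's fixed EVR."""
    found = {}
    for line in rpm_qa.splitlines():
        name, _, evr = line.partition(" ")
        if name in fixed and evrcmp(evr, fixed[name]) < 0:
            found[name] = (evr, fixed[name])
    return found


if __name__ == "__main__":
    for name, (have, need) in sorted(find_vulnerable(SAMPLE_RPM_QA, FIXED).items()):
        print(f"{name}: installed {have} is older than fixed {need}")
```

On a real host, feed it the output of `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` and extend FIXED with the full package list above; epochs matter, because a package with epoch 1 sorts above any epoch-0 version regardless of the version string. The vendor's own tooling does the same comparison and the remediation in one step: `dnf updateinfo info RHSA-2020:4451` shows whether the erratum applies, and `dnf update --advisory=RHSA-2020:4451` installs exactly the packages it covers.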

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU23152

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8710

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK engine (webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a crafted page, trigger memory corruption and execute arbitrary code with the privileges of the process rendering the content.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from the vendor's website (RHSA-2020:4451).

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Buffer overflow

EUVDB-ID: #VU23175

Risk: High

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2019-8720

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK engine (webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a crafted page, trigger memory corruption and execute arbitrary code with the privileges of the process rendering the content.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from the vendor's website (RHSA-2020:4451).

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

4) Buffer overflow

EUVDB-ID: #VU23153

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8743

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK engine (webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a crafted page, trigger memory corruption and execute arbitrary code with the privileges of the process rendering the content.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from the vendor's website (RHSA-2020:4451).

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Cross-site scripting

EUVDB-ID: #VU23154

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8764

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the WebKitGTK engine (webkit2gtk3 package). A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install the updated packages from the vendor's website (RHSA-2020:4451).

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Buffer overflow

EUVDB-ID: #VU23156

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8766

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK engine (webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a crafted page, trigger memory corruption and execute arbitrary code with the privileges of the process rendering the content.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from the vendor's website (RHSA-2020:4451).

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Information disclosure

EUVDB-ID: #VU23182

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8769

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a logic error in the drawing of web page elements in the WebKitGTK engine (webkit2gtk3 package). A remote attacker can reveal the victim's browsing history when the victim visits a maliciously crafted website.

Mitigation

Install the updated packages from the vendor's website (RHSA-2020:4451).

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Cross-site scripting

EUVDB-ID: #VU23183

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8771

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to improper enforcement of the iframe sandboxing policy in the WebKitGTK engine (webkit2gtk3 package). Maliciously crafted web content can violate the restrictions of a sandboxed iframe; a remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install the updated packages from the vendor's website (RHSA-2020:4451).

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Buffer overflow

EUVDB-ID: #VU23157

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8782

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK engine (webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a crafted page, trigger memory corruption and execute arbitrary code with the privileges of the process rendering the content.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from the vendor's website (RHSA-2020:4451).

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8
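The fixed versions above are rpm version-release strings, so a "before X" check across a fleet has to use rpm's ordering rules rather than string or decimal comparison (2.28.10 is newer than 2.28.4, and 1.0~rc1 is older than 1.0). The script below is an added example, not part of this advisory or of Red Hat's tooling: it ports rpm's rpmvercmp() routine to Python and runs it over constructed rpm -q output against the package table of this section. Because every entry in this advisory lists the same fixed versions, one check covers all of them. The package table is a subset of the list above, and the sample query output is constructed for illustration.

```python
"""Compare installed RHEL 8 package versions against the fixed versions
listed in this advisory using rpm's own version-ordering rules."""
import re
from typing import List, Tuple

# Fixed version-release strings from the advisory's "Vulnerable software
# versions" list (subset); "before X" means anything rpm orders lower than X.
FIXED_VERSIONS = {
    "webkit2gtk3": "2.28.4-1.el8",
    "libsoup": "2.62.3-2.el8",
    "gtk3": "3.22.30-6.el8",
    "gnome-shell": "3.32.2-20.el8",
    "mutter": "3.32.2-48.el8",
    "pipewire": "0.3.6-1.el8",
    "LibRaw": "0.19.5-2.el8",
}


def rpmvercmp(a: str, b: str) -> int:
    """Python port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Strings are walked segment by segment: digit runs compare numerically,
    letter runs compare as strings, a digit segment beats a letter segment,
    '~' sorts before anything (even end of string) and '^' sorts after end
    of string but before any other segment.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything that is not alphanumeric, '~' or '^') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        numeric = ca.isdigit()
        pattern = r"\d+" if numeric else r"[A-Za-z]+"
        ma, mb = re.match(pattern, a[i:]), re.match(pattern, b[j:])
        if mb is None:
            # segment types differ: a numeric segment is newer than a letter one
            return 1 if numeric else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # the longer digit string is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # the side with segments left over is newer


def evrcmp(a: str, b: str) -> int:
    """Compare two [epoch:]version[-release] strings the way rpm orders packages."""
    def split(evr: str) -> Tuple[str, str, str]:
        epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
        version, release = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return epoch, version, release

    for x, y in zip(split(a), split(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def vulnerable_packages(rpm_query_output: str) -> List[Tuple[str, str, str]]:
    """Parse lines of 'NAME EPOCH:VERSION-RELEASE' (the format produced by
    rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\\n') and return
    (name, installed, fixed) for every package older than its fixed version."""
    findings = []
    for line in rpm_query_output.splitlines():
        if not line.strip():
            continue
        name, evr = line.split()
        evr = evr.replace("(none):", "0:")  # rpm prints (none) for an unset epoch
        fixed = FIXED_VERSIONS.get(name)
        if fixed is not None and evrcmp(evr, fixed) < 0:
            findings.append((name, evr, fixed))
    return findings


# Constructed rpm output for illustration; not captured from a real host.
SAMPLE_RPM_QUERY = """\
webkit2gtk3 (none):2.28.2-2.el8
libsoup (none):2.62.3-2.el8
gtk3 (none):3.22.30-5.el8
pipewire (none):0.3.6-1.el8
gnome-shell (none):3.32.2-20.el8
"""

if __name__ == "__main__":
    for name, installed, fixed in vulnerable_packages(SAMPLE_RPM_QUERY):
        print(f"{name}: installed {installed} is older than fixed {fixed}")
```

On a RHEL 8 host the expected input is produced by `rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' webkit2gtk3 libsoup gtk3 ...`; the `(none)` epoch rpm prints for packages without one is treated as 0, as rpm itself does. The port keeps rpm's tilde and caret rules so pre-release and post-release tags order correctly. Applying the erratum itself is `dnf update --advisory=RHSA-2020:4451`.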

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Buffer overflow

EUVDB-ID: #VU23158

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8783

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK browser engine (shipped in RHEL 8 as the webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a specially crafted web page in an application that renders content with WebKitGTK (such as GNOME Web or the HTML mail view in Evolution), trigger memory corruption and execute arbitrary code with the privileges of the rendering process.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from Red Hat advisory RHSA-2020:4451 (see External links); for this issue the fix is in webkit2gtk3 2.28.4-1.el8 or later.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Buffer overflow

EUVDB-ID: #VU23159

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8808

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK browser engine (shipped in RHEL 8 as the webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a specially crafted web page in an application that renders content with WebKitGTK (such as GNOME Web or the HTML mail view in Evolution), trigger memory corruption and execute arbitrary code with the privileges of the rendering process.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from Red Hat advisory RHSA-2020:4451 (see External links); for this issue the fix is in webkit2gtk3 2.28.4-1.el8 or later.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Buffer overflow

EUVDB-ID: #VU23160

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8811

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK browser engine (shipped in RHEL 8 as the webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a specially crafted web page in an application that renders content with WebKitGTK (such as GNOME Web or the HTML mail view in Evolution), trigger memory corruption and execute arbitrary code with the privileges of the rendering process.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from Red Hat advisory RHSA-2020:4451 (see External links); for this issue the fix is in webkit2gtk3 2.28.4-1.el8 or later.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Buffer overflow

EUVDB-ID: #VU23161

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8812

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK browser engine (shipped in RHEL 8 as the webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a specially crafted web page in an application that renders content with WebKitGTK (such as GNOME Web or the HTML mail view in Evolution), trigger memory corruption and execute arbitrary code with the privileges of the rendering process.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from Red Hat advisory RHSA-2020:4451 (see External links); for this issue the fix is in webkit2gtk3 2.28.4-1.el8 or later.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Cross-site scripting

EUVDB-ID: #VU23162

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8813

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to a logic issue in the WebKitGTK browser engine (shipped in RHEL 8 as the webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a specially crafted web page and execute arbitrary HTML and script code in the victim's browser in the context of other websites (universal cross-site scripting), bypassing the same-origin policy. Unlike a classic XSS flaw, the targeted website is not at fault and cannot fix the issue on its side; the browser engine must be updated.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information (such as page content or session data of other origins), change the appearance of web pages, and perform phishing and drive-by-download attacks.

Mitigation

Install the updated packages from Red Hat advisory RHSA-2020:4451 (see External links); for this issue the fix is in webkit2gtk3 2.28.4-1.el8 or later.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Buffer overflow

EUVDB-ID: #VU23163

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8814

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK browser engine (shipped in RHEL 8 as the webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a specially crafted web page in an application that renders content with WebKitGTK (such as GNOME Web or the HTML mail view in Evolution), trigger memory corruption and execute arbitrary code with the privileges of the rendering process.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from Red Hat advisory RHSA-2020:4451 (see External links); for this issue the fix is in webkit2gtk3 2.28.4-1.el8 or later.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Buffer overflow

EUVDB-ID: #VU23164

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8815

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK browser engine (shipped in RHEL 8 as the webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a specially crafted web page in an application that renders content with WebKitGTK (such as GNOME Web or the HTML mail view in Evolution), trigger memory corruption and execute arbitrary code with the privileges of the rendering process.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from Red Hat advisory RHSA-2020:4451 (see External links); for this issue the fix is in webkit2gtk3 2.28.4-1.el8 or later.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Buffer overflow

EUVDB-ID: #VU23165

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8816

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK browser engine (shipped in RHEL 8 as the webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a specially crafted web page in an application that renders content with WebKitGTK (such as GNOME Web or the HTML mail view in Evolution), trigger memory corruption and execute arbitrary code with the privileges of the rendering process.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from Red Hat advisory RHSA-2020:4451 (see External links); for this issue the fix is in webkit2gtk3 2.28.4-1.el8 or later.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Buffer overflow

EUVDB-ID: #VU23166

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8819

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK browser engine (shipped in RHEL 8 as the webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a specially crafted web page in an application that renders content with WebKitGTK (such as GNOME Web or the HTML mail view in Evolution), trigger memory corruption and execute arbitrary code with the privileges of the rendering process.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from Red Hat advisory RHSA-2020:4451 (see External links); for this issue the fix is in webkit2gtk3 2.28.4-1.el8 or later.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Buffer overflow

EUVDB-ID: #VU23167

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8820

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the WebKitGTK browser engine (shipped in RHEL 8 as the webkit2gtk3 package) when processing maliciously crafted web content. A remote attacker can trick the victim into opening a specially crafted web page in an application that renders content with WebKitGTK (such as GNOME Web or the HTML mail view in Evolution), trigger memory corruption and execute arbitrary code with the privileges of the rendering process.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updated packages from Red Hat advisory RHSA-2020:4451 (see External links); for this issue the fix is in webkit2gtk3 2.28.4-1.el8 or later.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Buffer overflow

EUVDB-ID: #VU23170

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8823

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Buffer overflow

EUVDB-ID: #VU48062

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8835

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Buffer overflow

EUVDB-ID: #VU48063

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8844

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in tvOS 13.3, watchOS 6.1.1, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Use-after-free

EUVDB-ID: #VU23613

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8846

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error in the SVG Marker Element feature of Apple Safari's WebKit. A remote attacker can use a specially crafted HTML web page which, when opened by a victim, triggers memory corruption and allows the attacker to execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Use-after-free

EUVDB-ID: #VU26076

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10018

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error when processing web content. A remote attacker can trick a victim into visiting a specially crafted web page, trigger the use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Use-after-free

EUVDB-ID: #VU30304

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11793

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A use-after-free issue exists in WebKitGTK before 2.28.1 and WPE WebKit before 2.28.1 via crafted web content that allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash).

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Cleartext storage of sensitive information

EUVDB-ID: #VU49120

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14391

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists in the GNOME Control Center in the way it handles credentials passed from Red Hat Customer Portal. When a user registers a system through the GNOME Settings User Interface, the user's credentials are passed as an argument to gnome-settings-daemon helper, making it readable by an unprivileged local user.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Buffer overflow

EUVDB-ID: #VU31920

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-15503

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in "decoders/unpack_thumb.cpp", "postprocessing/mem_image.cpp" and "utils/thumb_utils.cpp". A remote attacker can trigger memory corruption and cause a denial of service condition on the target system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Buffer overflow

EUVDB-ID: #VU25375

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3862

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error. A remote attacker can create a specially crafted web page, trick the victim into visiting it and perform a denial of service (DoS) attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Origin validation error

EUVDB-ID: #VU25379

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3864

CWE-ID: CWE-346 - Origin Validation Error

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a logical error that leads to a DOM object not having a unique security origin. A remote attacker can interact with DOM objects from another domain.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Origin validation error

EUVDB-ID: #VU25380

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3865

CWE-ID: CWE-346 - Origin Validation Error

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a logical error that leads to a top-level DOM object context being incorrectly considered secure. A remote attacker can gain unauthorized access to DOM objects from another domain.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Universal cross-site scripting

EUVDB-ID: #VU25381

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3867

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Buffer overflow

EUVDB-ID: #VU25382

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3868

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Business Logic Errors

EUVDB-ID: #VU26432

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3885

CWE-ID: CWE-840 - Business Logic Errors (3.0)

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to logical errors. A remote attacker can trick a victim into opening a specially crafted file or visiting a malicious page and cause a file URL to be incorrectly processed.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Race condition

EUVDB-ID: #VU26428

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-3894

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to a race condition. A remote attacker can trick a victim into opening a specially crafted file or visiting a malicious page, exploit the race and gain unauthorized access to sensitive information on the target system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

35) Buffer overflow

EUVDB-ID: #VU26426

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3895

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trick a victim into opening a specially crafted file or visiting a malicious page, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Type Confusion

EUVDB-ID: #VU26422

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3897

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error within the object transition cache. A remote attacker can trick a victim into visiting a malicious page or opening a specially crafted file, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Buffer overflow

EUVDB-ID: #VU26430

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3899

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick a victim into opening a specially crafted file or visiting a malicious page, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Buffer overflow

EUVDB-ID: #VU26427

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3900

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing maliciously crafted web content. A remote attacker can trick a victim into opening a specially crafted file or visiting a malicious page, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Type Confusion

EUVDB-ID: #VU26424

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3901

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing maliciously crafted web content. A remote attacker can trick a victim into opening a specially crafted file or visiting a malicious page, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Cross-site scripting

EUVDB-ID: #VU26431

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3902

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Input validation error

EUVDB-ID: #VU32958

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-9802

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code on the target system.


Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

42) Memory corruption

EUVDB-ID: #VU32959

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9803

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.


Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Universal cross-site scripting

EUVDB-ID: #VU32960

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9805

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Memory corruption

EUVDB-ID: #VU32961

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9806

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.


Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Memory corruption

EUVDB-ID: #VU32962

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9807

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.


Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Cross-site scripting

EUVDB-ID: #VU32963

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9843

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

47) Input validation error

EUVDB-ID: #VU32964

Risk: High

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2020-9850

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code on the target system.


Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

48) Command injection

EUVDB-ID: #VU32965

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9862

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in Web Inspector when copying a URL. A remote attacker can trick the victim into copying a specially crafted URL and execute arbitrary commands on the system with the privileges of the current user.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Use-after-free

EUVDB-ID: #VU32966

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9893

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

50) Out-of-bounds read

EUVDB-ID: #VU32967

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9894

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

51) Use-after-free

EUVDB-ID: #VU32968

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9895

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error when processing web content. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

52) Security restrictions bypass

EUVDB-ID: #VU32969

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9915

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because the application does not properly enforce Content Security Policy. A remote attacker can create a specially crafted web page, trick the victim into visiting it and bypass the implemented security restrictions. The vulnerability may allow an attacker to perform cross-site scripting attacks or gain access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

53) Universal cross-site scripting

EUVDB-ID: #VU32970

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9925

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of an arbitrary website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat CodeReady Linux Builder for IBM z Systems: 8.0

Red Hat CodeReady Linux Builder for ARM 64: 8.0

Red Hat CodeReady Linux Builder for Power, little endian: 8.0

Red Hat CodeReady Linux Builder for x86_64: 8.0

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0

gtk-doc (Red Hat package): before 1.28-2.el8

xdg-desktop-portal-gtk (Red Hat package): before 1.6.0-1.el8

xdg-desktop-portal (Red Hat package): before 1.6.0-2.el8

webrtc-audio-processing (Red Hat package): before 0.3-9.el8

webkit2gtk3 (Red Hat package): before 2.28.4-1.el8

vte291 (Red Hat package): before 0.52.4-2.el8

tracker (Red Hat package): before 2.1.5-2.el8

pygobject3 (Red Hat package): before 3.28.3-2.el8

potrace (Red Hat package): before 1.15-3.el8

pipewire0.2 (Red Hat package): before 0.2.7-6.el8

pipewire (Red Hat package): before 0.3.6-1.el8

nautilus (Red Hat package): before 3.28.1-14.el8

mutter (Red Hat package): before 3.32.2-48.el8

libsoup (Red Hat package): before 2.62.3-2.el8

gvfs (Red Hat package): before 1.36.2-10.el8

gtk3 (Red Hat package): before 3.22.30-6.el8

gsettings-desktop-schemas (Red Hat package): before 3.32.0-5.el8

gnome-terminal (Red Hat package): before 3.28.3-2.el8

gnome-shell-extensions (Red Hat package): before 3.32.1-11.el8

gnome-shell (Red Hat package): before 3.32.2-20.el8

gnome-settings-daemon (Red Hat package): before 3.32.0-11.el8

gnome-session (Red Hat package): before 3.28.1-10.el8

gnome-remote-desktop (Red Hat package): before 0.1.8-3.el8

gnome-photos (Red Hat package): before 3.28.1-3.el8

gdm (Red Hat package): before 3.28.3-34.el8

frei0r-plugins (Red Hat package): before 1.6.1-7.el8

dleyna-renderer (Red Hat package): before 0.6.0-3.el8

PackageKit (Red Hat package): before 1.1.12-6.el8

LibRaw (Red Hat package): before 0.19.5-2.el8

gnome-control-center (Red Hat package): before 3.28.2-22.el8

External links

http://access.redhat.com/errata/RHSA-2020:4451


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
