CVE ID | CVSS | Vendor | Exploit | Patch | Trends |
---|---|---|---|---|---|
CVE-2024-7348Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected. | CVSS 7.5 | Postgresql | - | Patched | |
CVE-2024-6787This vulnerability occurs when an attacker exploits a race condition between the time a file is checked and the time it is used (TOCTOU). By exploiting this race condition, an attacker can write arbitrary files to the system. This could allow the attacker to execute malicious code and potentially cause file losses. | CVSS 5.9 | Moxa | - | Patched | |
CVE-2024-5803The AVGUI.exe of AVG/Avast Antivirus before versions before 24.1 can allow a local attacker to escalate privileges via an COM hijack in a time-of-check to time-of-use (TOCTOU) when self protection is disabled. | CVSS 7.5 | Avg, et al | - | - | |
CVE-2024-5558CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could
cause escalation of privileges when an attacker abuses a limited admin account. | CVSS 6.4 | Schneider-electric | - | Patched | |
CVE-2024-51563The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition. | CVSS MEDIUM | Alibaba | - | - | |
CVE-2024-50592An attacker with local access the to medical office computer can
escalate his Windows user privileges to "NT AUTHORITY\SYSTEM" by
exploiting a race condition in the Elefant Update Service during the
repair or update process. When using the repair function, the service queries the server for a
list of files and their hashes. In addition, instructions to execute
binaries to finalize the repair process are included. The executables are executed as "NT AUTHORITY\SYSTEM" after they are
copied over to the user writable installation folder (C:\Elefant1). This
means that a user can overwrite either "PostESUUpdate.exe" or
"Update_OpenJava.exe" in the time frame after the copy and before the
execution of the final repair step. The overwritten executable is then executed as "NT AUTHORITY\SYSTEM". | CVSS 7 | Elefantcms | - | - | |
CVE-2024-50234In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlegacy: Clear stale interrupts before resuming device
iwl4965 fails upon resume from hibernation on my laptop. The reason
seems to be a stale interrupt which isn't being cleared out before
interrupts are enabled. We end up with a race beween the resume
trying to bring things back up, and the restart work (queued form
the interrupt handler) trying to bring things down. Eventually
the whole thing blows up.
Fix the problem by clearing out any stale interrupts before
interrupts get enabled during resume.
Here's a debug log of the indicent:
[ 12.042589] ieee80211 phy0: il_isr ISR inta 0x00000080, enabled 0xaa00008b, fh 0x00000000
[ 12.042625] ieee80211 phy0: il4965_irq_tasklet inta 0x00000080, enabled 0x00000000, fh 0x00000000
[ 12.042651] iwl4965 0000:10:00.0: RF_KILL bit toggled to enable radio.
[ 12.042653] iwl4965 0000:10:00.0: On demand firmware reload
[ 12.042690] ieee80211 phy0: il4965_irq_tasklet End inta 0x00000000, enabled 0xaa00008b, fh 0x00000000, flags 0x00000282
[ 12.052207] ieee80211 phy0: il4965_mac_start enter
[ 12.052212] ieee80211 phy0: il_prep_station Add STA to driver ID 31: ff:ff:ff:ff:ff:ff
[ 12.052244] ieee80211 phy0: il4965_set_hw_ready hardware ready
[ 12.052324] ieee80211 phy0: il_apm_init Init card's basic functions
[ 12.052348] ieee80211 phy0: il_apm_init L1 Enabled; Disabling L0S
[ 12.055727] ieee80211 phy0: il4965_load_bsm Begin load bsm
[ 12.056140] ieee80211 phy0: il4965_verify_bsm Begin verify bsm
[ 12.058642] ieee80211 phy0: il4965_verify_bsm BSM bootstrap uCode image OK
[ 12.058721] ieee80211 phy0: il4965_load_bsm BSM write complete, poll 1 iterations
[ 12.058734] ieee80211 phy0: __il4965_up iwl4965 is coming up
[ 12.058737] ieee80211 phy0: il4965_mac_start Start UP work done.
[ 12.058757] ieee80211 phy0: __il4965_down iwl4965 is going down
[ 12.058761] ieee80211 phy0: il_scan_cancel_timeout Scan cancel timeout
[ 12.058762] ieee80211 phy0: il_do_scan_abort Not performing scan to abort
[ 12.058765] ieee80211 phy0: il_clear_ucode_stations Clearing ucode stations in driver
[ 12.058767] ieee80211 phy0: il_clear_ucode_stations No active stations found to be cleared
[ 12.058819] ieee80211 phy0: _il_apm_stop Stop card, put in low power state
[ 12.058827] ieee80211 phy0: _il_apm_stop_master stop master
[ 12.058864] ieee80211 phy0: il4965_clear_free_frames 0 frames on pre-allocated heap on clear.
[ 12.058869] ieee80211 phy0: Hardware restart was requested
[ 16.132299] iwl4965 0000:10:00.0: START_ALIVE timeout after 4000ms.
[ 16.132303] ------------[ cut here ]------------
[ 16.132304] Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue.
[ 16.132338] WARNING: CPU: 0 PID: 181 at net/mac80211/util.c:1826 ieee80211_reconfig+0x8f/0x14b0 [mac80211]
[ 16.132390] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev
[ 16.132456] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Not tainted 6.11.0-cl+ #143
[ 16.132460] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010
[ 16.132463] Workqueue: async async_run_entry_fn
[ 16.132469] RIP: 0010:ieee80211_reconfig+0x8f/0x14b0 [mac80211]
[ 16.132501] Code: da 02 00 0
---truncated--- | CVSS 7 | Linux | - | Patched | |
CVE-2024-49998In the Linux kernel, the following vulnerability has been resolved:
net: dsa: improve shutdown sequence
Alexander Sverdlin presents 2 problems during shutdown with the
lan9303 driver. One is specific to lan9303 and the other just happens
to reproduce there.
The first problem is that lan9303 is unique among DSA drivers in that it
calls dev_get_drvdata() at "arbitrary runtime" (not probe, not shutdown,
not remove):
phy_state_machine()
-> ...
-> dsa_user_phy_read()
-> ds->ops->phy_read()
-> lan9303_phy_read()
-> chip->ops->phy_read()
-> lan9303_mdio_phy_read()
-> dev_get_drvdata()
But we never stop the phy_state_machine(), so it may continue to run
after dsa_switch_shutdown(). Our common pattern in all DSA drivers is
to set drvdata to NULL to suppress the remove() method that may come
afterwards. But in this case it will result in an NPD.
The second problem is that the way in which we set
dp->conduit->dsa_ptr = NULL; is concurrent with receive packet
processing. dsa_switch_rcv() checks once whether dev->dsa_ptr is NULL,
but afterwards, rather than continuing to use that non-NULL value,
dev->dsa_ptr is dereferenced again and again without NULL checks:
dsa_conduit_find_user() and many other places. In between dereferences,
there is no locking to ensure that what was valid once continues to be
valid.
Both problems have the common aspect that closing the conduit interface
solves them.
In the first case, dev_close(conduit) triggers the NETDEV_GOING_DOWN
event in dsa_user_netdevice_event() which closes user ports as well.
dsa_port_disable_rt() calls phylink_stop(), which synchronously stops
the phylink state machine, and ds->ops->phy_read() will thus no longer
call into the driver after this point.
In the second case, dev_close(conduit) should do this, as per
Documentation/networking/driver.rst:
| Quiescence
| ----------
|
| After the ndo_stop routine has been called, the hardware must
| not receive or transmit any data. All in flight packets must
| be aborted. If necessary, poll or wait for completion of
| any reset commands.
So it should be sufficient to ensure that later, when we zeroize
conduit->dsa_ptr, there will be no concurrent dsa_switch_rcv() call
on this conduit.
The addition of the netif_device_detach() function is to ensure that
ioctls, rtnetlinks and ethtool requests on the user ports no longer
propagate down to the driver - we're no longer prepared to handle them.
The race condition actually did not exist when commit 0650bf52b31f
("net: dsa: be compatible with masters which unregister on shutdown")
first introduced dsa_switch_shutdown(). It was created later, when we
stopped unregistering the user interfaces from a bad spot, and we just
replaced that sequence with a racy zeroization of conduit->dsa_ptr
(one which doesn't ensure that the interfaces aren't up). | CVSS 4.7 | Linux | - | Patched | |
CVE-2024-49768A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (default) we won't read any more requests, and when the first request fails due to a parsing error, we simply close the connection. However when request lookahead is enabled, it is possible to process and receive the first request, start sending the error message back to the client while we read the next request and queue it. This will allow the secondary request to be serviced by the worker thread while the connection should be closed. | CVSS 4.8 | Octobercms, et al | - | Patched | |
CVE-2024-49046Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | CVSS 7.8 | Microsoft | - | Patched | |
CVE-2024-48322UsersController.php in Run.codes 1.5.2 and older has a reset password race condition vulnerability. | CVSS 8.1 | - | - | ||
CVE-2024-47813Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the "References" section below for a list of Wasmtime types-related APIs that are affected. Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see "References" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly's `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state. Wasmtime's internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it's been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry's registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered. This bug was originally introduced in Wasmtime 19's development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release. | CVSS 2.9 | Bytecodealliance | - | Patched | |
CVE-2024-47494A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in the AgentD process of Juniper Networks Junos OS allows an attacker who is already causing impact to established sessions which generates counter changes picked up by the AgentD process during telemetry polling, to move the AgentD process into a state where AgentD attempts to reap an already destroyed sensor. This reaping attempt then leads to memory corruption causing the FPC to crash which is a Denial of Service (DoS).
The FPC will recover automatically without user intervention after the crash.
This issue affects Junos OS:
* All versions before 21.4R3-S9
* From 22.2 before 22.2R3-S5,
* From 22.3 before 22.3R3-S4,
* From 22.4 before 22.4R3-S3,
* From 23.2 before 23.2R2-S2,
* From 23.4 before 23.4R2.
This issue does not affect Junos OS Evolved. | CVSS 5.9 | Juniper | - | - | |
CVE-2024-45120Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could lead to a security feature bypass. An attacker could exploit this vulnerability to alter a condition between the check and the use of a resource, having a low impact on integrity. Exploitation of this issue requires user interaction. | CVSS 3.1 | Adobe | - | Patched | |
CVE-2024-43882In the Linux kernel, the following vulnerability has been resolved:
exec: Fix ToCToU between perm check and set-uid/gid usage
When opening a file for exec via do_filp_open(), permission checking is
done against the file's metadata at that moment, and on success, a file
pointer is passed back. Much later in the execve() code path, the file
metadata (specifically mode, uid, and gid) is used to determine if/how
to set the uid and gid. However, those values may have changed since the
permissions check, meaning the execution may gain unintended privileges.
For example, if a file could change permissions from executable and not
set-id:
---------x 1 root root 16048 Aug 7 13:16 target
to set-id and non-executable:
---S------ 1 root root 16048 Aug 7 13:16 target
it is possible to gain root privileges when execution should have been
disallowed.
While this race condition is rare in real-world scenarios, it has been
observed (and proven exploitable) when package managers are updating
the setuid bits of installed programs. Such files start with being
world-executable but then are adjusted to be group-exec with a set-uid
bit. For example, "chmod o-x,u+s target" makes "target" executable only
by uid "root" and gid "cdrom", while also becoming setuid-root:
-rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target
becomes:
-rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target
But racing the chmod means users without group "cdrom" membership can
get the permission to execute "target" just before the chmod, and when
the chmod finishes, the exec reaches brpm_fill_uid(), and performs the
setuid to root, violating the expressed authorization of "only cdrom
group members can setuid to root".
Re-check that we still have execute permissions in case the metadata
has changed. It would be better to keep a copy from the perm-check time,
but until we can do that refactoring, the least-bad option is to do a
full inode_permission() call (under inode lock). It is understood that
this is safe against dead-locks, but hardly optimal. | CVSS 7 | Linux | - | Patched | |
CVE-2024-43511Windows Kernel Elevation of Privilege Vulnerability | CVSS 7 | Microsoft | - | Patched | |
CVE-2024-43452Windows Registry Elevation of Privilege Vulnerability | CVSS 7.5 | Microsoft | - | Patched | |
CVE-2024-39936An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. | CVSS 5.9 | Mingw, et al | - | Patched | |
CVE-2024-39894OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur. | CVSS 7.5 | Openssh | - | Patched | |
CVE-2024-39826Path traversal in Team Chat for some Zoom Workplace Apps and SDKs for Windows may allow an authenticated user to conduct information disclosure via network access.
Users can help keep themselves secure by applying the latest updates available at https://zoom.us/download. | CVSS 6.8 | - | Patched | ||
CVE-2024-39821Race condition in the installer for Zoom Workplace App for Windows and Zoom Rooms App for Windows may allow an authenticated user to conduct a denial of service via local access.
Users can help keep themselves secure by applying the latest updates available at https://zoom.us/download. | CVSS 6.6 | Zoom | - | Patched | |
CVE-2024-39425Acrobat Reader versions 20.005.30636, 24.002.20965, 24.002.20964, 24.001.30123 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could lead to privilege escalation. Exploitation of this issue require local low-privilege access to the affected system and attack complexity is high. | CVSS 7 | Adobe | - | Patched | |
CVE-2024-39420Acrobat Reader versions 20.005.30636, 24.002.20965, 24.002.20964, 24.001.30123 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in arbitrary code execution in the context of the current user. This issue occurs when the state of a resource changes between its check-time and use-time, allowing an attacker to manipulate the resource. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | CVSS 8.8 | Adobe | - | Patched | |
CVE-2024-38407Memory corruption while processing input parameters for any IOCTL call in the JPEG Encoder driver. | CVSS 7 | Jpeg encoder project, et al | - | Patched | |
CVE-2024-38406Memory corruption while handling IOCTL calls in JPEG Encoder driver. | CVSS 7 | Jpeg encoder project, et al | - | Patched | |
CVE-2024-38186A privilege escalation vulnerability exists in the License update functionality of Microsoft CLIPSP.SYS 10.0.22621 Build 22621, 10.0.26080.1 and 10.0.26085.1. A specially crafted license blob can lead to privilege escalation. An attacker can use the NtQuerySystemInformation function call to trigger this vulnerability. | CVSS 7.8 | Microsoft | - | Patched | |
CVE-2024-38153Windows Kernel Elevation of Privilege Vulnerability | CVSS 7.8 | Microsoft | - | Patched | |
CVE-2024-36304This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.<br/>The specific flaw exists within the Apex One NT RealTime Scan service. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.<br/> Trend Micro has issued an update to correct this vulnerability. More details can be found at: <br/><a href="https://success.trendmicro.com/dcx/s/solution/000298063?language=en_US">https://success.trendmicro.com/dcx/s/solution/000298063?language=en_US</a> <br/></td> | CVSS 7.8 | Trendmicro | Exploit | - | |
CVE-2024-35265Windows Perception Service Elevation of Privilege Vulnerability | CVSS 7 | Microsoft | - | Patched | |
CVE-2024-34528WordOps through 3.20.0 has a wo/cli/plugins/stack_pref.py TOCTOU race condition because the conf_path os.open does not use a mode parameter during file creation. | CVSS 7.7 | - | Patched | ||
CVE-2024-3292A race condition vulnerability exists where an authenticated, local attacker on a Windows Nessus Agent host could modify installation parameters at installation time, which could lead to the execution of arbitrary code on the Nessus host. - CVE-2024-3292 | CVSS 8.2 | - | - | ||
CVE-2024-3290A race condition vulnerability exists where an authenticated, local attacker on a Windows Nessus host could modify installation parameters at installation time, which could lead to the execution of arbitrary code on the Nessus host | CVSS 8.2 | Tenable | - | - | |
CVE-2024-32482The Tillitis TKey signer device application is an ed25519 signing tool. A vulnerability has been found that makes it possible to disclose portions of the TKey’s data in RAM over the USB interface. To exploit the vulnerability an attacker needs to use a custom client application and to touch the TKey. No secret is disclosed. All client applications integrating tkey-device-signer should upgrade to version 1.0.0 to receive a fix. No known workarounds are available. | CVSS 2.2 | - | - | ||
CVE-2024-30471Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration.
This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe's user management.
This issue affects Apache StreamPipes: through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
| CVSS 3.7 | Apache | - | Patched | |
CVE-2024-30099Windows Kernel Elevation of Privilege Vulnerability | CVSS 7 | Microsoft | - | Patched | |
CVE-2024-30088This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.<br/>The specific flaw exists within the implementation of NtQueryInformationToken. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.<br/> Microsoft has issued an update to correct this vulnerability. More details can be found at: <br/><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30088">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30088</a> <br/></td> | CVSS 7 | Microsoft | Exploit | Patched | |
CVE-2024-30084This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.<br/>The specific flaw exists within the UnserializePropertySet function in the ks.sys driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.<br/> Microsoft has issued an update to correct this vulnerability. More details can be found at: <br/><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30084">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30084</a> <br/></td> | CVSS 7 | Microsoft | Exploit | Patched | |
CVE-2024-29149An issue was discovered in Alcatel-Lucent ALE NOE deskphones through 86x8_NOE-R300.1.40.12.4180 and SIP deskphones through 86x8_SIP-R200.1.01.10.728. Because of a time-of-check time-of-use vulnerability, an authenticated attacker is able to replace the verified firmware image with malicious firmware during the update process. | CVSS 7.4 | Alcatel-lucent | - | - | |
CVE-2024-2913A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user accounts from a single invite link intended for only one user. This bypasses the intended security mechanism that restricts invite acceptance to a single user, leading to unauthorized user creation without detection in the invite tab. The issue is due to the lack of validation for concurrent requests in the backend. | CVSS Low | Mintplexlabs | - | - | |
CVE-2024-29066Windows Distributed File System (DFS) Remote Code Execution Vulnerability | CVSS 7.2 | - | Patched | ||
CVE-2024-29062Secure Boot Security Feature Bypass Vulnerability | CVSS 7.1 | Microsoft | - | Patched | |
CVE-2024-28718An issue in OpenStack magnum yoga-eom version allows a remote attacker to execute arbitrary code via the cert_manager.py. component. | CVSS 9.8 | Openstack | - | Patched | |
CVE-2024-28183ESP-IDF is the development framework for Espressif SoCs supported on Windows, Linux and macOS. A Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in the implementation of the ESP-IDF bootloader which could allow an attacker with physical access to flash of the device to bypass anti-rollback protection. Anti-rollback prevents rollback to application with security version lower than one programmed in eFuse of chip. This attack can allow to boot past (passive) application partition having lower security version of the same device even in the presence of the flash encryption scheme. The attack requires carefully modifying the flash contents after the anti-rollback checks have been performed by the bootloader (before loading the application). The vulnerability is fixed in 4.4.7 and 5.2.1. | CVSS 6.1 | Espressif | - | - | |
CVE-2024-28137This vulnerability allows local attackers to escalate privileges on affected installations of Phoenix Contact CHARX SEC-3100 charging controllers. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.<br/>The specific flaw exists within the /etc/init.d/user-applications script. By creating a symbolic link, an attacker can abuse the script to change ownership of arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.<br/> Phoenix Contact has issued an update to correct this vulnerability. More details can be found at: <br/><a href="https://cert.vde.com/en/advisories/VDE-2024-019/">https://cert.vde.com/en/advisories/VDE-2024-019/</a> <br/></td> | CVSS 7.8 | Exploit | - | ||
CVE-2024-27361A vulnerability was discovered in Samsung Mobile Processor Exynos 980, Exynos 990, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, and Exynos 2400 that involves a time-of-check to time-of-use (TOCTOU) race condition, which can lead to a Denial of Service. | CVSS 5.1 | Samsung | - | - | |
CVE-2024-27297Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows to modify the output of the derivation, after Nix has registered the path as "valid" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. | CVSS 6.3 | - | - | ||
CVE-2024-27238Race condition in the installer for some Zoom Apps and SDKs for Windows before version 6.0.0 may allow an authenticated user to conduct a privilege escalation via local access.
Users can help keep themselves secure by applying the latest updates available at https://zoom.us/download. | CVSS 7.1 | - | Patched | ||
CVE-2024-27114A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. If the public view setting is enabled, a attacker can upload a PHP-file that will be available for execution for a few milliseconds before it is removed, leading to execution of code on the underlying system. The vulnerability has been remediated in version 1.52.02. | CVSS 9.8 | Soplanning | - | - | |
CVE-2024-26218Windows Kernel Elevation of Privilege Vulnerability | CVSS 7.8 | Exploit | Patched | ||
CVE-2024-24995This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche. Authentication is required to exploit this vulnerability.<br/>The specific flaw exists within the doInTransaction method. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.<br/> Ivanti has issued an update to correct this vulnerability. More details can be found at: <br/><a href="https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US">https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US</a> <br/></td> | CVSS Low | Ivanti | Exploit | - | |
CVE-2024-24993This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche. Authentication is required to exploit this vulnerability.<br/>The specific flaw exists within the InstallPackageThread class. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.<br/> Ivanti has issued an update to correct this vulnerability. More details can be found at: <br/><a href="https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US">https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US</a> <br/></td> | CVSS Low | Ivanti | Exploit | - | |
CVE-2024-24855A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.
| CVSS 4.7 | Linux | - | Patched | |
CVE-2024-24692Race condition in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access.
Users can help keep themselves secure by applying the latest updates available at https://zoom.us/download. | CVSS 4.7 | Zoom | - | Patched | |
CVE-2024-2440A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on a detached repository by making a GraphQL mutation to alter repository permissions while the repository is detached. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.13 and was fixed in versions 3.9.13, 3.10.10, 3.11.8 and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program. | CVSS 5.5 | Github | - | - | |
CVE-2024-23463Anti-tampering protection of the Zscaler Client Connector can be bypassed under certain conditions when running the Repair App functionality. This affects Zscaler Client Connector on Windows prior to 4.2.1
| CVSS 8.8 | Zscaler | - | - | |
CVE-2024-23196A race condition was found in the Linux kernel's sound/hda device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.
| CVSS 4.7 | Linux | - | Patched | |
CVE-2024-22185Time-of-check Time-of-use Race Condition in some Intel(R) processors with Intel(R) ACTM may allow a privileged user to potentially enable escalation of privilege via local access. | CVSS 7.2 | - | - | ||
CVE-2024-21792Time-of-check Time-of-use race condition in Intel® Neural Compressor software before version 2.5.0 may allow an authenticated user to potentially enable information disclosure via local access. | CVSS 4.7 | - | Patched | ||
CVE-2024-21433Windows Print Spooler Elevation of Privilege Vulnerability | CVSS 7 | Microsoft | - | Patched | |
CVE-2024-21371This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.<br/>The specific flaw exists within the handling of NTFS junctions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.<br/> Microsoft has issued an update to correct this vulnerability. More details can be found at: <br/><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21371">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21371</a> <br/></td> | CVSS 7 | Microsoft | Exploit | Patched | |
CVE-2024-21362Windows Kernel Security Feature Bypass Vulnerability | CVSS 5.5 | Microsoft | - | Patched | |
CVE-2024-1729This security policy is with regards to a timing attack that allows users of Gradio apps to potentially guess the password of password-protected Gradio apps. This relies on the fact that string comparisons in Python terminate early, as soon as there is a string mismatch. Because Gradio apps are, by default, not rate-limited, a user could brute-force millions of guesses to figure out the correct username and password. | CVSS Low | Gradio project | - | Patched | |
CVE-2024-0171Dell PowerEdge Server BIOS contains an TOCTOU race condition vulnerability. A local low privileged attacker could potentially exploit this vulnerability to gain access to otherwise unauthorized resources. | CVSS 5.3 | Dell | - | Patched | |
CVE-2024-0163Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain a TOCTOU race condition vulnerability. A local low privileged attacker could potentially exploit this vulnerability to gain access to otherwise unauthorized resources. | CVSS 5.3 | - | - | ||
CVE-2024-0133NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to data tampering. | CVSS 3.4 | Nvidia | - | Patched | |
CVE-2024-0132NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | CVSS 8.3 | Nvidia | - | Patched | |
CVE-2023-6803A race condition in GitHub Enterprise Server allows an outside collaborator to be added while a repository is being transferred. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1.
| CVSS 5.8 | Github | - | - | |
CVE-2023-6690A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on transferred repositories by making a GraphQL mutation to alter repository permissions during the transfer. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1.
| CVSS 3.9 | Github | - | - | |
CVE-2023-5760A time-of-check to time-of-use (TOCTOU) bug in handling of IOCTL (input/output control) requests. This TOCTOU bug leads to an out-of-bounds write vulnerability which can be further exploited, allowing an attacker to gain full local privilege escalation on the system.This issue affects Avast/Avg Antivirus: 23.8.
| CVSS 7 | Avast | - | - | |
CVE-2023-52556In OpenBSD 7.4 before errata 009, a race condition between pf(4)'s processing of packets and expiration of packet states may cause a kernel panic.
| CVSS 6.2 | Openbsd | - | - | |
CVE-2023-46725FoodCoopShop is open source software for food coops and local shops. Versions starting with 3.2.0 prior to 3.6.1 are vulnerable to server-side request forgery. In the Network module, a manufacturer account can use the `/api/updateProducts.json` endpoint to make the server send a request to an arbitrary host. This means that the server can be used as a proxy into the internal network where the server is. Furthermore, the checks on a valid image are not adequate, leading to a time of check time of use issue. For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file is at the redirect destination, making this a full SSRF. Version 3.6.1 fixes this vulnerability. | CVSS 7.5 | Foodcoopshop | - | Patched | |
CVE-2023-46649A race condition in GitHub Enterprise Server was identified that could allow an attacker administrator access. To exploit this, an organization needs to be converted from a user. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. | CVSS 6.3 | Github | - | - | |
CVE-2023-44188
A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in telemetry processing of Juniper Networks Junos OS allows a network-based authenticated attacker to flood the system with multiple telemetry requests, causing the Junos Kernel Debugging Streaming Daemon (jkdsd) process to crash, leading to a Denial of Service (DoS). Continued receipt and processing of telemetry requests will repeatedly crash the jkdsd process and sustain the Denial of Service (DoS) condition.
This issue is seen on all Junos platforms. The crash is triggered when multiple telemetry requests come from different collectors. As the load increases, the Dynamic Rendering Daemon (drend) decides to defer processing and continue later, which results in a timing issue accessing stale memory, causing the jkdsd process to crash and restart.
Note: jkdsd is not shipped with SRX Series devices and therefore are not affected by this vulnerability.
This issue affects:
Juniper Networks Junos OS:
* 20.4 versions prior to 20.4R3-S9;
* 21.1 versions 21.1R1 and later;
* 21.2 versions prior to 21.2R3-S6;
* 21.3 versions prior to 21.3R3-S5;
* 21.4 versions prior to 21.4R3-S5;
* 22.1 versions prior to 22.1R3-S4;
* 22.2 versions prior to 22.2R3-S2;
* 22.3 versions prior to 22.3R2-S1, 22.3R3-S1;
* 22.4 versions prior to 22.4R2-S2, 22.4R3;
* 23.1 versions prior to 23.1R2;
* 23.2 versions prior to 23.2R2.
This issue does not affect Juniper Networks Junos OS versions prior to 19.4R1.
| CVSS 5.3 | Juniper | - | Patched | |
CVE-2023-44128he vulnerability is to delete arbitrary files in LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service that exposes an AIDL interface. All its "installPackage*" methods are finally calling the "installPackageVerify()" method that performs signature validation after the delete file method. An attacker can control conditions so this security check is never performed and an attacker-controlled file is deleted. | CVSS 3.6 | - | Patched | ||
CVE-2023-43976An issue in CatoNetworks CatoClient before v.5.4.0 allows attackers to escalate privileges and winning the race condition (TOCTOU) via the PrivilegedHelperTool component. | CVSS 8.1 | Catonetworks | Exploit | - | |
CVE-2023-43741A time-of-check-time-of-use race condition vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to bypass a symbolic link check for the PIPELINE_PATH variable in the fix-buildkite-agent-builds-permissions script. | CVSS 7 | Buildkite | Exploit | - | |
CVE-2023-42483A TOCTOU race condition in Samsung Mobile Processor Exynos 9820, Exynos 980, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, and Exynos 1380 can cause unexpected termination of a system. | CVSS 6.3 | Samsung | - | Patched | |
CVE-2023-4155A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`). | CVSS 5.6 | Fedoraproject, et al | - | Patched | |
CVE-2023-3891Race condition in Lapce v0.2.8 allows an attacker to elevate privileges on the system | CVSS 7 | Lapce | Exploit | - | |
CVE-2023-38146Windows Themes Remote Code Execution Vulnerability | CVSS 8.8 | Microsoft | Exploit | Patched | |
CVE-2023-38141Windows Kernel Elevation of Privilege Vulnerability | CVSS 7.8 | Microsoft | Exploit | Patched | |
CVE-2023-38041A logged in user may elevate its permissions by abusing a Time-of-Check to Time-of-Use (TOCTOU) race condition. When a particular process flow is initiated, an attacker can exploit this condition to gain unauthorized elevated privileges on the affected system. | CVSS 7 | Exploit | Patched | ||
CVE-2023-37867Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in YetAnotherStarsRating.Com YASR – Yet Another Star Rating Plugin for WordPress.This issue affects YASR – Yet Another Star Rating Plugin for WordPress: from n/a through 3.3.8.
| CVSS 3.7 | Yet another stars rating project | - | - | |
CVE-2023-37250Unity Parsec has a TOCTOU race condition that permits local attackers to escalate privileges to SYSTEM if Parsec was installed in "Per User" mode. The application intentionally launches DLLs from a user-owned directory but intended to always perform integrity verification of those DLLs. This affects Parsec Loader versions through 8. Parsec Loader 9 is a fixed version. | CVSS 7 | Unity | Exploit | - | |
CVE-2023-35378Windows Projected File System Elevation of Privilege Vulnerability | CVSS 7 | Microsoft | - | Patched | |
CVE-2023-35311Microsoft Outlook Security Feature Bypass Vulnerability | CVSS 7.5 | Microsoft | Exploit | Patched | |
CVE-2023-34046VMware Fusion(13.x prior to 13.5) contains a TOCTOU (Time-of-check Time-of-use)
vulnerability that occurs during installation for the first time (the
user needs to drag or copy the application to a folder from the '.dmg'
volume) or when installing an upgrade. A malicious actor with local non-administrative user privileges may
exploit this vulnerability to escalate privileges to root on the system
where Fusion is installed or being installed for the first time. | CVSS 7 | - | Patched | ||
CVE-2023-33832IBM Spectrum Protect 8.1.0.0 through 8.1.17.0 could allow a local user to cause a denial of service due to due to improper time-of-check to time-of-use functionality. IBM X-Force ID: 256012. | CVSS 4.7 | - | Patched | ||
CVE-2023-33156Microsoft Defender Elevation of Privilege Vulnerability | CVSS 7 | Microsoft | - | Patched | |
CVE-2023-33154Windows Partition Management Driver Elevation of Privilege Vulnerability | CVSS 9.8 | Microsoft | - | Patched | |
CVE-2023-33119[HIGH] These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. | CVSS 8.4 | - | Patched | ||
CVE-2023-33046[HIGH] These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. | CVSS 7 | Qualcomm | - | Patched | |
CVE-2023-32555A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One and Apex One as a Service agent could allow a local attacker to escalate privileges on affected installations.
Please note: a local attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This is similar to, but not identical to CVE-2023-32554. | CVSS 7 | Exploit | Patched | ||
CVE-2023-32554A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One and Apex One as a Service agent could allow a local attacker to escalate privileges on affected installations.
Please note: a local attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This is similar to, but not identical to CVE-2023-32555. | CVSS 7 | Exploit | Patched | ||
CVE-2023-32282Race condition in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | CVSS 7.2 | - | - | ||
CVE-2023-32156Tesla Model 3 Gateway Firmware Signature Validation Bypass Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Tesla Model 3 vehicles. An attacker must first obtain the ability to execute privileged code on the Tesla infotainment system in order to exploit this vulnerability.
The specific flaw exists within the handling of firmware updates. The issue results from improper error-handling during the update process. An attacker can leverage this vulnerability to execute code in the context of Tesla's Gateway ECU. Was ZDI-CAN-20734. | CVSS Low | Tesla | - | - | |
CVE-2023-32001libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When
doing this, it called `stat()` followed by `fopen()` in a way that made it
vulnerable to a TOCTOU race condition problem.
By exploiting this flaw, an attacker could trick the victim to create or
overwrite protected files holding this data in ways it was not intended to.
| CVSS MEDIUM | Tenable, et al | Exploit | Patched | |
CVE-2023-29337NuGet Client Remote Code Execution Vulnerability | CVSS 7.1 | Microsoft | - | Patched | |
CVE-2023-28576The buffer obtained from kernel APIs such as cam_mem_get_cpu_buf() may be readable/writable in userspace after kernel accesses it. In other words, user mode may race and modify the packet header (e.g. header.count), causing checks (e.g. size checks) in kernel code to be invalid. This may lead to out-of-bounds read/write issues. | CVSS 7 | Qualcomm | - | Patched | |
CVE-2023-28075
Dell BIOS contain a Time-of-check Time-of-use vulnerability in BIOS. A local authenticated malicious user with physical access to the system could potentially exploit this vulnerability by using a specifically timed DMA transaction during an SMI in order to gain arbitrary code execution on the system.
| CVSS HIGH | - | - |