Information Exposure Affecting perf package, versions <0:6.1.97-104.177.amzn2023


Severity

Recommended
high

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.04% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2023-PERF-8161012
  • published3 Oct 2024
  • disclosed29 Jul 2024

Introduced: 29 Jul 2024

CVE-2024-42070  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2023 perf to version 0:6.1.97-104.177.amzn2023 or higher.
This issue was patched in ALAS2023-2024-714.

NVD Description

Note: Versions mentioned in the description apply only to the upstream perf package and not the perf package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

register store validation for NFT_DATA_VALUE is conditional, however, the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This only requires a new helper function to infer the register type from the set datatype so this conditional check can be removed. Otherwise, pointer to chain object can be leaked through the registers.

CVSS Scores

version 3.1