Log In
Get a Demo

See for yourself – run a scan on your code right now

Get a demo

Fedora Linux has long been a favorite operating system (OS) for developers looking for an innovative, free environment. Originally developed and now sponsored by Red Hat, the open-source Fedora Project has a little something for everyone with its Workstation, Server, Internet of Things (IoT), Virtual Machine (VM), and container-optimized CoreOS options. 

As a trusted open-source OS, attackers will seek to exploit any vulnerabilities to poison the supply stream. Knowing these 39 Fedora Linux 38 vulnerabilities can help you secure your applications more effectively.

What is Fedora Linux 38 (F38)?

Fedora Linux 38 (F38) is the most recent release of the popular open-source OS. With F38’s April 2023 release, the Fedora Project brought developers:

  • New Spins that showcase different desktop environments
  • A mobile device image for Pinephone, Pinephone Pro, Pinetab, and Librem devices
  • Desktop experience enhancements, including a new lock screen, “background apps” on the quick menu, and accessibility setting improvements
  • Sysadmin improvements with the lighter-weight default package manager microdnf

39 F38 Vulnerabilities You Should Know

Although only released in April 2023, 158 vulnerabilities in F38 had been identified by September. However, since not all of those vulnerabilities pose the same risk, this list is based on the following factors:

  • Listed in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerability (KEV) list
  • Exploit Prediction Scoring System (EPSS) rating above 1%, indicating the likelihood of exploitation in the next 30 days
  • Maximum base Common Vulnerability Scoring System (CVSS) score of 8.8 or above

The 39 F38 vulnerabilities you should be worried about are:

  1. CVE-2023-2136 (KEV): allowed a remote attacker who compromised the renderer process to perform a sandbox escape potentially via a crafted HTML page
  2. CVE-2023-3079 (KEV): allowed remote attacker to potentially exploit heap corruption via a crafted HTML page
  3. CVE-2023-34966 (EPSS 7.93%): allows an attacker to trigger an infinite loop by issuing a malformed RPC request that results in a denial of service (DoS) condition  
  4. CVE-2023-34967 (EPSS 7.55%): allows an attacker to trigger a process crash because multiple client connections share an RPC worker process, so affecting one shared RPC mdssvc worker process affects other clients this worker serves
  5. CVE-2023-38408 (EPSS 3.65%): allows attackers to execute code remotely if an agent is forwarded to an attacker-controlled system, related to an incomplete fix for CVE-2016-10009
  6. CVE-2023-24805: allows attackers with network access to a hosted print server to inject system commands that the running server can execute.
  7. CVE-2022-24834: allows attackers with specially crafted Lua scripts executing in Redis to trigger a heap overflow that results in heap corruption and potential remote code execution. 
  8. CVE-2023-34152: causes a remote code execution vulnerability in OpenBlob with –enable-pipes configured
  9. CVE-2023-36328: allows attackers to execute arbitrary code and cause a denial of service
  10. CVE-2023-2134: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  11. CVE-2023-2133: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  12. CVE-2023-2137: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  13. CVE-2023-36824: potentially triggers a heap overflow in Redis that could result in reading random heap memory, heap corruption, and potentially remote code execution
  14. CVE-2023-2724: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  15. CVE-2023-2461: allows remote attackers who convince users to engage in specific UI interactions potential to exploit heap corruption
  16. CVE-2023-2721: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  17. CVE-2023-2722: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  18. CVE-2023-2723: potentially allows remote attackers who compromise the renderer process to exploit heap corruption via a crafted HTML page
  19. CVE-2023-2724: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  20. CVE-2023-2725: potentially allows attacks that convince a user to install a malicious extension to exploit heap corruption via a crafted HTML page
  21. CVE-2023-2726: potentially allows attackers that convince a user to install a malicious web app to bypass the install dialog via a crafted HTML page
  22. CVE-2023-3214: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  23. CVE-2023-3215: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  24. CVE-2023-3216: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  25. CVE-2023-3217: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  26. CVE-2023-4073: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  27. CVE-2023-4349: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  28. CVE-2023-4351: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  29. CVE-2023-4352: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  30. CVE-2023-4353: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  31. CVE-2023-4354: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  32. CVE-2023-4355: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  33. CVE-2023-4356: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  34. CVE-2023-4357: potentially allows remote attackers to bypass file access restrictions via a crafted HTML page
  35. CVE-2023-4358: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  36. CVE-2023-4366: potentially allows attacks that convince a user to install a malicious extension to exploit heap corruption via a crafted HTML page
  37. CVE-2023-25358: allows attackers to execute code remotely
  38. CVE-2023-32004: causes a traversal path to bypass when verifying file permissions in an experimental permission model
  39. CVE-2023-32006: allows for policy mechanism bypass and requiring modules outside of the policy for a given module in an experimental policy mechanism feature

Qwiet.ai: Identifying Real Threats through Reachability

As attackers increasingly target Linux vulnerabilities, you need visibility into the ones that can become genuine threats. Remediating 158 new vulnerabilities over four months is overwhelming, especially as researchers find more CVEs and you build more code. Even keeping up with the 39 high-value vulnerabilities can be challenging, especially as that number can change from one day to the next. 

Qwiet AI’s preZero platform enables you to rapidly scan your code to identify vulnerabilities in source code and business logic. To help you prioritize your activities, you can focus on those vulnerabilities that attackers can actively exploit within the context of your application. Further, our Blacklight is the first threat intelligence feed designed to help developers prioritize fixes by focusing on the exploits, threat actors, ransomware, and botnets actively exploiting vulnerabilities in the wild.

Take our preZero platform for a spin for free to see for yourself how Qwiet AI can help you identify F38 security vulnerabilities.

 

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

Share

Read Next

Cybersecurity
April 22, 2024 6 min to read

What are the limitations of using ChatGPT to write code?

Love them or hate them, large language models (LLM) are here to stay. After opening the Pandora’s Box of ChatGPT in late 2022, everyone from developers to grandmas began using the tool to get the answers they wanted – and fast. As with every other new technology, ChatGPT created a new set of security risks, […]

READ MORE
Cybersecurity
April 17, 2024 5 min to read

Why Is Vulnerability Remediation Hard?

Imagine yourself standing in a local fair at night. The bright lights from the games beckon you, and you see your favorite game, the one you’re best at – Whack-A-Mole. You excitedly walk up to the booth, plunk down your few dollars, and get ready to whack a bunch of plastic, animatronic moles back into […]

READ MORE
Cybersecurity
April 9, 2024 5 min to read

Understanding XSS vs CSRF

When it comes to web application vulnerabilities and attacks, malicious actors are a lot like Cookie Monster, screaming, “Me love cookie!” Digital cookies may not be as tasty as chocolate chips, but they’re just as deliciously enticing because they often contain sensitive information or enable attackers to gain unauthorized access.  While both Cross-Site Scripting (XSS) […]

READ MORE

Read Next

Cybersecurity
November 22, 2021 5 min to read

Getting to Know Compliance in Software Development

On March 21, the Biden administration directed US companies to "harden your cyber defenses immediately." With these new federal guidelines for application security, the White House urged software developers to deploy "modern tools that can detect known and potential vulnerabilities" in their custom and open-source software (OSS). Learn more about how ShiftLeft can help.

READ MORE
AppSec Cybersecurity DevOps Engineering
August 3, 2023 4 min to read

What Would You Do With 10,000 Hours?

by Bruce Snell

I’m sure we’re all familiar with the idea made popular by Malcolm Gladwell’s book Outliers that it takes 10,000 hours to truly master something.  Based on the paper “The Role of Deliberate Practice in the Acquisition of Expert Performance“, the research data indicates that people who are experts in a field got to that level […]

READ MORE
Cybersecurity
September 14, 2023 4 min to read

TL;DR: CISA’s Secure-by-Design and Default

As the US federal government continues to inch toward implementing the various national cybersecurity executive orders and implementation strategies, the Cybersecurity and Infrastructure Security Agency (CISA) will be publishing more documents to help companies achieve the desired outcomes. To be more succinct, agencies are going to write a lot about actions developers must take to […]

READ MORE

See for yourself – run a scan on your code right now

try it for free
log in
Newsletter Sign Up

Stay informed of the latest news and critical events in AppSec space:

Twitter Linkedin Github
About
Platform Overview
Platform Components
Resources

© 2024 Qwiet. All rights reserved.