Search results

  1. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2025-00001-1: Image format confusion with hot-changed CDROM media Advisory date: 2025-01-21 Packages: qemu-server Details: Missing checks when hot-swapping a CDROM drive's media could result in an image's format being automatically detected without proper verification...
  2. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00016-1: XSS via Qemu guest agent response Advisory date: 2024-12-18 Packages: pve-manager Details: The VM summary panel of the Proxmox VE web interface was missing encoding of values returned by the QEMU Guest Agent (QGA). A malicious agent implementation inside the VM...
  3. ProxmoxSecurityAdvisory

    Proxmox Mail Gateway - Security Advisories

    Subject: PSA-2024-00015-1: XSS in mail queue fields Advisory date: 2024-12-18 Packages: pmg-gui Details: Missing encoding in the Proxmox Mail Gateway UI caused HTML code contained in fields of the mail queue view to be rendered by the browser. This issue was reported by Niels Hendriks from...
  4. ProxmoxSecurityAdvisory

    Proxmox Mail Gateway - Security Advisories

    Subject: PSA-2024-00012-1: Proxmox Mail Gateway: unexpected handling of single-part attachments Advisory date: 2024-12-12 Packages: pmg-api Details: The Remove Attachments and Attachment Quarantine actions in the rule system ignored the Content-Disposition: attachment header for the first...
  5. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00014-1: image format confusion issues Advisory date: 2024-12-11 Packages: libpve-storage-perl, qemu-server, proxmox-backup-file-restore Details: Multiple ways of tricking a Proxmox VE system into using specially crafted, user-provided image data with an unexpected format...
  6. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00013-1: Proxmox VE OVA/OVF importer: Insufficient validation of untrusted input Advisory date: 2024-12-11 Packages: - libpve-storage-perl == 8.2.8 (pvetest and pve-no-subscription only) Details: On a Proxmox VE system with an active storage with content type "import", a...
  7. ProxmoxSecurityAdvisory

    Proxmox Backup Server - Security Advisories

    Subject: PSA-2024-00011-1: Proxmox Backup Server: unauthenticated DOS vulnerability Advisory date: 2024-12-03 Packages: proxmox-backup-server (== 3.2.8-1, pbstest and pbs-no-subscription only) Details: Proxmox Backup Server in version 3.2.8-1 was vulnerable to a remote unauthenticated DOS...
  8. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00010-1: Proxmox VE iSCSI plugin volume path confusion Advisory date: 2024-11-20 Packages: libpve-storage-perl Details: On a Proxmox VE system with an active storage of type 'iscsi', a sufficiently privileged user can trick the system into accessing arbitrary host block...
  9. ProxmoxSecurityAdvisory

    Proxmox Mail Gateway - Security Advisories

    Subject: PSA-2024-00009-1: Proxmox VE/Mail Gateway API: post-authentication privileged file read vulnerabilities Advisory date: 2024-09-23 Packages: - Proxmox Virtual Environment: pve-manager, libpve-storage-perl, libpve-http-server-perl, qemu-server - Proxmox Mail Gateway: pmg-api...
  10. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00009-1: Proxmox VE/Mail Gateway API: post-authentication privileged file read vulnerabilities Advisory date: 2024-09-23 Packages: - Proxmox Virtual Environment: pve-manager, libpve-storage-perl, libpve-http-server-perl, qemu-server - Proxmox Mail Gateway: pmg-api...
  11. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00008-1: kernel: DoS via short ethernet frames over tun/tap interfaces Advisory date: 2024-07-29 Packages: Proxmox 5.15 kernel packages (Proxmox VE 7), Proxmox 6.5 and 6.8 kernel packages (Proxmox VE 8) Details: The tun and tap network drivers in the Linux kernel lacked...
  12. ProxmoxSecurityAdvisory

    Proxmox Backup Server - Security Advisories

    Subject: PSA-2024-00007-1: Shim bootloader remote code execution via http response Advisory date: 2024-06-28 Packages: shim-unsigned, shim-signed Details: A remote code execution vulnerability was found in the secure boot Shim bootloader. The Shim boot support trusts attacker-controlled...
  13. ProxmoxSecurityAdvisory

    Proxmox Mail Gateway - Security Advisories

    Subject: PSA-2024-00007-1: Shim bootloader remote code execution via http response Advisory date: 2024-06-28 Packages: shim-unsigned, shim-signed Details: A remote code execution vulnerability was found in the secure boot Shim bootloader. The Shim boot support trusts attacker-controlled...
  14. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00007-1: Shim bootloader remote code execution via http response Advisory date: 2024-06-28 Packages: shim-unsigned, shim-signed Details: A remote code execution vulnerability was found in the secure boot Shim bootloader. The Shim boot support trusts attacker-controlled...
  15. ProxmoxSecurityAdvisory

    Proxmox Mail Gateway - Security Advisories

    Subject: PSA-2024-00005-1: SMTP Smuggling Publication date: 2024-03-28 Packages: pmg-api, postfix Details: Postfix was affected by an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>...
  16. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00003-1: QEMU denial of service via VNC client clipboard access Advisory date: 2024-03-28 Package(s): pve-qemu-kvm Details: A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached...
  17. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00004-1: LDAP: missing schema validation for synced attributes Advisory date: 2024-03-28 Package(s): libpve-access-control Details: On Proxmox Virtual Environment systems with user/group sync from LDAP or ActiveDirectory, the attribute values were not properly validated...
  18. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00006-1: perl PVE API client certificate validation failure if fingerprint is not passed Advisory date: 2024-03-28 Package(s): libpve-api-client-perl Details: Usage of the perl PVE API client module without a pinned TLS certificate fingerprint (see below for exact...
  19. ProxmoxSecurityAdvisory

    Proxmox Backup Server - Security Advisories

    Subject: PSA-2024-00002-1: Tape backup drive encryption failure Publication Date: 2024-02-26 Packages: proxmox-backup-server Details: With LTO tape backups for Proxmox Backup Server prior to the versions listed below, the separate hardware encryption key was unloaded from the tape drive too...
  20. ProxmoxSecurityAdvisory

    Proxmox Virtual Environment - Security Advisories

    Subject: PSA-2024-00001-1: PixieFAIL EDK2 PXE vulnerabilities Advisory date: 2024-01-24 Package(s): Proxmox VE 7.x: pve-edk2-firmware Proxmox VE 8.x: pve-edk2-firmware-ovmf pve-edk2-firmware-legacy Details: Nine vulnerabilities in EDK II's reference EFI implementation that can be...