Total
9187 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-16881 | 3 Debian, Redhat, Rsyslog | 13 Debian Linux, Enterprise Linux, Enterprise Linux Desktop and 10 more | 2022-10-06 | 5.0 MEDIUM | 7.5 HIGH |
| A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash. Versions before 8.27.0 are vulnerable. | |||||
| CVE-2022-29155 | 3 Debian, Netapp, Openldap | 14 Debian Linux, H300s, H300s Firmware and 11 more | 2022-10-06 | 7.5 HIGH | 9.8 CRITICAL |
| In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping. | |||||
| CVE-2021-4159 | 3 Debian, Linux, Redhat | 3 Debian Linux, Linux Kernel, Enterprise Linux | 2022-10-06 | N/A | 4.4 MEDIUM |
| A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel. | |||||
| CVE-2017-3313 | 5 Canonical, Debian, Mariadb and 2 more | 10 Ubuntu Linux, Debian Linux, Mariadb and 7 more | 2022-10-06 | 1.5 LOW | 4.7 MEDIUM |
| Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: MyISAM). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS v3.0 Base Score 4.7 (Confidentiality impacts). | |||||
| CVE-2018-11496 | 2 Debian, Long Range Zip Project | 2 Debian Linux, Long Range Zip | 2022-10-06 | 4.3 MEDIUM | 6.5 MEDIUM |
| In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in read_stream in stream.c, because decompress_file in lrzip.c lacks certain size validation. | |||||
| CVE-2018-5747 | 2 Debian, Long Range Zip Project | 2 Debian Linux, Long Range Zip | 2022-10-06 | 4.3 MEDIUM | 5.5 MEDIUM |
| In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in the ucompthread function (stream.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file. | |||||
| CVE-2021-44533 | 3 Debian, Nodejs, Oracle | 9 Debian Linux, Node.js, Graalvm and 6 more | 2022-10-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable. | |||||
| CVE-2020-29260 | 2 Debian, Libvncserver Project | 2 Debian Linux, Libvncserver | 2022-10-05 | N/A | 7.5 HIGH |
| libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup(). | |||||
| CVE-2020-6457 | 2 Debian, Google | 2 Debian Linux, Chrome | 2022-10-05 | 6.8 MEDIUM | 9.6 CRITICAL |
| Use after free in speech recognizer in Google Chrome prior to 81.0.4044.113 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |||||
| CVE-2020-6460 | 2 Debian, Google | 2 Debian Linux, Chrome | 2022-10-05 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient data validation in URL formatting in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to perform domain spoofing via a crafted domain name. | |||||
| CVE-2020-6461 | 2 Debian, Google | 2 Debian Linux, Chrome | 2022-10-05 | 6.8 MEDIUM | 9.6 CRITICAL |
| Use after free in storage in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||||
| CVE-2020-6458 | 2 Debian, Google | 2 Debian Linux, Chrome | 2022-10-05 | 6.8 MEDIUM | 8.8 HIGH |
| Out of bounds read and write in PDFium in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||||
| CVE-2019-12973 | 4 Debian, Opensuse, Oracle and 1 more | 5 Debian Linux, Leap, Database Server and 2 more | 2022-10-05 | 4.3 MEDIUM | 5.5 MEDIUM |
| In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616. | |||||
| CVE-2020-6462 | 2 Debian, Google | 2 Debian Linux, Chrome | 2022-10-05 | 6.8 MEDIUM | 9.6 CRITICAL |
| Use after free in task scheduling in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||||
| CVE-2021-3582 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2022-10-05 | 2.1 LOW | 6.5 MEDIUM |
| A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-44532 | 3 Debian, Nodejs, Oracle | 9 Debian Linux, Node.js, Graalvm and 6 more | 2022-10-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option. | |||||
| CVE-2022-0516 | 5 Debian, Fedoraproject, Linux and 2 more | 31 Debian Linux, Fedora, Linux Kernel and 28 more | 2022-10-04 | 4.6 MEDIUM | 7.8 HIGH |
| A vulnerability was found in kvm_s390_guest_sida_op in the arch/s390/kvm/kvm-s390.c function in KVM for s390 in the Linux kernel. This flaw allows a local attacker with a normal user privilege to obtain unauthorized memory write access. This flaw affects Linux kernel versions prior to 5.17-rc4. | |||||
| CVE-2021-32728 | 2 Debian, Nextcloud | 2 Debian Linux, Desktop | 2022-10-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading. | |||||
| CVE-2022-2255 | 2 Debian, Modwsgi | 2 Debian Linux, Mod Wsgi | 2022-10-01 | N/A | 7.5 HIGH |
| A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing. | |||||
| CVE-2022-3008 | 2 Debian, Tinygltf Project | 2 Debian Linux, Tinygltf | 2022-10-01 | N/A | 8.8 HIGH |
| The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection by using backticks. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751 | |||||