Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat

2022-02-09T22:58:06

Description

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

Affected Software

CPE Name	Name	Version
	org.apache.tomcat:tomcat	8.5.59
	org.apache.tomcat:tomcat	9.0.39
	org.apache.tomcat:tomcat	10.0.0-M8

{"id": "GHSA-VVW4-RFWF-P6HX", "vendorId": null, "type": "github", "bulletinFamily": "software", "title": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat", "description": "While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.", "published": "2022-02-09T22:58:06", "modified": "2023-02-01T05:05:23", "epss": [{"cve": "CVE-2020-17527", "epss": 0.00219, "percentile": 0.58524, "modified": "2023-06-06"}], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://github.com/advisories/GHSA-vvw4-rfwf-p6hx", "reporter": "GitHub Advisory Database", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2020-17527", "https://lists.apache.org/thread.html/r26a2a66339087fc37db3caf201e446d3e83b5cce314371e235ff1784@%3Ccommits.tomee.apache.org%3E", "https://lists.apache.org/thread.html/r2d6e05c5ff96f8068a59dfdb3800e9ee8d4e36ce1971783c6e5f9b20@%3Ccommits.tomee.apache.org%3E", "https://lists.apache.org/thread.html/r5a285242737ddef4d338236328aaaf3237183e1465a5efafd16b99ed@%3Cdev.tomcat.apache.org%3E", "https://lists.apache.org/thread.html/r8a227ac6a755a6406c1cc47dd48800e973d4cf13fe7fe68ac59c679c@%3Cdev.tomcat.apache.org%3E", "https://lists.apache.org/thread.html/r9fd47f1b03e9b41d16a5cf72659b533887267d3398d963c2fff3abfa@%3Ccommits.tomee.apache.org%3E", "https://lists.apache.org/thread.html/ra35c8d617b17d59f400112cebadec43ad379f98198b4a9726190d7ee@%3Cissues.guacamole.apache.org%3E", "https://lists.apache.org/thread.html/ra9fcdb904dd2e2256ef90b3e4ced279cd464cb0ab63a6c64df5c010d@%3Cannounce.apache.org%3E", "https://lists.apache.org/thread.html/ra9fcdb904dd2e2256ef90b3e4ced279cd464cb0ab63a6c64df5c010d@%3Cannounce.tomcat.apache.org%3E", "https://lists.apache.org/thread.html/raa0e9ad388c1e6fd1e301b5e080f9439f64cb4178119a86a4801cc53@%3Cdev.tomcat.apache.org%3E", "https://lists.apache.org/thread.html/rabbe6b3ae6a9795641d7a05c00d2378d5bbbe4240b7e20f09b092cce@%3Cissues.guacamole.apache.org%3E", "https://lists.apache.org/thread.html/rbba08c4dcef3603e36276d49adda8eedbe458c5104314b4038f697e1@%3Cusers.tomcat.apache.org%3E", "https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E", "https://lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5%40%3Cannounce.tomcat.apache.org%3E", "https://lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5@%3Cannounce.apache.org%3E", "https://lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5@%3Cannounce.tomcat.apache.org%3E", "https://lists.apache.org/thread.html/rd5babd13d7a350b369b2f647b4dd32ce678af42f9aba5389df1ae6ca@%3Cusers.tomcat.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/12/msg00022.html", "https://security.gentoo.org/glsa/202012-23", "https://security.netapp.com/advisory/ntap-20201210-0003/", "https://www.debian.org/security/2021/dsa-4835", "http://www.openwall.com/lists/oss-security/2020/12/03/3", "https://www.oracle.com/security-alerts/cpuApr2021.html", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://github.com/advisories/GHSA-vvw4-rfwf-p6hx"], "cvelist": ["CVE-2020-17527"], "immutableFields": [], "lastseen": "2023-06-06T15:19:42", "viewCount": 16, "enchantments": {"backreferences": {"references": [{"type": "amazon", "idList": ["ALAS-2020-1473"]}, {"type": "archlinux", "idList": ["ASA-202012-3", "ASA-202012-4"]}, {"type": "cisa", "idList": ["CISA:727AB64FBBEAE210BE92EA5DFD66647C"]}, {"type": "cve", "idList": ["CVE-2020-17527"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2495-1:A5479"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-17527"]}, {"type": "f5", "idList": ["F5:K44415301"]}, {"type": "gentoo", "idList": ["GLSA-202012-23"]}, {"type": "ibm", "idList": ["1A226F41CCEE49F182D2CE6E2913B939C921267EC05F27A8773B9DAF87654A6F", "C53D3C47BD4A155045F99C1E4CBF677182A1008DEB57811C876885F82676C572", "F0AFFAB5446BEF6A6B346CA7237A1583252E55B1EA002352E7DFDFFB5796363C"]}, {"type": "kaspersky", "idList": ["KLA12087"]}, {"type": "kitploit", "idList": ["KITPLOIT:116690769744039319"]}, {"type": "nessus", "idList": ["ALA_ALAS-2020-1473.NASL", "DEBIAN_DLA-2495.NASL", "GENTOO_GLSA-202012-23.NASL", "MYSQL_ENTERPRISE_MONITOR_8_0_24.NASL", "ORACLE_RDBMS_CPU_APR_2021.NASL", "PHOTONOS_PHSA-2020-1_0-0350_APACHE.NASL", "PHOTONOS_PHSA-2020-3_0-0180_APACHE.NASL", "REDHAT-RHSA-2021-0494.NASL"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2022"]}, {"type": "photon", "idList": ["PHSA-2020-1.0-0350", "PHSA-2020-3.0-0180", "PHSA-2021-2.0-0308", "PHSA-2021-4.0-0007"]}, {"type": "redhat", "idList": ["RHSA-2021:0494"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-17527"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:0043-1", "OPENSUSE-SU-2021:0081-1"]}, {"type": "symantec", "idList": ["SMNTC-17650"]}, {"type": "threatpost", "idList": ["THREATPOST:99DC4B497599503D640FDFD9A2DC5FA3"]}, {"type": "tomcat", "idList": ["TOMCAT:324E50A03961FCE2265C4097A2D9383A"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-17527"]}]}, "dependencies": {"references": [{"type": "amazon", "idList": ["ALAS-2020-1473", "ALAS-2021-1473"]}, {"type": "archlinux", "idList": ["ASA-202012-3", "ASA-202012-4"]}, {"type": "cisa", "idList": ["CISA:727AB64FBBEAE210BE92EA5DFD66647C"]}, {"type": "cve", "idList": ["CVE-2020-17527"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2495-1:A5479", "DEBIAN:DSA-4835-1:22674"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-17527"]}, {"type": "f5", "idList": ["F5:K44415301"]}, {"type": "gentoo", "idList": ["GLSA-202012-23"]}, {"type": "ibm", "idList": ["1A226F41CCEE49F182D2CE6E2913B939C921267EC05F27A8773B9DAF87654A6F", "508080EC2619947743811C2CDFEC88743E56A6A7B5472534F08845B6126E5BEA", "95EA56D6055115B49AA8D0630FEC4CFD34FF4271A5FA42CFC289248EA2AEBEDC", "C53D3C47BD4A155045F99C1E4CBF677182A1008DEB57811C876885F82676C572", "F0AFFAB5446BEF6A6B346CA7237A1583252E55B1EA002352E7DFDFFB5796363C"]}, {"type": "kaspersky", "idList": ["KLA12087"]}, {"type": "mageia", "idList": ["MGASA-2021-0020"]}, {"type": "nessus", "idList": ["ALA_ALAS-2020-1473.NASL", "ALA_ALAS-2021-1473.NASL", "DEBIAN_DLA-2495.NASL", "DEBIAN_DSA-4835.NASL", "EULEROS_SA-2021-1175.NASL", "GENTOO_GLSA-202012-23.NASL", "MYSQL_ENTERPRISE_MONITOR_8_0_24.NASL", "NUTANIX_NXSA-AOS-5_15_5.NASL", "NUTANIX_NXSA-AOS-5_19_0_5.NASL", "NUTANIX_NXSA-AOS-5_19_1.NASL", "OPENSUSE-2021-43.NASL", "OPENSUSE-2021-81.NASL", "ORACLE_RDBMS_CPU_APR_2021.NASL", "PHOTONOS_PHSA-2020-1_0-0350_APACHE.NASL", "PHOTONOS_PHSA-2020-3_0-0180_APACHE.NASL", "PHOTONOS_PHSA-2021-2_0-0308_APACHE.NASL", "PHOTONOS_PHSA-2021-4_0-0007_APACHE.NASL", "REDHAT-RHSA-2021-0494.NASL", "TOMCAT_10_0_0_M10.NASL", "TOMCAT_8_5_60.NASL", "TOMCAT_9_0_40.NASL", "UBUNTU_USN-5360-1.NASL"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2021", "ORACLE:CPUAPR2022", "ORACLE:CPUJAN2022", "ORACLE:CPUJUL2021"]}, {"type": "osv", "idList": ["OSV:DLA-2495-1", "OSV:DSA-4835-1", "OSV:GHSA-VVW4-RFWF-P6HX"]}, {"type": "photon", "idList": ["PHSA-2020-0180", "PHSA-2020-0350", "PHSA-2020-1.0-0350", "PHSA-2020-3.0-0180", "PHSA-2021-0007", "PHSA-2021-0308", "PHSA-2021-2.0-0308", "PHSA-2021-4.0-0007"]}, {"type": "redhat", "idList": ["RHSA-2021:0494", "RHSA-2021:0495", "RHSA-2021:4012", "RHSA-2021:5134"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-17527"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:0043-1", "OPENSUSE-SU-2021:0081-1"]}, {"type": "symantec", "idList": ["SMNTC-17650"]}, {"type": "tomcat", "idList": ["TOMCAT:297A2EAE99263A165E24C66156B7872A", "TOMCAT:324E50A03961FCE2265C4097A2D9383A", "TOMCAT:BAAFFB46A35FA23A4961B3B00F383DC9"]}, {"type": "ubuntu", "idList": ["USN-5360-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-17527"]}, {"type": "veracode", "idList": ["VERACODE:28041"]}]}, "exploitation": null, "score": {"value": 7.5, "vector": "NONE"}, "epss": [{"cve": "CVE-2020-17527", "epss": 0.00219, "percentile": 0.58319, "modified": "2023-05-01"}], "vulnersScore": 7.5}, "_state": {"dependencies": 1686087756, "score": 1686065288, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "10043878ffcb107b0875a9ca4f89b4b4"}, "affectedSoftware": [{"version": "8.5.59", "operator": "lt", "ecosystem": "MAVEN", "name": "org.apache.tomcat:tomcat"}, {"version": "9.0.39", "operator": "lt", "ecosystem": "MAVEN", "name": "org.apache.tomcat:tomcat"}, {"version": "10.0.0-M8", "operator": "le", "ecosystem": "MAVEN", "name": "org.apache.tomcat:tomcat"}]}

{"nessus": [{"lastseen": "2023-05-18T15:25:41", "description": "It was discovered that Apache Tomcat from 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.\n\nFor Debian 9 stretch, this problem has been fixed in version 8.5.54-0+deb9u5.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFor the detailed security status of tomcat8 please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-12-17T00:00:00", "type": "nessus", "title": "Debian DLA-2495-1 : tomcat8 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libservlet3.1-java", "p-cpe:/a:debian:debian_linux:libservlet3.1-java-doc", "p-cpe:/a:debian:debian_linux:libtomcat8-embed-java", "p-cpe:/a:debian:debian_linux:libtomcat8-java", "p-cpe:/a:debian:debian_linux:tomcat8", "p-cpe:/a:debian:debian_linux:tomcat8-admin", "p-cpe:/a:debian:debian_linux:tomcat8-common", "p-cpe:/a:debian:debian_linux:tomcat8-docs", "p-cpe:/a:debian:debian_linux:tomcat8-examples", "p-cpe:/a:debian:debian_linux:tomcat8-user", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2495.NASL", "href": "https://www.tenable.com/plugins/nessus/144343", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2495-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144343);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-17527\");\n script_xref(name:\"IAVA\", value:\"2020-A-0570-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Debian DLA-2495-1 : tomcat8 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that Apache Tomcat from 8.5.0 to 8.5.59 could re-use\nan HTTP request header value from the previous stream received on an\nHTTP/2 connection for the request associated with the subsequent\nstream. While this would most likely lead to an error and the closure\nof the HTTP/2 connection, it is possible that information could leak\nbetween requests.\n\nFor Debian 9 stretch, this problem has been fixed in version\n8.5.54-0+deb9u5.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFor the detailed security status of tomcat8 please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/12/msg00022.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/tomcat8\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/tomcat8\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.1-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.1-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat8-embed-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat8-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-user\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"libservlet3.1-java\", reference:\"8.5.54-0+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libservlet3.1-java-doc\", reference:\"8.5.54-0+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libtomcat8-embed-java\", reference:\"8.5.54-0+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libtomcat8-java\", reference:\"8.5.54-0+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8\", reference:\"8.5.54-0+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-admin\", reference:\"8.5.54-0+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-common\", reference:\"8.5.54-0+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-docs\", reference:\"8.5.54-0+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-examples\", reference:\"8.5.54-0+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-user\", reference:\"8.5.54-0+deb9u5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:07", "description": "This update for tomcat fixes the following issue :\n\n - CVE-2020-17527: Fixed a HTTP/2 request header mix-up (bsc#1179602).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", "cvss3": {}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "openSUSE Security Update : tomcat (openSUSE-2021-81)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:tomcat", "p-cpe:/a:novell:opensuse:tomcat-admin-webapps", "p-cpe:/a:novell:opensuse:tomcat-docs-webapp", "p-cpe:/a:novell:opensuse:tomcat-el-3_0-api", "p-cpe:/a:novell:opensuse:tomcat-embed", "p-cpe:/a:novell:opensuse:tomcat-javadoc", "p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api", "p-cpe:/a:novell:opensuse:tomcat-jsvc", "p-cpe:/a:novell:opensuse:tomcat-lib", "p-cpe:/a:novell:opensuse:tomcat-servlet-4_0-api", "p-cpe:/a:novell:opensuse:tomcat-webapps", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2021-81.NASL", "href": "https://www.tenable.com/plugins/nessus/145342", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-81.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145342);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-17527\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"openSUSE Security Update : tomcat (openSUSE-2021-81)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for tomcat fixes the following issue :\n\n - CVE-2020-17527: Fixed a HTTP/2 request header mix-up\n (bsc#1179602).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179602\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected tomcat packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-el-3_0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-embed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-servlet-4_0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-9.0.36-lp151.3.39.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-admin-webapps-9.0.36-lp151.3.39.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-docs-webapp-9.0.36-lp151.3.39.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-el-3_0-api-9.0.36-lp151.3.39.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-embed-9.0.36-lp151.3.39.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-javadoc-9.0.36-lp151.3.39.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-jsp-2_3-api-9.0.36-lp151.3.39.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-jsvc-9.0.36-lp151.3.39.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-lib-9.0.36-lp151.3.39.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-servlet-4_0-api-9.0.36-lp151.3.39.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-webapps-9.0.36-lp151.3.39.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:44", "description": "The remote host is affected by the vulnerability described in GLSA-202012-23 (Apache Tomcat: Information disclosure)\n\n It was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream.\n Impact :\n\n A remote attacker, by sending well-timed HTTP/2 requests, could possibly obtain sensitive information.\n Workaround :\n\n Disable HTTP/2 support.", "cvss3": {}, "published": "2020-12-28T00:00:00", "type": "nessus", "title": "GLSA-202012-23 : Apache Tomcat: Information disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527"], "modified": "2022-12-08T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:tomcat", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202012-23.NASL", "href": "https://www.tenable.com/plugins/nessus/144614", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202012-23.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144614);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/08\");\n\n script_cve_id(\"CVE-2020-17527\");\n script_xref(name:\"GLSA\", value:\"202012-23\");\n script_xref(name:\"IAVA\", value:\"2020-A-0570-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"GLSA-202012-23 : Apache Tomcat: Information disclosure\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202012-23\n(Apache Tomcat: Information disclosure)\n\n It was discovered that Apache Tomcat could re-use an HTTP request header\n value from the previous stream received on an HTTP/2 connection for the\n request associated with the subsequent stream.\n \nImpact :\n\n A remote attacker, by sending well-timed HTTP/2 requests, could possibly\n obtain sensitive information.\n \nWorkaround :\n\n Disable HTTP/2 support.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202012-23\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Apache Tomcat 8.5.x users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-servers/tomcat-8.5.60:8.5'\n All Apache Tomcat 9.x users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-servers/tomcat-9.0.40:9'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17527\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-servers/tomcat\", unaffected:make_list(\"ge 8.5.60\", \"ge 9.0.40\"), vulnerable:make_list(\"lt 8.5.60\", \"lt 9.0.40\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache Tomcat\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:01", "description": "The version of tomcat8 installed on the remote host is prior to 8.5.60-1.86. It is, therefore, affected by a vulnerability as referenced in the ALAS-2021-1473 advisory.\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-14T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : tomcat8 (ALAS-2021-1473)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527"], "modified": "2022-12-07T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:tomcat8", "p-cpe:/a:amazon:linux:tomcat8-admin-webapps", "p-cpe:/a:amazon:linux:tomcat8-docs-webapp", "p-cpe:/a:amazon:linux:tomcat8-el-3.0-api", "p-cpe:/a:amazon:linux:tomcat8-javadoc", "p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api", "p-cpe:/a:amazon:linux:tomcat8-lib", "p-cpe:/a:amazon:linux:tomcat8-log4j", "p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api", "p-cpe:/a:amazon:linux:tomcat8-webapps", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2021-1473.NASL", "href": "https://www.tenable.com/plugins/nessus/145010", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2021-1473.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145010);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2020-17527\");\n script_xref(name:\"ALAS\", value:\"2021-1473\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Amazon Linux AMI : tomcat8 (ALAS-2021-1473)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tomcat8 installed on the remote host is prior to 8.5.60-1.86. It is, therefore, affected by a\nvulnerability as referenced in the ALAS-2021-1473 advisory.\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on\n an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely\n lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak\n between requests. (CVE-2020-17527)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2021-1473.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-17527\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update tomcat8' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\npkgs = [\n {'reference':'tomcat8-8.5.60-1.86.amzn1', 'release':'ALA'},\n {'reference':'tomcat8-admin-webapps-8.5.60-1.86.amzn1', 'release':'ALA'},\n {'reference':'tomcat8-docs-webapp-8.5.60-1.86.amzn1', 'release':'ALA'},\n {'reference':'tomcat8-el-3.0-api-8.5.60-1.86.amzn1', 'release':'ALA'},\n {'reference':'tomcat8-javadoc-8.5.60-1.86.amzn1', 'release':'ALA'},\n {'reference':'tomcat8-jsp-2.3-api-8.5.60-1.86.amzn1', 'release':'ALA'},\n {'reference':'tomcat8-lib-8.5.60-1.86.amzn1', 'release':'ALA'},\n {'reference':'tomcat8-log4j-8.5.60-1.86.amzn1', 'release':'ALA'},\n {'reference':'tomcat8-servlet-3.1-api-8.5.60-1.86.amzn1', 'release':'ALA'},\n {'reference':'tomcat8-webapps-8.5.60-1.86.amzn1', 'release':'ALA'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat8 / tomcat8-admin-webapps / tomcat8-docs-webapp / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:40", "description": "An update of the apache package has been released.", "cvss3": {}, "published": "2020-12-22T00:00:00", "type": "nessus", "title": "Photon OS 3.0: Apache PHSA-2020-3.0-0180", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:apache", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2020-3_0-0180_APACHE.NASL", "href": "https://www.tenable.com/plugins/nessus/144516", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-3.0-0180. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144516);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-17527\");\n script_xref(name:\"IAVA\", value:\"2020-A-0570-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Photon OS 3.0: Apache PHSA-2020-3.0-0180\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the apache package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-180.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 3.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-3.0', reference:'apache-tomcat-8.5.60-1.ph3')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'apache');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:06", "description": "This update for tomcat fixes the following issue :\n\n - CVE-2020-17527: Fixed a HTTP/2 request header mix-up (bsc#1179602).\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.", "cvss3": {}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "openSUSE Security Update : tomcat (openSUSE-2021-43)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:tomcat", "p-cpe:/a:novell:opensuse:tomcat-admin-webapps", "p-cpe:/a:novell:opensuse:tomcat-docs-webapp", "p-cpe:/a:novell:opensuse:tomcat-el-3_0-api", "p-cpe:/a:novell:opensuse:tomcat-embed", "p-cpe:/a:novell:opensuse:tomcat-javadoc", "p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api", "p-cpe:/a:novell:opensuse:tomcat-jsvc", "p-cpe:/a:novell:opensuse:tomcat-lib", "p-cpe:/a:novell:opensuse:tomcat-servlet-4_0-api", "p-cpe:/a:novell:opensuse:tomcat-webapps", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-43.NASL", "href": "https://www.tenable.com/plugins/nessus/145325", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-43.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145325);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-17527\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"openSUSE Security Update : tomcat (openSUSE-2021-43)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for tomcat fixes the following issue :\n\n - CVE-2020-17527: Fixed a HTTP/2 request header mix-up\n (bsc#1179602).\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update\nproject.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179602\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected tomcat packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-el-3_0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-embed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-servlet-4_0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-9.0.36-lp152.2.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-admin-webapps-9.0.36-lp152.2.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-docs-webapp-9.0.36-lp152.2.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-el-3_0-api-9.0.36-lp152.2.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-embed-9.0.36-lp152.2.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-javadoc-9.0.36-lp152.2.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-jsp-2_3-api-9.0.36-lp152.2.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-jsvc-9.0.36-lp152.2.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-lib-9.0.36-lp152.2.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-servlet-4_0-api-9.0.36-lp152.2.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-webapps-9.0.36-lp152.2.16.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:24", "description": "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the ALAS-2020-1473 advisory.\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\n\nThis plugin has been deprecated due to Amazon pulling the previously published advisory.", "cvss3": {}, "published": "2020-12-18T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : tomcat8 (ALAS-2020-1473) (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527"], "modified": "2021-03-12T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:tomcat8", "p-cpe:/a:amazon:linux:tomcat8-admin-webapps", "p-cpe:/a:amazon:linux:tomcat8-docs-webapp", "p-cpe:/a:amazon:linux:tomcat8-el-3.0-api", "p-cpe:/a:amazon:linux:tomcat8-javadoc", "p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api", "p-cpe:/a:amazon:linux:tomcat8-lib", "p-cpe:/a:amazon:linux:tomcat8-log4j", "p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api", "p-cpe:/a:amazon:linux:tomcat8-webapps", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2020-1473.NASL", "href": "https://www.tenable.com/plugins/nessus/144462", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2020-12-23 due to Amazon pulling the previsouly published advisory.\n# \n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2020-1473.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144462);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/12\");\n\n script_cve_id(\"CVE-2020-17527\");\n script_xref(name:\"ALAS\", value:\"2020-1473\");\n script_xref(name:\"IAVA\", value:\"2020-A-0570-S\");\n\n script_name(english:\"Amazon Linux AMI : tomcat8 (ALAS-2020-1473) (deprecated)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the ALAS-2020-1473 advisory.\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on\n an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely\n lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak\n between requests. (CVE-2020-17527)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\n\nThis plugin has been deprecated due to Amazon pulling the previously published advisory.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2020-1473.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-17527\");\n script_set_attribute(attribute:\"solution\", value:\n\"n/a\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated due to Amazon pulling the previously published advisory.\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:21", "description": "An update of the apache package has been released.", "cvss3": {}, "published": "2021-01-13T00:00:00", "type": "nessus", "title": "Photon OS 2.0: Apache PHSA-2021-2.0-0308", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527"], "modified": "2022-12-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:apache", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2021-2_0-0308_APACHE.NASL", "href": "https://www.tenable.com/plugins/nessus/144895", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-2.0-0308. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144895);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2020-17527\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Photon OS 2.0: Apache PHSA-2021-2.0-0308\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the apache package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-308.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 2.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-2.0', reference:'apache-tomcat-8.5.60-1.ph2')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'apache');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:13:32", "description": "An update of the apache package has been released.", "cvss3": {}, "published": "2020-12-22T00:00:00", "type": "nessus", "title": "Photon OS 1.0: Apache PHSA-2020-1.0-0350", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:apache", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2020-1_0-0350_APACHE.NASL", "href": "https://www.tenable.com/plugins/nessus/144518", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-1.0-0350. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144518);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-17527\");\n script_xref(name:\"IAVA\", value:\"2020-A-0570-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Photon OS 1.0: Apache PHSA-2020-1.0-0350\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the apache package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-350.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 1.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-1.0', reference:'apache-tomcat-8.5.60-1.ph1')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'apache');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:30:25", "description": "The version of Tomcat installed on the remote host is prior to 10.0.0.M10. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.0.0-m10_security-10 advisory.\n\n - When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. (CVE-2021-24122)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-21T00:00:00", "type": "nessus", "title": "Apache Tomcat 10.0.0.M1 < 10.0.0.M10 multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527", "CVE-2021-24122"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_10_0_0_M10.NASL", "href": "https://www.tenable.com/plugins/nessus/150937", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150937);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-17527\", \"CVE-2021-24122\");\n script_xref(name:\"IAVA\", value:\"2020-A-0570-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Apache Tomcat 10.0.0.M1 < 10.0.0.M10 multiple vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Tomcat installed on the remote host is prior to 10.0.0.M10. It is, therefore, affected by multiple\nvulnerabilities as referenced in the fixed_in_apache_tomcat_10.0.0-m10_security-10 advisory.\n\n - When serving resources from a network location using the NTFS file system, Apache Tomcat versions\n 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP\n source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API\n File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API\n (FindFirstFileW) in some circumstances. (CVE-2021-24122)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on\n an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely\n lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak\n between requests. (CVE-2020-17527)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://github.com/apache/tomcat/commit/7f004ac4531c45f9a2a2d1470561fe135cf27bc2\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?32f44cf1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bz.apache.org/bugzilla/show_bug.cgi?id=64830\");\n # https://github.com/apache/tomcat/commit/8d2fe6894d6e258a6d615d7f786acca80e6020cb\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5bd634bb\");\n # https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M10\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0856ba95\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 10.0.0.M10 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(fixed: '10.0.0.M10', min:'10.0.0.M1', severity:SECURITY_WARNING, granularity_regex: \"^(10(\\.0(\\.0)?)?)$\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:12", "description": "According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.(CVE-2021-24122)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.(CVE-2020-17527)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-01T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2021-1175)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527", "CVE-2021-24122"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:tomcat", "p-cpe:/a:huawei:euleros:tomcat-admin-webapps", "p-cpe:/a:huawei:euleros:tomcat-el-3.0-api", "p-cpe:/a:huawei:euleros:tomcat-jsp-2.3-api", "p-cpe:/a:huawei:euleros:tomcat-lib", "p-cpe:/a:huawei:euleros:tomcat-servlet-4.0-api", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1175.NASL", "href": "https://www.tenable.com/plugins/nessus/145727", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145727);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-17527\", \"CVE-2021-24122\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2021-1175)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the tomcat packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - When serving resources from a network location using\n the NTFS file system, Apache Tomcat versions 10.0.0-M1\n to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and\n 7.0.0 to 7.0.106 were susceptible to JSP source code\n disclosure in some configurations. The root cause was\n the unexpected behaviour of the JRE API\n File.getCanonicalPath() which in turn was caused by the\n inconsistent behaviour of the Windows API\n (FindFirstFileW) in some circumstances.(CVE-2021-24122)\n\n - While investigating bug 64830 it was discovered that\n Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request\n header value from the previous stream received on an\n HTTP/2 connection for the request associated with the\n subsequent stream. While this would most likely lead to\n an error and the closure of the HTTP/2 connection, it\n is possible that information could leak between\n requests.(CVE-2020-17527)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1175\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?91339a6c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected tomcat packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-servlet-4.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"tomcat-9.0.10-1.h12.eulerosv2r8\",\n \"tomcat-admin-webapps-9.0.10-1.h12.eulerosv2r8\",\n \"tomcat-el-3.0-api-9.0.10-1.h12.eulerosv2r8\",\n \"tomcat-jsp-2.3-api-9.0.10-1.h12.eulerosv2r8\",\n \"tomcat-lib-9.0.10-1.h12.eulerosv2r8\",\n \"tomcat-servlet-4.0-api-9.0.10-1.h12.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:13:46", "description": "The version of Tomcat installed on the remote host is prior to 8.5.60. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_8.5.60_security-8 advisory.\n\n - When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. (CVE-2021-24122)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-12-10T00:00:00", "type": "nessus", "title": "Apache Tomcat 8.5.x < 8.5.60 Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527", "CVE-2021-24122"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_8_5_60.NASL", "href": "https://www.tenable.com/plugins/nessus/144054", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144054);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-17527\", \"CVE-2021-24122\");\n script_xref(name:\"IAVA\", value:\"2020-A-0570-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Apache Tomcat 8.5.x < 8.5.60 Information Disclosure\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by an information disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Tomcat installed on the remote host is prior to 8.5.60. It is, therefore, affected by multiple\nvulnerabilities as referenced in the fixed_in_apache_tomcat_8.5.60_security-8 advisory.\n\n - When serving resources from a network location using the NTFS file system, Apache Tomcat versions\n 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP\n source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API\n File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API\n (FindFirstFileW) in some circumstances. (CVE-2021-24122)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on\n an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely\n lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak\n between requests. (CVE-2020-17527)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?05c4b1e2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 8.5.60 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(\n min:'8.5.0',\n fixed: '8.5.60',\n severity:SECURITY_WARNING,\n granularity_regex: \"^8(\\.5)?$\"\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:08", "description": "Two vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in information disclosure.", "cvss3": {}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "Debian DSA-4835-1 : tomcat9 - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13943", "CVE-2020-17527"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:tomcat9", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4835.NASL", "href": "https://www.tenable.com/plugins/nessus/145386", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4835. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(145386);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2020-13943\", \"CVE-2020-17527\");\n script_xref(name:\"DSA\", value:\"4835\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Debian DSA-4835-1 : tomcat9 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Two vulnerabilities were discovered in the Tomcat servlet and JSP\nengine, which could result in information disclosure.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/tomcat9\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/tomcat9\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2021/dsa-4835\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the tomcat9 packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 9.0.31-1~deb10u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"libtomcat9-embed-java\", reference:\"9.0.31-1~deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libtomcat9-java\", reference:\"9.0.31-1~deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"tomcat9\", reference:\"9.0.31-1~deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"tomcat9-admin\", reference:\"9.0.31-1~deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"tomcat9-common\", reference:\"9.0.31-1~deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"tomcat9-docs\", reference:\"9.0.31-1~deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"tomcat9-examples\", reference:\"9.0.31-1~deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"tomcat9-user\", reference:\"9.0.31-1~deb10u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:19", "description": "The version of Tomcat installed on the remote host is prior to 9.0.40. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.40_security-9 advisory.\n\n - When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. (CVE-2021-24122)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-12-10T00:00:00", "type": "nessus", "title": "Apache Tomcat 9.x < 9.0.40 Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527", "CVE-2021-24122"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_9_0_40.NASL", "href": "https://www.tenable.com/plugins/nessus/144050", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144050);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-17527\", \"CVE-2021-24122\");\n script_xref(name:\"IAVA\", value:\"2020-A-0570-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Apache Tomcat 9.x < 9.0.40 Information Disclosure\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by an information disclosure vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Tomcat installed on the remote host is prior to 9.0.40. It is, therefore, affected by multiple\nvulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.40_security-9 advisory.\n\n - When serving resources from a network location using the NTFS file system, Apache Tomcat versions\n 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP\n source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API\n File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API\n (FindFirstFileW) in some circumstances. (CVE-2021-24122)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on\n an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely\n lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak\n between requests. (CVE-2020-17527)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?13c2f9e9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 9.0.40 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(\n min:'9.0.0-M1',\n fixed:'9.0.40',\n severity:SECURITY_WARNING,\n granularity_regex: \"^9(\\.0)?$\"\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:03", "description": "The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0494 advisory.\n\n - tomcat: Apache Tomcat HTTP/2 Request mix-up (CVE-2020-13943)\n\n - tomcat: HTTP/2 request header mix-up (CVE-2020-17527)\n\n - openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)\n\n - tomcat: Information disclosure when using NTFS file system (CVE-2021-24122)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-02-11T00:00:00", "type": "nessus", "title": "RHEL 7 / 8 : Red Hat JBoss Web Server 5.4.1 Security Update (Moderate) (RHSA-2021:0494)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13943", "CVE-2020-17527", "CVE-2020-1971", "CVE-2021-24122"], "modified": "2023-01-23T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-admin-webapps", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-docs-webapp", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-el-3.0-api", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-javadoc", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-jsp-2.3-api", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-lib", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-native", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-selinux", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-servlet-4.0-api", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-webapps"], "id": "REDHAT-RHSA-2021-0494.NASL", "href": "https://www.tenable.com/plugins/nessus/146431", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0494. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146431);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/23\");\n\n script_cve_id(\n \"CVE-2020-1971\",\n \"CVE-2020-13943\",\n \"CVE-2020-17527\",\n \"CVE-2021-24122\"\n );\n script_xref(name:\"RHSA\", value:\"2021:0494\");\n script_xref(name:\"IAVA\", value:\"2020-A-0465-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0038\");\n script_xref(name:\"IAVA\", value:\"2020-A-0570-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0193\");\n script_xref(name:\"IAVA\", value:\"2021-A-0196\");\n script_xref(name:\"IAVA\", value:\"2020-A-0566-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0328\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"RHEL 7 / 8 : Red Hat JBoss Web Server 5.4.1 Security Update (Moderate) (RHSA-2021:0494)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0494 advisory.\n\n - tomcat: Apache Tomcat HTTP/2 Request mix-up (CVE-2020-13943)\n\n - tomcat: HTTP/2 request header mix-up (CVE-2020-17527)\n\n - openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)\n\n - tomcat: Information disclosure when using NTFS file system (CVE-2021-24122)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-1971\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-13943\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-17527\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-24122\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0494\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1887648\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1903409\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1904221\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1917209\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(200, 476);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-servlet-4.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-webapps\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release_list(operator: 'ge', os_version: os_ver, rhel_versions: ['7','8'])) audit(AUDIT_OS_NOT, 'Red Hat 7.x / 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/layered/rhel8/x86_64/jws/5/debug',\n 'content/dist/layered/rhel8/x86_64/jws/5/os',\n 'content/dist/layered/rhel8/x86_64/jws/5/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'jws5-tomcat-9.0.36-9.redhat_8.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-admin-webapps-9.0.36-9.redhat_8.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-docs-webapp-9.0.36-9.redhat_8.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-el-3.0-api-9.0.36-9.redhat_8.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-javadoc-9.0.36-9.redhat_8.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-jsp-2.3-api-9.0.36-9.redhat_8.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-lib-9.0.36-9.redhat_8.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-native-1.2.25-3.redhat_3.el8jws', 'cpu':'x86_64', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-selinux-9.0.36-9.redhat_8.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-servlet-4.0-api-9.0.36-9.redhat_8.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-webapps-9.0.36-9.redhat_8.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel/server/7/7Server/x86_64/jws/5/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/jws/5/os',\n 'content/dist/rhel/server/7/7Server/x86_64/jws/5/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'jws5-tomcat-9.0.36-9.redhat_8.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-admin-webapps-9.0.36-9.redhat_8.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-docs-webapp-9.0.36-9.redhat_8.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-el-3.0-api-9.0.36-9.redhat_8.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-javadoc-9.0.36-9.redhat_8.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-jsp-2.3-api-9.0.36-9.redhat_8.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-lib-9.0.36-9.redhat_8.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-native-1.2.25-3.redhat_3.el7jws', 'cpu':'x86_64', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-selinux-9.0.36-9.redhat_8.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-servlet-4.0-api-9.0.36-9.redhat_8.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'},\n {'reference':'jws5-tomcat-webapps-9.0.36-9.redhat_8.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jws5-tomcat / jws5-tomcat-admin-webapps / jws5-tomcat-docs-webapp / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:55:04", "description": "An update of the apache package has been released.", "cvss3": {}, "published": "2021-04-07T00:00:00", "type": "nessus", "title": "Photon OS 4.0: Apache PHSA-2021-4.0-0007", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527", "CVE-2021-24122", "CVE-2021-25122", "CVE-2021-25329"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:apache", "cpe:/o:vmware:photonos:4.0"], "id": "PHOTONOS_PHSA-2021-4_0-0007_APACHE.NASL", "href": "https://www.tenable.com/plugins/nessus/148353", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-4.0-0007. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148353);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2020-17527\",\n \"CVE-2021-24122\",\n \"CVE-2021-25122\",\n \"CVE-2021-25329\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Photon OS 4.0: Apache PHSA-2021-4.0-0007\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the apache package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-4.0-7.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-25122\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:4.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 4\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 4.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-4.0', reference:'apache-tomcat-8.5.64-1.ph4')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'apache');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:08:15", "description": "MySQL Enterprise Monitor installed on the remote host is 8.0.x prior to 8.0.24. Therefore, it's affected by multiple vulnerabilities as referenced in the April 2021 CPU advisory.\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General (Apache Tomcat)). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Enterprise Monitor accessible data (CVE-2020-17527).\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General (Apache Struts)). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor (CVE-2020-17530).\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General (OpenSSL)).\n Supported versions that are affected are 8.0.23 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Enterprise Monitor accessible data as well as unauthorized access to critical data or complete access to all MySQL Enterprise Monitor accessible data (CVE-2021-3450).\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-04-26T00:00:00", "type": "nessus", "title": "Oracle MySQL Enterprise Monitor Multiple Vulnerabilities (Apr 2021 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527", "CVE-2020-17530", "CVE-2021-23841", "CVE-2021-25122", "CVE-2021-3450"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor"], "id": "MYSQL_ENTERPRISE_MONITOR_8_0_24.NASL", "href": "https://www.tenable.com/plugins/nessus/148986", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148986);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2020-17527\",\n \"CVE-2020-17530\",\n \"CVE-2021-3450\",\n \"CVE-2021-23841\",\n \"CVE-2021-25122\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle MySQL Enterprise Monitor Multiple Vulnerabilities (Apr 2021 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"MySQL Enterprise Monitor installed on the remote host is 8.0.x prior to 8.0.24. Therefore, it's affected by \nmultiple vulnerabilities as referenced in the April 2021 CPU advisory.\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General \n (Apache Tomcat)). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to\n all MySQL Enterprise Monitor accessible data (CVE-2020-17527).\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General \n (Apache Struts)). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability \n allows unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise Monitor. Successful\n attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor (CVE-2020-17530).\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General (OpenSSL)).\n Supported versions that are affected are 8.0.23 and prior. Difficult to exploit vulnerability allows \n unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise Monitor. Successful attacks\n of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or \n all MySQL Enterprise Monitor accessible data as well as unauthorized access to critical data or complete access \n to all MySQL Enterprise Monitor accessible data (CVE-2021-3450).\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuapr2021cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuapr2021.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpujul2021cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpujul2021.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2021 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17530\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Forced Multi OGNL Evaluation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\", \"oracle_mysql_enterprise_monitor_local_nix_detect.nbin\", \"oracle_mysql_enterprise_monitor_local_detect.nbin\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'MySQL Enterprise Monitor');\nvar constraints = [{ 'min_version' : '8.0', 'fixed_version' : '8.0.24' }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-13T14:54:51", "description": "The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5360-1 advisory.\n\n - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. (CVE-2020-9484)\n\n - Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread. (CVE-2020-9494)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\n - When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.\n (CVE-2021-25122)\n\n - The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329)\n\n - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)\n\n - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;\n and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.\n (CVE-2021-33037)\n\n - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.\n (CVE-2021-41079)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-01T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS : Tomcat vulnerabilities (USN-5360-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13943", "CVE-2020-17527", "CVE-2020-9484", "CVE-2020-9494", "CVE-2021-25122", "CVE-2021-25329", "CVE-2021-30640", "CVE-2021-33037", "CVE-2021-41079"], "modified": "2023-07-10T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:libtomcat9-embed-java", "p-cpe:/a:canonical:ubuntu_linux:libtomcat9-java", "p-cpe:/a:canonical:ubuntu_linux:tomcat9", "p-cpe:/a:canonical:ubuntu_linux:tomcat9-admin", "p-cpe:/a:canonical:ubuntu_linux:tomcat9-common", "p-cpe:/a:canonical:ubuntu_linux:tomcat9-examples", "p-cpe:/a:canonical:ubuntu_linux:tomcat9-user"], "id": "UBUNTU_USN-5360-1.NASL", "href": "https://www.tenable.com/plugins/nessus/159385", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5360-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159385);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/10\");\n\n script_cve_id(\n \"CVE-2020-9484\",\n \"CVE-2020-9494\",\n \"CVE-2020-13943\",\n \"CVE-2020-17527\",\n \"CVE-2021-25122\",\n \"CVE-2021-25329\",\n \"CVE-2021-30640\",\n \"CVE-2021-33037\",\n \"CVE-2021-41079\"\n );\n script_xref(name:\"USN\", value:\"5360-1\");\n script_xref(name:\"IAVA\", value:\"2020-A-0470\");\n script_xref(name:\"IAVA\", value:\"2020-A-0225-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0324\");\n script_xref(name:\"IAVA\", value:\"2020-A-0465-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0570-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0193\");\n script_xref(name:\"IAVA\", value:\"2021-A-0194-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0114-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0347\");\n script_xref(name:\"IAVA\", value:\"2021-A-0483\");\n script_xref(name:\"IAVA\", value:\"2021-A-0303-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0486-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0487\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS : Tomcat vulnerabilities (USN-5360-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-5360-1 advisory.\n\n - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to\n 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the\n server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is\n configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)\n or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker\n knows the relative file path from the storage location used by FileStore to the file the attacker has\n control over; then, using a specifically crafted request, the attacker will be able to trigger remote code\n execution via deserialization of the file under their control. Note that all of conditions a) to d) must\n be true for the attack to succeed. (CVE-2020-9484)\n\n - Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types\n of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the\n thread. (CVE-2020-9494)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to\n 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the\n HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP\n headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This\n could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on\n an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely\n lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak\n between requests. (CVE-2020-17527)\n\n - When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to\n 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one\n request to another meaning user A and user B could both see the results of user A's request.\n (CVE-2021-25122)\n\n - The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to\n 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be\n used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published\n prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to\n this issue. (CVE-2021-25329)\n\n - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of\n a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue\n affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)\n\n - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP\n transfer-encoding request header in some circumstances leading to the possibility to request smuggling\n when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if\n the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;\n and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.\n (CVE-2021-33037)\n\n - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate\n incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially\n crafted packet could be used to trigger an infinite loop resulting in a denial of service.\n (CVE-2021-41079)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5360-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-30640\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-25122\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtomcat9-embed-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtomcat9-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat9-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat9-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat9-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat9-user\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('18.04' >< os_release || '20.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '18.04', 'pkgname': 'libtomcat9-embed-java', 'pkgver': '9.0.16-3ubuntu0.18.04.2'},\n {'osver': '18.04', 'pkgname': 'libtomcat9-java', 'pkgver': '9.0.16-3ubuntu0.18.04.2'},\n {'osver': '18.04', 'pkgname': 'tomcat9', 'pkgver': '9.0.16-3ubuntu0.18.04.2'},\n {'osver': '18.04', 'pkgname': 'tomcat9-admin', 'pkgver': '9.0.16-3ubuntu0.18.04.2'},\n {'osver': '18.04', 'pkgname': 'tomcat9-common', 'pkgver': '9.0.16-3ubuntu0.18.04.2'},\n {'osver': '18.04', 'pkgname': 'tomcat9-examples', 'pkgver': '9.0.16-3ubuntu0.18.04.2'},\n {'osver': '18.04', 'pkgname': 'tomcat9-user', 'pkgver': '9.0.16-3ubuntu0.18.04.2'},\n {'osver': '20.04', 'pkgname': 'libtomcat9-embed-java', 'pkgver': '9.0.31-1ubuntu0.2'},\n {'osver': '20.04', 'pkgname': 'libtomcat9-java', 'pkgver': '9.0.31-1ubuntu0.2'},\n {'osver': '20.04', 'pkgname': 'tomcat9', 'pkgver': '9.0.31-1ubuntu0.2'},\n {'osver': '20.04', 'pkgname': 'tomcat9-admin', 'pkgver': '9.0.31-1ubuntu0.2'},\n {'osver': '20.04', 'pkgname': 'tomcat9-common', 'pkgver': '9.0.31-1ubuntu0.2'},\n {'osver': '20.04', 'pkgname': 'tomcat9-examples', 'pkgver': '9.0.31-1ubuntu0.2'},\n {'osver': '20.04', 'pkgname': 'tomcat9-user', 'pkgver': '9.0.31-1ubuntu0.2'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libtomcat9-embed-java / libtomcat9-java / tomcat9 / tomcat9-admin / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:08:11", "description": "The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2021 CPU advisory. \n\n - Vulnerability in the Oracle Database - Enterprise Edition Security (Dell BSAFE Micro Edition Suite) component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Database - Enterprise Edition Security (Dell BSAFE Micro Edition Suite). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Database - Enterprise Edition Security (Dell BSAFE Micro Edition Suite) (CVE-2020-5360).\n\n - Vulnerability in the Workload Manager (Apache Tomcat) component of Oracle Database Server. Supported versions that are affected are 18c and 19c. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Workload Manager (Apache Tomcat). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Workload Manager (Apache Tomcat) accessible data (CVE-2020-17527).\n\n - Vulnerability in the Oracle Database - Enterprise Edition (Dell BSAFE Crypto-J) component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Database - Enterprise Edition (Dell BSAFE Crypto-J). Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Database - Enterprise Edition (Dell BSAFE Crypto-J) accessible data (CVE-2019-3740). \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-04-21T00:00:00", "type": "nessus", "title": "Oracle Database Server Multiple Vulnerabilities (Apr 2021 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-13943", "CVE-2020-17527", "CVE-2020-5359", "CVE-2020-5360", "CVE-2020-7760", "CVE-2020-9484", "CVE-2021-2173", "CVE-2021-2175", "CVE-2021-2207", "CVE-2021-2234", "CVE-2021-2245"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:oracle:database_server"], "id": "ORACLE_RDBMS_CPU_APR_2021.NASL", "href": "https://www.tenable.com/plugins/nessus/148894", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148894);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2019-3738\",\n \"CVE-2019-3739\",\n \"CVE-2019-3740\",\n \"CVE-2019-11358\",\n \"CVE-2020-5359\",\n \"CVE-2020-5360\",\n \"CVE-2020-7760\",\n \"CVE-2020-9484\",\n \"CVE-2020-11022\",\n \"CVE-2020-11023\",\n \"CVE-2020-13943\",\n \"CVE-2020-17527\",\n \"CVE-2021-2173\",\n \"CVE-2021-2175\",\n \"CVE-2021-2207\",\n \"CVE-2021-2234\",\n \"CVE-2021-2245\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0194-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0330-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle Database Server Multiple Vulnerabilities (Apr 2021 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a database server which is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as\nreferenced in the April 2021 CPU advisory. \n\n - Vulnerability in the Oracle Database - Enterprise Edition Security (Dell BSAFE Micro Edition Suite) \n component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c\n and 19c. Easily exploitable vulnerability allows unauthenticated attacker with network access via \n multiple protocols to compromise Oracle Database - Enterprise Edition Security (Dell BSAFE Micro Edition Suite). \n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently \n repeatable crash (complete DOS) of Oracle Database - Enterprise Edition Security (Dell BSAFE Micro Edition Suite) \n (CVE-2020-5360).\n\n - Vulnerability in the Workload Manager (Apache Tomcat) component of Oracle Database Server. Supported versions \n that are affected are 18c and 19c. Easily exploitable vulnerability allows unauthenticated attacker with network \n access via HTTP to compromise Workload Manager (Apache Tomcat). Successful attacks of this vulnerability can \n result in unauthorized access to critical data or complete access to all Workload Manager (Apache Tomcat) \n accessible data (CVE-2020-17527).\n\n - Vulnerability in the Oracle Database - Enterprise Edition (Dell BSAFE Crypto-J) component of Oracle Database \n Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Database - Enterprise \n Edition (Dell BSAFE Crypto-J). Successful attacks require human interaction from a person other than the attacker. \n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to \n all Oracle Database - Enterprise Edition (Dell BSAFE Crypto-J) accessible data (CVE-2019-3740). \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuapr2021cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuapr2021.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2021 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-5359\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-17527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:database_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_rdbms_query_patch_info.nbin\", \"oracle_rdbms_patch_info.nbin\");\n\n exit(0);\n}\n\ninclude('vcf_extras_oracle.inc');\n\napp_info = vcf::oracle_rdbms::get_app_info();\n\nconstraints = [\n # RDBMS:\n {'min_version': '19.0', 'fixed_version': '19.9.2.0.210420', 'missing_patch':'32421507', 'os':'unix', 'component':'db'},\n {'min_version': '19.0', 'fixed_version': '19.11.0.0.210420', 'missing_patch':'32409154', 'os':'win', 'component':'db'},\n {'min_version': '19.10', 'fixed_version': '19.10.1.0.210420', 'missing_patch':'32441092', 'os':'unix', 'component':'db'},\n {'min_version': '19.11', 'fixed_version': '19.11.0.0.210420', 'missing_patch':'32545013', 'os':'unix', 'component':'db'},\n \n {'min_version': '18.0', 'fixed_version': '18.12.2.0.210420', 'missing_patch':'32421478', 'os':'unix', 'component':'db'},\n {'min_version': '18.0', 'fixed_version': '18.14.0.0.210420', 'missing_patch':'32438481', 'os':'win', 'component':'db'},\n {'min_version': '18.13', 'fixed_version': '18.13.1.0.210420', 'missing_patch':'32451079', 'os':'unix', 'component':'db'},\n {'min_version': '18.14', 'fixed_version': '18.14.0.0.210420', 'missing_patch':'32524155', 'os':'unix', 'component':'db'},\n \n {'min_version': '12.2.0.1.0', 'fixed_version': '12.2.0.1.210420', 'missing_patch':'32507738', 'os':'unix', 'component':'db'},\n {'min_version': '12.2.0.1.0', 'fixed_version': '12.2.0.1.210420', 'missing_patch':'32392089', 'os':'win', 'component':'db'},\n\n {'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.210420', 'missing_patch':'32328635, 32328632', 'os':'unix', 'component':'db'},\n {'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.210420', 'missing_patch':'32396181', 'os':'win', 'component':'db'},\n \n # OJVM:\n {'min_version': '19.0', 'fixed_version': '19.11.0.0.210420', 'missing_patch':'32399816', 'os':'unix', 'component':'ojvm'},\n {'min_version': '19.0', 'fixed_version': '19.11.0.0.210420', 'missing_patch':'32399816', 'os':'win', 'component':'ojvm'},\n\n {'min_version': '18.0', 'fixed_version': '18.14.0.0.210420', 'missing_patch':'32552752', 'os':'unix', 'component':'ojvm'},\n {'min_version': '18.0', 'fixed_version': '18.14.0.0.210420', 'missing_patch':'32552752', 'os':'win', 'component':'ojvm'},\n\n {'min_version': '12.2.0.1.0', 'fixed_version': '12.2.0.1.210420', 'missing_patch':'32473172', 'os':'unix', 'component':'ojvm'},\n {'min_version': '12.2.0.1.0', 'fixed_version': '12.2.0.1.210420', 'missing_patch':'32427674', 'os':'win', 'component':'ojvm'},\n\n {'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.210420', 'missing_patch':'32473164', 'os':'unix', 'component':'ojvm'},\n {'min_version': '12.1.0.2.0', 'fixed_version': '12.1.0.2.210420', 'missing_patch':'32427683', 'os':'win', 'component':'ojvm'}\n \n];\n\nvcf::oracle_rdbms::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-24T16:06:39", "description": "The version of AOS installed on the remote host is prior to 5.19.0.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.19.0.5 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename. (CVE-2017-15715)\n\n - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).\n (CVE-2017-18190)\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included ssh_deletekeys: 0, disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks. (CVE-2018-10896)\n\n - In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications. (CVE-2018-1283)\n\n - A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.\n (CVE-2018-1303)\n\n - An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (CVE-2018-20836)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). (CVE-2018-20843)\n\n - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. (CVE-2019-10098)\n\n - libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the victim must open a specially crafted chm file. The fixed version is: after commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. (CVE-2019-1010305)\n\n - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system. (CVE-2019-14866)\n\n - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)\n\n - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16231)\n\n - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16233)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a. (CVE-2019-16994)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7. (CVE-2019-17053)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. (CVE-2019-18197)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)\n\n - Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113. (CVE-2019-19063)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. (CVE-2019-19126)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c. (CVE-2019-19447)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c. (CVE-2019-19537)\n\n - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163. (CVE-2019-19767)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring. (CVE-2019-19807)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. (CVE-2019-19956)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)\n\n - mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service. (CVE-2019-20095)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9458)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files.\n The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode. (CVE-2020-10690)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing. (CVE-2020-10751)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.\n (CVE-2020-10942)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue is a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat. (CVE-2020-12826)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. (CVE-2020-1749)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. (CVE-2020-1927)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. (CVE-2020-1934)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\n - cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.\n (CVE-2020-8631)\n\n - In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords. (CVE-2020-8632)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2. (CVE-2020-9383)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.19.0.5)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12652", "CVE-2017-15715", "CVE-2017-18190", "CVE-2017-18551", "CVE-2018-10896", "CVE-2018-1283", "CVE-2018-1303", "CVE-2018-20836", "CVE-2018-20843", "CVE-2019-10098", "CVE-2019-1010305", "CVE-2019-11068", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12450", "CVE-2019-12614", "CVE-2019-12749", "CVE-2019-14822", "CVE-2019-14866", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15903", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16935", "CVE-2019-16994", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-17498", "CVE-2019-18197", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19126", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-19956", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20386", "CVE-2019-20388", "CVE-2019-20636", "CVE-2019-20811", "CVE-2019-20907", "CVE-2019-2974", "CVE-2019-5094", "CVE-2019-5188", "CVE-2019-5482", "CVE-2019-8675", "CVE-2019-8696", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", "CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13943", "CVE-2020-14305", "CVE-2020-14331", "CVE-2020-14422", "CVE-2020-15999", "CVE-2020-1749", "CVE-2020-17527", "CVE-2020-1927", "CVE-2020-1934", "CVE-2020-2574", "CVE-2020-2732", "CVE-2020-2752", "CVE-2020-2780", "CVE-2020-2812", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8177", "CVE-2020-8492", "CVE-2020-8622", "CVE-2020-8623", "CVE-2020-8624", "CVE-2020-8631", "CVE-2020-8632", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383"], "modified": "2023-02-23T00:00:00", "cpe": ["cpe:/o:nutanix:aos"], "id": "NUTANIX_NXSA-AOS-5_19_0_5.NASL", "href": "https://www.tenable.com/plugins/nessus/164556", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164556);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/23\");\n\n script_cve_id(\n \"CVE-2017-12652\",\n \"CVE-2017-15715\",\n \"CVE-2017-18190\",\n \"CVE-2017-18551\",\n \"CVE-2018-1283\",\n \"CVE-2018-1303\",\n \"CVE-2018-10896\",\n \"CVE-2018-20836\",\n \"CVE-2018-20843\",\n \"CVE-2019-2974\",\n \"CVE-2019-5094\",\n \"CVE-2019-5188\",\n \"CVE-2019-5482\",\n \"CVE-2019-8675\",\n \"CVE-2019-8696\",\n \"CVE-2019-9454\",\n \"CVE-2019-9458\",\n \"CVE-2019-10098\",\n \"CVE-2019-11068\",\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-12450\",\n \"CVE-2019-12614\",\n \"CVE-2019-12749\",\n \"CVE-2019-14822\",\n \"CVE-2019-14866\",\n \"CVE-2019-15217\",\n \"CVE-2019-15807\",\n \"CVE-2019-15903\",\n \"CVE-2019-15917\",\n \"CVE-2019-16231\",\n \"CVE-2019-16233\",\n \"CVE-2019-16935\",\n \"CVE-2019-16994\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2019-17053\",\n \"CVE-2019-17055\",\n \"CVE-2019-17498\",\n \"CVE-2019-18197\",\n \"CVE-2019-18808\",\n \"CVE-2019-19046\",\n \"CVE-2019-19055\",\n \"CVE-2019-19058\",\n \"CVE-2019-19059\",\n \"CVE-2019-19062\",\n \"CVE-2019-19063\",\n \"CVE-2019-19126\",\n \"CVE-2019-19332\",\n \"CVE-2019-19447\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19530\",\n \"CVE-2019-19534\",\n \"CVE-2019-19537\",\n \"CVE-2019-19767\",\n \"CVE-2019-19807\",\n \"CVE-2019-19956\",\n \"CVE-2019-20054\",\n \"CVE-2019-20095\",\n \"CVE-2019-20386\",\n \"CVE-2019-20388\",\n \"CVE-2019-20636\",\n \"CVE-2019-20811\",\n \"CVE-2019-20907\",\n \"CVE-2019-1010305\",\n \"CVE-2020-1749\",\n \"CVE-2020-1927\",\n \"CVE-2020-1934\",\n \"CVE-2020-2574\",\n \"CVE-2020-2732\",\n \"CVE-2020-2752\",\n \"CVE-2020-2780\",\n \"CVE-2020-2812\",\n \"CVE-2020-6829\",\n \"CVE-2020-7595\",\n \"CVE-2020-8177\",\n \"CVE-2020-8492\",\n \"CVE-2020-8622\",\n \"CVE-2020-8623\",\n \"CVE-2020-8624\",\n \"CVE-2020-8631\",\n \"CVE-2020-8632\",\n \"CVE-2020-8647\",\n \"CVE-2020-8649\",\n \"CVE-2020-9383\",\n \"CVE-2020-10690\",\n \"CVE-2020-10732\",\n \"CVE-2020-10742\",\n \"CVE-2020-10751\",\n \"CVE-2020-10942\",\n \"CVE-2020-11565\",\n \"CVE-2020-12243\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\",\n \"CVE-2020-12770\",\n \"CVE-2020-12826\",\n \"CVE-2020-13943\",\n \"CVE-2020-14305\",\n \"CVE-2020-14331\",\n \"CVE-2020-14422\",\n \"CVE-2020-15999\",\n \"CVE-2020-17527\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0124\");\n\n script_name(english:\"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.19.0.5)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AOS host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AOS installed on the remote host is prior to 5.19.0.5. It is, therefore, affected by multiple\nvulnerabilities as referenced in the NXSA-AOS-5.19.0.5 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline\n character in a malicious filename, rather than matching only the end of the filename. This could be\n exploited in environments where uploads of some files are are externally blocked, but only by matching the\n trailing portion of the filename. (CVE-2017-15715)\n\n - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows\n remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in\n conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither\n the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).\n (CVE-2017-18190)\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an\n out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included ssh_deletekeys: 0,\n disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances\n created by cloning a golden master or template system, sharing ssh host keys, and being able to\n impersonate one another or conduct man-in-the-middle attacks. (CVE-2018-10896)\n\n - In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI\n applications (SessionEnv on, not the default), a remote user may influence their content by using a\n Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data\n to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per\n CGI specifications. (CVE-2018-1283)\n\n - A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30\n due to an out of bound read while preparing data to be cached in shared memory. It could be used as a\n Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk\n since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.\n (CVE-2018-1303)\n\n - An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout()\n and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (CVE-2018-20836)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons\n could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be\n usable for denial-of-service attacks). (CVE-2018-20843)\n\n - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be\n self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the\n request URL. (CVE-2019-10098)\n\n - libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component\n is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the\n victim must open a specially crafted chm file. The fixed version is: after commit\n 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. (CVE-2019-1010305)\n\n - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and\n xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a\n crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger\n an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information\n disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign\n CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in\n CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This\n vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file\n permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux\n kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause\n a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical\n Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of\n symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only\n affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own\n home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to\n read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a\n cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent\n client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and\n send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A\n local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical\n interface, change the input method engine, or modify other input related configurations of the victim\n user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may\n contain files with permissions the attacker did not have or in paths he did not have access to. Extracting\n those archives from a high-privilege user without carefully reviewing them may lead to the compromise of\n the system. (CVE-2019-14866)\n\n - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a\n malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)\n\n - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS\n expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to\n document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)\n then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when\n hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. (CVE-2019-16231)\n\n - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. (CVE-2019-16233)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has\n XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in\n Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary\n JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when\n register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka\n CID-07f12b26e21a. (CVE-2019-16994)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length\n checks. In cases where the application calling the library did not perform a sanity check on the inputs it\n could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel\n through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket,\n aka CID-e69dbd4619e7. (CVE-2019-17053)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through\n 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka\n CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow\n in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent\n memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of\n service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain\n circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds\n check could fail and memory outside a buffer could be written to, or uninitialized data could be\n disclosed. (CVE-2019-18197)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel\n through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of\n this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of\n this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux\n kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)\n\n - Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in\n drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow\n attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or\n dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through\n 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the\n Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka\n CID-3f9361695113. (CVE-2019-19063)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the\n LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition,\n allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass\n ASLR for a setuid program. (CVE-2019-19126)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way\n the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID\n features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use\n this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and\n unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list\n in fs/ext4/super.c. (CVE-2019-19447)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device\n in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB\n device in the USB character device driver layer, aka CID-303911cfc5b9. This affects\n drivers/usb/core/file.c. (CVE-2019-19537)\n\n - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors\n in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka\n CID-4ea99936a163. (CVE-2019-19767)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code\n refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The\n timeri variable was originally intended to be for a newly created timer instance, but was used for a\n different purpose after refactoring. (CVE-2019-19807)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to\n newDoc->oldNs. (CVE-2019-19956)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in\n fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)\n\n - mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has\n some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will\n cause a memory leak and denial of service. (CVE-2019-20095)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the\n udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode\n table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an\n infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported\n versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A\n specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave\n 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a\n privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could\n lead to local escalation of privilege with no additional execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9458)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of\n ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device\n file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed,\n it can cause an exploitable condition as the process wakes up to terminate and clean all attached files.\n The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the\n inode. (CVE-2020-10690)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an\n attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS\n client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause\n a kernel panic. The highest threat from this vulnerability is to data confidentiality and system\n availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it\n incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly\n only validate the first netlink message in the skb and allow or deny the rest of the messages within the\n skb with the granted permission without further processing. (CVE-2020-10751)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family\n field, which might allow attackers to trigger kernel stack corruption via crafted system calls.\n (CVE-2020-10942)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c\n has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing,\n aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability\n because the issue is a bug in parsing mount options which can only be specified by a privileged user, so\n triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can\n result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant\n time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80\n and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar\n multiplication was removed, resulting in variable-time execution dependent on secret data. This\n vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using\n multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling\n multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest\n threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a\n certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a\n do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in\n a different security domain. Exploitation limitations include the amount of elapsed time before an integer\n overflow occurs, and the lack of scenarios where signals to a parent process present a substantial\n operational threat. (CVE-2020-12826)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to\n 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the\n HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP\n headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This\n could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection\n tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote\n user to crash the system, causing a denial of service. The highest threat from this vulnerability is to\n confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a\n local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds\n write to occur. This flaw allows a local user with access to the VGA console to crash the system,\n potentially escalating their privileges on the system. The highest threat from this vulnerability is to\n data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and\n IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application\n is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this\n attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN\n and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't\n correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would\n allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this\n vulnerability is to data confidentiality. (CVE-2020-1749)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on\n an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely\n lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak\n between requests. (CVE-2020-17527)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be\n self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within\n the request URL. (CVE-2020-1927)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a\n malicious FTP server. (CVE-2020-1934)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest\n when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into\n accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability\n allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions\n that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported\n versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows high privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which\n leaked partial information about the nonce used during signature generation. Given an electro-magnetic\n trace of a few signature generations, the private key could have been computed. This vulnerability affects\n Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file\n situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources\n that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1\n allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client\n because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating\n the server receiving the TSIG-signed request, could send a truncated response to that request, triggering\n an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to\n correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and\n message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted\n query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from\n a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also\n affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An\n attacker who has been granted privileges to change a specific subset of the zone's content could abuse\n these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\n - cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for\n attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.\n (CVE-2020-8631)\n\n - In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default\n pwlen value, which makes it easier for attackers to guess passwords. (CVE-2020-8632)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in\n drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region\n function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to\n a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it,\n aka CID-2e90ca68b0d2. (CVE-2020-9383)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AOS-5.19.0.5\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fb66440b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AOS software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-5482\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:aos\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/lts\", \"Host/Nutanix/Data/Service\", \"Host/Nutanix/Data/Version\", \"Host/Nutanix/Data/arch\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '5.19.0.5', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 5.19.0.5 or higher.', 'lts' : FALSE },\n { 'fixed_version' : '5.19.0.5', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 5.19.0.5 or higher.', 'lts' : FALSE }\n];\n\nvcf::nutanix::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:37", "description": "The version of AOS installed on the remote host is prior to 5.15.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.15.5 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename. (CVE-2017-15715)\n\n - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).\n (CVE-2017-18190)\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included ssh_deletekeys: 0, disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks. (CVE-2018-10896)\n\n - In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications. (CVE-2018-1283)\n\n - A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.\n (CVE-2018-1303)\n\n - An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (CVE-2018-20836)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). (CVE-2018-20843)\n\n - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. (CVE-2019-10098)\n\n - libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the victim must open a specially crafted chm file. The fixed version is: after commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. (CVE-2019-1010305)\n\n - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system. (CVE-2019-14866)\n\n - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)\n\n - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16231)\n\n - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16233)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a. (CVE-2019-16994)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7. (CVE-2019-17053)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. (CVE-2019-18197)\n\n - The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value remains the same starting from boot time, and can be inferred by an attacker. This affects net/core/flow_dissector.c and related code. (CVE-2019-18282)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)\n\n - Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113. (CVE-2019-19063)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. (CVE-2019-19126)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c. (CVE-2019-19447)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c. (CVE-2019-19537)\n\n - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163. (CVE-2019-19767)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring. (CVE-2019-19807)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. (CVE-2019-19956)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)\n\n - mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service. (CVE-2019-20095)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9458)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files.\n The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode. (CVE-2020-10690)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing. (CVE-2020-10751)\n\n - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of service. (CVE-2020-10769)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.\n (CVE-2020-10942)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue is a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat. (CVE-2020-12826)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14314)\n\n - A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\n - A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14385)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14782, CVE-2020-14797)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.\n (CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14796)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14803)\n\n - Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root. (CVE-2020-15862)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. (CVE-2020-1749)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. (CVE-2020-1927)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. (CVE-2020-1934)\n\n - The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified.\n OpenSSL's s_server, s_client and verify tools have support for the -crl_download option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue.\n Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). (CVE-2020-1971)\n\n - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the current umask is not considered. (CVE-2020-24394)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)\n\n - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25643)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\n - cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.\n (CVE-2020-8631)\n\n - In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords. (CVE-2020-8632)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2. (CVE-2020-9383)\n\n - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character. (CVE-2021-3156)\n\n - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command without authentication. Successful exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.15.5)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12652", "CVE-2017-15715", "CVE-2017-18190", "CVE-2017-18551", "CVE-2018-10896", "CVE-2018-1283", "CVE-2018-1303", "CVE-2018-20836", "CVE-2018-20843", "CVE-2019-10098", "CVE-2019-1010305", "CVE-2019-11068", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12450", "CVE-2019-12614", "CVE-2019-12749", "CVE-2019-14822", "CVE-2019-14866", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15903", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16935", "CVE-2019-16994", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-17498", "CVE-2019-18197", "CVE-2019-18282", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19126", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-19956", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20386", "CVE-2019-20388", "CVE-2019-20636", "CVE-2019-20811", "CVE-2019-20907", "CVE-2019-2974", "CVE-2019-5094", "CVE-2019-5188", "CVE-2019-5482", "CVE-2019-8675", "CVE-2019-8696", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", "CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10769", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13943", "CVE-2020-14305", "CVE-2020-14314", "CVE-2020-14331", "CVE-2020-14385", "CVE-2020-14422", "CVE-2020-14779", "CVE-2020-14781", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-14796", "CVE-2020-14797", "CVE-2020-14803", "CVE-2020-15862", "CVE-2020-15999", "CVE-2020-1749", "CVE-2020-17527", "CVE-2020-1927", "CVE-2020-1934", "CVE-2020-1971", "CVE-2020-24394", "CVE-2020-25212", "CVE-2020-25643", "CVE-2020-2574", "CVE-2020-2732", "CVE-2020-2752", "CVE-2020-2780", "CVE-2020-2812", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8177", "CVE-2020-8492", "CVE-2020-8622", "CVE-2020-8623", "CVE-2020-8624", "CVE-2020-8631", "CVE-2020-8632", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383", "CVE-2021-3156"], "modified": "2023-02-23T00:00:00", "cpe": ["cpe:/o:nutanix:aos"], "id": "NUTANIX_NXSA-AOS-5_15_5.NASL", "href": "https://www.tenable.com/plugins/nessus/164599", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164599);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/23\");\n\n script_cve_id(\n \"CVE-2017-12652\",\n \"CVE-2017-15715\",\n \"CVE-2017-18190\",\n \"CVE-2017-18551\",\n \"CVE-2018-1283\",\n \"CVE-2018-1303\",\n \"CVE-2018-10896\",\n \"CVE-2018-20836\",\n \"CVE-2018-20843\",\n \"CVE-2019-2974\",\n \"CVE-2019-5094\",\n \"CVE-2019-5188\",\n \"CVE-2019-5482\",\n \"CVE-2019-8675\",\n \"CVE-2019-8696\",\n \"CVE-2019-9454\",\n \"CVE-2019-9458\",\n \"CVE-2019-10098\",\n \"CVE-2019-11068\",\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-12450\",\n \"CVE-2019-12614\",\n \"CVE-2019-12749\",\n \"CVE-2019-14822\",\n \"CVE-2019-14866\",\n \"CVE-2019-15217\",\n \"CVE-2019-15807\",\n \"CVE-2019-15903\",\n \"CVE-2019-15917\",\n \"CVE-2019-16231\",\n \"CVE-2019-16233\",\n \"CVE-2019-16935\",\n \"CVE-2019-16994\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2019-17053\",\n \"CVE-2019-17055\",\n \"CVE-2019-17498\",\n \"CVE-2019-18197\",\n \"CVE-2019-18282\",\n \"CVE-2019-18808\",\n \"CVE-2019-19046\",\n \"CVE-2019-19055\",\n \"CVE-2019-19058\",\n \"CVE-2019-19059\",\n \"CVE-2019-19062\",\n \"CVE-2019-19063\",\n \"CVE-2019-19126\",\n \"CVE-2019-19332\",\n \"CVE-2019-19447\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19530\",\n \"CVE-2019-19534\",\n \"CVE-2019-19537\",\n \"CVE-2019-19767\",\n \"CVE-2019-19807\",\n \"CVE-2019-19956\",\n \"CVE-2019-20054\",\n \"CVE-2019-20095\",\n \"CVE-2019-20386\",\n \"CVE-2019-20388\",\n \"CVE-2019-20636\",\n \"CVE-2019-20811\",\n \"CVE-2019-20907\",\n \"CVE-2019-1010305\",\n \"CVE-2020-1749\",\n \"CVE-2020-1927\",\n \"CVE-2020-1934\",\n \"CVE-2020-1971\",\n \"CVE-2020-2574\",\n \"CVE-2020-2732\",\n \"CVE-2020-2752\",\n \"CVE-2020-2780\",\n \"CVE-2020-2812\",\n \"CVE-2020-6829\",\n \"CVE-2020-7595\",\n \"CVE-2020-8177\",\n \"CVE-2020-8492\",\n \"CVE-2020-8622\",\n \"CVE-2020-8623\",\n \"CVE-2020-8624\",\n \"CVE-2020-8631\",\n \"CVE-2020-8632\",\n \"CVE-2020-8647\",\n \"CVE-2020-8649\",\n \"CVE-2020-9383\",\n \"CVE-2020-10690\",\n \"CVE-2020-10732\",\n \"CVE-2020-10742\",\n \"CVE-2020-10751\",\n \"CVE-2020-10769\",\n \"CVE-2020-10942\",\n \"CVE-2020-11565\",\n \"CVE-2020-12243\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\",\n \"CVE-2020-12770\",\n \"CVE-2020-12826\",\n \"CVE-2020-13943\",\n \"CVE-2020-14305\",\n \"CVE-2020-14314\",\n \"CVE-2020-14331\",\n \"CVE-2020-14385\",\n \"CVE-2020-14422\",\n \"CVE-2020-14779\",\n \"CVE-2020-14781\",\n \"CVE-2020-14782\",\n \"CVE-2020-14792\",\n \"CVE-2020-14796\",\n \"CVE-2020-14797\",\n \"CVE-2020-14803\",\n \"CVE-2020-15862\",\n \"CVE-2020-15999\",\n \"CVE-2020-17527\",\n \"CVE-2020-24394\",\n \"CVE-2020-25212\",\n \"CVE-2020-25643\",\n \"CVE-2021-3156\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/27\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0124\");\n\n script_name(english:\"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.15.5)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AOS host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AOS installed on the remote host is prior to 5.15.5. It is, therefore, affected by multiple\nvulnerabilities as referenced in the NXSA-AOS-5.15.5 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline\n character in a malicious filename, rather than matching only the end of the filename. This could be\n exploited in environments where uploads of some files are are externally blocked, but only by matching the\n trailing portion of the filename. (CVE-2017-15715)\n\n - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows\n remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in\n conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither\n the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).\n (CVE-2017-18190)\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an\n out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included ssh_deletekeys: 0,\n disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances\n created by cloning a golden master or template system, sharing ssh host keys, and being able to\n impersonate one another or conduct man-in-the-middle attacks. (CVE-2018-10896)\n\n - In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI\n applications (SessionEnv on, not the default), a remote user may influence their content by using a\n Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data\n to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per\n CGI specifications. (CVE-2018-1283)\n\n - A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30\n due to an out of bound read while preparing data to be cached in shared memory. It could be used as a\n Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk\n since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.\n (CVE-2018-1303)\n\n - An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout()\n and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (CVE-2018-20836)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons\n could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be\n usable for denial-of-service attacks). (CVE-2018-20843)\n\n - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be\n self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the\n request URL. (CVE-2019-10098)\n\n - libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component\n is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the\n victim must open a specially crafted chm file. The fixed version is: after commit\n 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. (CVE-2019-1010305)\n\n - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and\n xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a\n crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger\n an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information\n disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign\n CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in\n CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This\n vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file\n permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux\n kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause\n a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical\n Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of\n symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only\n affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own\n home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to\n read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a\n cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent\n client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and\n send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A\n local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical\n interface, change the input method engine, or modify other input related configurations of the victim\n user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may\n contain files with permissions the attacker did not have or in paths he did not have access to. Extracting\n those archives from a high-privilege user without carefully reviewing them may lead to the compromise of\n the system. (CVE-2019-14866)\n\n - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a\n malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)\n\n - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS\n expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to\n document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)\n then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when\n hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. (CVE-2019-16231)\n\n - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. (CVE-2019-16233)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has\n XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in\n Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary\n JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when\n register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka\n CID-07f12b26e21a. (CVE-2019-16994)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length\n checks. In cases where the application calling the library did not perform a sanity check on the inputs it\n could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel\n through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket,\n aka CID-e69dbd4619e7. (CVE-2019-17053)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through\n 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka\n CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow\n in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent\n memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of\n service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain\n circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds\n check could fail and memory outside a buffer could be written to, or uninitialized data could be\n disclosed. (CVE-2019-18197)\n\n - The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking\n vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on\n a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value\n remains the same starting from boot time, and can be inferred by an attacker. This affects\n net/core/flow_dissector.c and related code. (CVE-2019-18282)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel\n through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of\n this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of\n this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux\n kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)\n\n - Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in\n drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow\n attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or\n dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through\n 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the\n Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka\n CID-3f9361695113. (CVE-2019-19063)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the\n LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition,\n allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass\n ASLR for a setuid program. (CVE-2019-19126)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way\n the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID\n features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use\n this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and\n unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list\n in fs/ext4/super.c. (CVE-2019-19447)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device\n in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB\n device in the USB character device driver layer, aka CID-303911cfc5b9. This affects\n drivers/usb/core/file.c. (CVE-2019-19537)\n\n - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors\n in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka\n CID-4ea99936a163. (CVE-2019-19767)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code\n refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The\n timeri variable was originally intended to be for a newly created timer instance, but was used for a\n different purpose after refactoring. (CVE-2019-19807)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to\n newDoc->oldNs. (CVE-2019-19956)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in\n fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)\n\n - mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has\n some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will\n cause a memory leak and denial of service. (CVE-2019-20095)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the\n udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode\n table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an\n infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported\n versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A\n specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave\n 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a\n privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could\n lead to local escalation of privilege with no additional execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9458)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of\n ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device\n file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed,\n it can cause an exploitable condition as the process wakes up to terminate and clean all attached files.\n The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the\n inode. (CVE-2020-10690)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an\n attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS\n client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause\n a kernel panic. The highest threat from this vulnerability is to data confidentiality and system\n availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it\n incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly\n only validate the first netlink message in the skb and allow or deny the rest of the messages within the\n skb with the granted permission without further processing. (CVE-2020-10751)\n\n - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in\n crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4\n bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat,\n leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of\n service. (CVE-2020-10769)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family\n field, which might allow attackers to trigger kernel stack corruption via crafted system calls.\n (CVE-2020-10942)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c\n has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing,\n aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability\n because the issue is a bug in parsing mount options which can only be specified by a privileged user, so\n triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can\n result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant\n time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80\n and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar\n multiplication was removed, resulting in variable-time execution dependent on secret data. This\n vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using\n multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling\n multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest\n threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a\n certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a\n do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in\n a different security domain. Exploitation limitations include the amount of elapsed time before an integer\n overflow occurs, and the lack of scenarios where signals to a parent process present a substantial\n operational threat. (CVE-2020-12826)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to\n 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the\n HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP\n headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This\n could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection\n tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote\n user to crash the system, causing a denial of service. The highest threat from this vulnerability is to\n confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file\n system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash\n the system if the directory exists. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14314)\n\n - A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a\n local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds\n write to occur. This flaw allows a local user with access to the VGA console to crash the system,\n potentially escalating their privileges on the system. The highest threat from this vulnerability is to\n data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\n - A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in\n XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can\n lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading\n to a denial of service. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14385)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and\n IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application\n is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this\n attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. (CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. (CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. (CVE-2020-14782, CVE-2020-14797)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or\n delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of\n Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java\n applets. It can also be exploited by supplying data to APIs in the specified Component without using\n sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.\n (CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a\n subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability does not apply to Java deployments, typically in servers, that load and run\n only trusted code (e.g., code installed by an administrator). (CVE-2020-14796)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability\n applies to Java deployments, typically in clients running sandboxed Java Web Start applications or\n sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and\n rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in\n servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14803)\n\n - Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB\n provides the ability to run arbitrary commands as root. (CVE-2020-15862)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN\n and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't\n correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would\n allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this\n vulnerability is to data confidentiality. (CVE-2020-1749)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on\n an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely\n lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak\n between requests. (CVE-2020-17527)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be\n self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within\n the request URL. (CVE-2020-1927)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a\n malicious FTP server. (CVE-2020-1934)\n\n - The X.509 GeneralName type is a generic type for representing different types of names. One of those name\n types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different\n instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both\n GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a\n possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1)\n Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in\n an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp\n authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an\n attacker can control both items being compared then that attacker could trigger a crash. For example if\n the attacker can trick a client or server into checking a malicious certificate against a malicious CRL\n then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a\n certificate. This checking happens prior to the signatures on the certificate and CRL being verified.\n OpenSSL's s_server, s_client and verify tools have support for the -crl_download option which implements\n automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an\n unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of\n EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will\n accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue.\n Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected\n 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). (CVE-2020-1971)\n\n - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new\n filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the\n current umask is not considered. (CVE-2020-24394)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers\n to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c\n instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)\n\n - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption\n and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause\n the system to crash or cause a denial of service. The highest threat from this vulnerability is to data\n confidentiality and integrity as well as system availability. (CVE-2020-25643)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest\n when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into\n accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability\n allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions\n that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported\n versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows high privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which\n leaked partial information about the nonce used during signature generation. Given an electro-magnetic\n trace of a few signature generations, the private key could have been computed. This vulnerability affects\n Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file\n situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources\n that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1\n allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client\n because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating\n the server receiving the TSIG-signed request, could send a truncated response to that request, triggering\n an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to\n correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and\n message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted\n query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from\n a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also\n affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An\n attacker who has been granted privileges to change a specific subset of the zone's content could abuse\n these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\n - cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for\n attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.\n (CVE-2020-8631)\n\n - In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default\n pwlen value, which makes it easier for attackers to guess passwords. (CVE-2020-8632)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in\n drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region\n function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to\n a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it,\n aka CID-2e90ca68b0d2. (CVE-2020-9383)\n\n - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which\n allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single\n backslash character. (CVE-2021-3156)\n\n - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is\n exploitable by any local user who can execute the sudo command without authentication. Successful\n exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AOS-5.15.5\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3d45c0ac\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AOS software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-5482\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:aos\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/lts\", \"Host/Nutanix/Data/Service\", \"Host/Nutanix/Data/Version\", \"Host/Nutanix/Data/arch\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '5.15.5', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 5.15.5 or higher.', 'lts' : TRUE },\n { 'fixed_version' : '5.15.5', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 5.15.5 or higher.', 'lts' : TRUE }\n];\n\nvcf::nutanix::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:12", "description": "The version of AOS installed on the remote host is prior to 5.19.1. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.19.1 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename. (CVE-2017-15715)\n\n - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).\n (CVE-2017-18190)\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included ssh_deletekeys: 0, disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks. (CVE-2018-10896)\n\n - In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications. (CVE-2018-1283)\n\n - A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.\n (CVE-2018-1303)\n\n - An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (CVE-2018-20836)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). (CVE-2018-20843)\n\n - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. (CVE-2019-10098)\n\n - libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the victim must open a specially crafted chm file. The fixed version is: after commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. (CVE-2019-1010305)\n\n - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system. (CVE-2019-14866)\n\n - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)\n\n - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16231)\n\n - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16233)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a. (CVE-2019-16994)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7. (CVE-2019-17053)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. (CVE-2019-18197)\n\n - The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value remains the same starting from boot time, and can be inferred by an attacker. This affects net/core/flow_dissector.c and related code. (CVE-2019-18282)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)\n\n - Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113. (CVE-2019-19063)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. (CVE-2019-19126)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c. (CVE-2019-19447)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c. (CVE-2019-19537)\n\n - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163. (CVE-2019-19767)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring. (CVE-2019-19807)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. (CVE-2019-19956)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)\n\n - mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service. (CVE-2019-20095)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9458)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files.\n The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode. (CVE-2020-10690)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing. (CVE-2020-10751)\n\n - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of service. (CVE-2020-10769)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.\n (CVE-2020-10942)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue is a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat. (CVE-2020-12826)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14314)\n\n - A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\n - A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14385)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14782, CVE-2020-14797)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.\n (CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14796)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14803)\n\n - Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root. (CVE-2020-15862)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. (CVE-2020-1749)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. (CVE-2020-1927)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. (CVE-2020-1934)\n\n - The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified.\n OpenSSL's s_server, s_client and verify tools have support for the -crl_download option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue.\n Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). (CVE-2020-1971)\n\n - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the current umask is not considered. (CVE-2020-24394)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)\n\n - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25643)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\n - cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.\n (CVE-2020-8631)\n\n - In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords. (CVE-2020-8632)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2. (CVE-2020-9383)\n\n - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character. (CVE-2021-3156)\n\n - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command without authentication. Successful exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.19.1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12652", "CVE-2017-15715", "CVE-2017-18190", "CVE-2017-18551", "CVE-2018-10896", "CVE-2018-1283", "CVE-2018-1303", "CVE-2018-20836", "CVE-2018-20843", "CVE-2019-10098", "CVE-2019-1010305", "CVE-2019-11068", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12450", "CVE-2019-12614", "CVE-2019-12749", "CVE-2019-14822", "CVE-2019-14866", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15903", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16935", "CVE-2019-16994", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-17498", "CVE-2019-18197", "CVE-2019-18282", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19126", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-19956", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20386", "CVE-2019-20388", "CVE-2019-20636", "CVE-2019-20811", "CVE-2019-20907", "CVE-2019-2974", "CVE-2019-5094", "CVE-2019-5188", "CVE-2019-5482", "CVE-2019-8675", "CVE-2019-8696", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", "CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10769", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13943", "CVE-2020-14305", "CVE-2020-14314", "CVE-2020-14331", "CVE-2020-14385", "CVE-2020-14422", "CVE-2020-14779", "CVE-2020-14781", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-14796", "CVE-2020-14797", "CVE-2020-14803", "CVE-2020-15862", "CVE-2020-15999", "CVE-2020-1749", "CVE-2020-17527", "CVE-2020-1927", "CVE-2020-1934", "CVE-2020-1971", "CVE-2020-24394", "CVE-2020-25212", "CVE-2020-25643", "CVE-2020-2574", "CVE-2020-2732", "CVE-2020-2752", "CVE-2020-2780", "CVE-2020-2812", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8177", "CVE-2020-8492", "CVE-2020-8622", "CVE-2020-8623", "CVE-2020-8624", "CVE-2020-8631", "CVE-2020-8632", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383", "CVE-2021-3156"], "modified": "2023-02-23T00:00:00", "cpe": ["cpe:/o:nutanix:aos"], "id": "NUTANIX_NXSA-AOS-5_19_1.NASL", "href": "https://www.tenable.com/plugins/nessus/164584", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164584);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/23\");\n\n script_cve_id(\n \"CVE-2017-12652\",\n \"CVE-2017-15715\",\n \"CVE-2017-18190\",\n \"CVE-2017-18551\",\n \"CVE-2018-1283\",\n \"CVE-2018-1303\",\n \"CVE-2018-10896\",\n \"CVE-2018-20836\",\n \"CVE-2018-20843\",\n \"CVE-2019-2974\",\n \"CVE-2019-5094\",\n \"CVE-2019-5188\",\n \"CVE-2019-5482\",\n \"CVE-2019-8675\",\n \"CVE-2019-8696\",\n \"CVE-2019-9454\",\n \"CVE-2019-9458\",\n \"CVE-2019-10098\",\n \"CVE-2019-11068\",\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-12450\",\n \"CVE-2019-12614\",\n \"CVE-2019-12749\",\n \"CVE-2019-14822\",\n \"CVE-2019-14866\",\n \"CVE-2019-15217\",\n \"CVE-2019-15807\",\n \"CVE-2019-15903\",\n \"CVE-2019-15917\",\n \"CVE-2019-16231\",\n \"CVE-2019-16233\",\n \"CVE-2019-16935\",\n \"CVE-2019-16994\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2019-17053\",\n \"CVE-2019-17055\",\n \"CVE-2019-17498\",\n \"CVE-2019-18197\",\n \"CVE-2019-18282\",\n \"CVE-2019-18808\",\n \"CVE-2019-19046\",\n \"CVE-2019-19055\",\n \"CVE-2019-19058\",\n \"CVE-2019-19059\",\n \"CVE-2019-19062\",\n \"CVE-2019-19063\",\n \"CVE-2019-19126\",\n \"CVE-2019-19332\",\n \"CVE-2019-19447\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19530\",\n \"CVE-2019-19534\",\n \"CVE-2019-19537\",\n \"CVE-2019-19767\",\n \"CVE-2019-19807\",\n \"CVE-2019-19956\",\n \"CVE-2019-20054\",\n \"CVE-2019-20095\",\n \"CVE-2019-20386\",\n \"CVE-2019-20388\",\n \"CVE-2019-20636\",\n \"CVE-2019-20811\",\n \"CVE-2019-20907\",\n \"CVE-2019-1010305\",\n \"CVE-2020-1749\",\n \"CVE-2020-1927\",\n \"CVE-2020-1934\",\n \"CVE-2020-1971\",\n \"CVE-2020-2574\",\n \"CVE-2020-2732\",\n \"CVE-2020-2752\",\n \"CVE-2020-2780\",\n \"CVE-2020-2812\",\n \"CVE-2020-6829\",\n \"CVE-2020-7595\",\n \"CVE-2020-8177\",\n \"CVE-2020-8492\",\n \"CVE-2020-8622\",\n \"CVE-2020-8623\",\n \"CVE-2020-8624\",\n \"CVE-2020-8631\",\n \"CVE-2020-8632\",\n \"CVE-2020-8647\",\n \"CVE-2020-8649\",\n \"CVE-2020-9383\",\n \"CVE-2020-10690\",\n \"CVE-2020-10732\",\n \"CVE-2020-10742\",\n \"CVE-2020-10751\",\n \"CVE-2020-10769\",\n \"CVE-2020-10942\",\n \"CVE-2020-11565\",\n \"CVE-2020-12243\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\",\n \"CVE-2020-12770\",\n \"CVE-2020-12826\",\n \"CVE-2020-13943\",\n \"CVE-2020-14305\",\n \"CVE-2020-14314\",\n \"CVE-2020-14331\",\n \"CVE-2020-14385\",\n \"CVE-2020-14422\",\n \"CVE-2020-14779\",\n \"CVE-2020-14781\",\n \"CVE-2020-14782\",\n \"CVE-2020-14792\",\n \"CVE-2020-14796\",\n \"CVE-2020-14797\",\n \"CVE-2020-14803\",\n \"CVE-2020-15862\",\n \"CVE-2020-15999\",\n \"CVE-2020-17527\",\n \"CVE-2020-24394\",\n \"CVE-2020-25212\",\n \"CVE-2020-25643\",\n \"CVE-2021-3156\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/27\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0124\");\n\n script_name(english:\"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.19.1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AOS host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AOS installed on the remote host is prior to 5.19.1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the NXSA-AOS-5.19.1 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline\n character in a malicious filename, rather than matching only the end of the filename. This could be\n exploited in environments where uploads of some files are are externally blocked, but only by matching the\n trailing portion of the filename. (CVE-2017-15715)\n\n - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows\n remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in\n conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither\n the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).\n (CVE-2017-18190)\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an\n out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included ssh_deletekeys: 0,\n disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances\n created by cloning a golden master or template system, sharing ssh host keys, and being able to\n impersonate one another or conduct man-in-the-middle attacks. (CVE-2018-10896)\n\n - In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI\n applications (SessionEnv on, not the default), a remote user may influence their content by using a\n Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data\n to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per\n CGI specifications. (CVE-2018-1283)\n\n - A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30\n due to an out of bound read while preparing data to be cached in shared memory. It could be used as a\n Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk\n since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.\n (CVE-2018-1303)\n\n - An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout()\n and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (CVE-2018-20836)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons\n could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be\n usable for denial-of-service attacks). (CVE-2018-20843)\n\n - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be\n self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the\n request URL. (CVE-2019-10098)\n\n - libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component\n is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the\n victim must open a specially crafted chm file. The fixed version is: after commit\n 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. (CVE-2019-1010305)\n\n - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and\n xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a\n crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger\n an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information\n disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign\n CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in\n CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This\n vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file\n permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux\n kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause\n a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical\n Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of\n symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only\n affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own\n home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to\n read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a\n cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent\n client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and\n send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A\n local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical\n interface, change the input method engine, or modify other input related configurations of the victim\n user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may\n contain files with permissions the attacker did not have or in paths he did not have access to. Extracting\n those archives from a high-privilege user without carefully reviewing them may lead to the compromise of\n the system. (CVE-2019-14866)\n\n - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a\n malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)\n\n - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS\n expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to\n document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)\n then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when\n hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. (CVE-2019-16231)\n\n - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. (CVE-2019-16233)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has\n XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in\n Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary\n JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when\n register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka\n CID-07f12b26e21a. (CVE-2019-16994)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length\n checks. In cases where the application calling the library did not perform a sanity check on the inputs it\n could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel\n through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket,\n aka CID-e69dbd4619e7. (CVE-2019-17053)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through\n 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka\n CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow\n in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent\n memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of\n service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain\n circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds\n check could fail and memory outside a buffer could be written to, or uninitialized data could be\n disclosed. (CVE-2019-18197)\n\n - The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking\n vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on\n a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value\n remains the same starting from boot time, and can be inferred by an attacker. This affects\n net/core/flow_dissector.c and related code. (CVE-2019-18282)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel\n through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of\n this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of\n this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux\n kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)\n\n - Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in\n drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow\n attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or\n dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through\n 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the\n Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka\n CID-3f9361695113. (CVE-2019-19063)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the\n LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition,\n allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass\n ASLR for a setuid program. (CVE-2019-19126)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way\n the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID\n features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use\n this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and\n unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list\n in fs/ext4/super.c. (CVE-2019-19447)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device\n in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB\n device in the USB character device driver layer, aka CID-303911cfc5b9. This affects\n drivers/usb/core/file.c. (CVE-2019-19537)\n\n - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors\n in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka\n CID-4ea99936a163. (CVE-2019-19767)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code\n refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The\n timeri variable was originally intended to be for a newly created timer instance, but was used for a\n different purpose after refactoring. (CVE-2019-19807)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to\n newDoc->oldNs. (CVE-2019-19956)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in\n fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)\n\n - mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has\n some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will\n cause a memory leak and denial of service. (CVE-2019-20095)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the\n udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode\n table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an\n infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported\n versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A\n specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave\n 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a\n privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could\n lead to local escalation of privilege with no additional execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9458)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of\n ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device\n file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed,\n it can cause an exploitable condition as the process wakes up to terminate and clean all attached files.\n The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the\n inode. (CVE-2020-10690)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an\n attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS\n client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause\n a kernel panic. The highest threat from this vulnerability is to data confidentiality and system\n availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it\n incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly\n only validate the first netlink message in the skb and allow or deny the rest of the messages within the\n skb with the granted permission without further processing. (CVE-2020-10751)\n\n - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in\n crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4\n bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat,\n leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of\n service. (CVE-2020-10769)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family\n field, which might allow attackers to trigger kernel stack corruption via crafted system calls.\n (CVE-2020-10942)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c\n has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing,\n aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability\n because the issue is a bug in parsing mount options which can only be specified by a privileged user, so\n triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can\n result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant\n time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80\n and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar\n multiplication was removed, resulting in variable-time execution dependent on secret data. This\n vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using\n multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling\n multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest\n threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a\n certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a\n do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in\n a different security domain. Exploitation limitations include the amount of elapsed time before an integer\n overflow occurs, and the lack of scenarios where signals to a parent process present a substantial\n operational threat. (CVE-2020-12826)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to\n 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the\n HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP\n headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This\n could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection\n tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote\n user to crash the system, causing a denial of service. The highest threat from this vulnerability is to\n confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file\n system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash\n the system if the directory exists. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14314)\n\n - A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a\n local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds\n write to occur. This flaw allows a local user with access to the VGA console to crash the system,\n potentially escalating their privileges on the system. The highest threat from this vulnerability is to\n data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\n - A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in\n XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can\n lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading\n to a denial of service. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14385)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and\n IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application\n is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this\n attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. (CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. (CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. (CVE-2020-14782, CVE-2020-14797)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or\n delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of\n Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java\n applets. It can also be exploited by supplying data to APIs in the specified Component without using\n sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.\n (CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a\n subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability does not apply to Java deployments, typically in servers, that load and run\n only trusted code (e.g., code installed by an administrator). (CVE-2020-14796)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability\n applies to Java deployments, typically in clients running sandboxed Java Web Start applications or\n sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and\n rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in\n servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14803)\n\n - Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB\n provides the ability to run arbitrary commands as root. (CVE-2020-15862)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN\n and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't\n correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would\n allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this\n vulnerability is to data confidentiality. (CVE-2020-1749)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on\n an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely\n lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak\n between requests. (CVE-2020-17527)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be\n self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within\n the request URL. (CVE-2020-1927)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a\n malicious FTP server. (CVE-2020-1934)\n\n - The X.509 GeneralName type is a generic type for representing different types of names. One of those name\n types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different\n instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both\n GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a\n possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1)\n Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in\n an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp\n authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an\n attacker can control both items being compared then that attacker could trigger a crash. For example if\n the attacker can trick a client or server into checking a malicious certificate against a malicious CRL\n then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a\n certificate. This checking happens prior to the signatures on the certificate and CRL being verified.\n OpenSSL's s_server, s_client and verify tools have support for the -crl_download option which implements\n automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an\n unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of\n EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will\n accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue.\n Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected\n 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). (CVE-2020-1971)\n\n - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new\n filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the\n current umask is not considered. (CVE-2020-24394)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers\n to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c\n instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)\n\n - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption\n and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause\n the system to crash or cause a denial of service. The highest threat from this vulnerability is to data\n confidentiality and integrity as well as system availability. (CVE-2020-25643)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest\n when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into\n accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability\n allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions\n that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported\n versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows high privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which\n leaked partial information about the nonce used during signature generation. Given an electro-magnetic\n trace of a few signature generations, the private key could have been computed. This vulnerability affects\n Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file\n situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources\n that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1\n allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client\n because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating\n the server receiving the TSIG-signed request, could send a truncated response to that request, triggering\n an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to\n correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and\n message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted\n query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from\n a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also\n affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An\n attacker who has been granted privileges to change a specific subset of the zone's content could abuse\n these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\n - cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for\n attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.\n (CVE-2020-8631)\n\n - In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default\n pwlen value, which makes it easier for attackers to guess passwords. (CVE-2020-8632)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in\n drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region\n function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to\n a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it,\n aka CID-2e90ca68b0d2. (CVE-2020-9383)\n\n - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which\n allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single\n backslash character. (CVE-2021-3156)\n\n - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is\n exploitable by any local user who can execute the sudo command without authentication. Successful\n exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AOS-5.19.1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c6af7891\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AOS software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-5482\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:aos\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/lts\", \"Host/Nutanix/Data/Service\", \"Host/Nutanix/Data/Version\", \"Host/Nutanix/Data/arch\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '5.19.1', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 5.19.1 or higher.', 'lts' : FALSE },\n { 'fixed_version' : '5.19.1', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 5.19.1 or higher.', 'lts' : FALSE }\n];\n\nvcf::nutanix::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "osv": [{"lastseen": "2023-04-11T01:38:44", "description": "While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-09T22:58:06", "type": "osv", "title": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2023-04-11T01:38:40", "id": "OSV:GHSA-VVW4-RFWF-P6HX", "href": "https://osv.dev/vulnerability/GHSA-vvw4-rfwf-p6hx", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-05T05:19:01", "description": "\nIt was discovered that Apache Tomcat from 8.5.0 to 8.5.59 could\nre-use an HTTP request header value from the previous stream\nreceived on an HTTP/2 connection for the request associated with\nthe subsequent stream. While this would most likely lead to an\nerror and the closure of the HTTP/2 connection, it is possible\nthat information could leak between requests.\n\n\nFor Debian 9 stretch, this problem has been fixed in version\n8.5.54-0+deb9u5.\n\n\nWe recommend that you upgrade your tomcat8 packages.\n\n\nFor the detailed security status of tomcat8 please refer to\nits security tracker page at:\n<https://security-tracker.debian.org/tracker/tomcat8>\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-16T00:00:00", "type": "osv", "title": "tomcat8 - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2022-08-05T05:18:59", "id": "OSV:DLA-2495-1", "href": "https://osv.dev/vulnerability/DLA-2495-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "ibm": [{"lastseen": "2023-02-27T21:45:02", "description": "## Summary\n\nApp Connect Professional has addressed the following vulnerabilities reported in Apache Tomcat.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17527](<https://vulners.com/cve/CVE-2020-17527>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an issue when the HTTP request header value can be reused from the previous stream received on an HTTP/2 connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192612](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192612>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nApp Connect Professional v 7.5.3.0\n\nApp Connect Professional v 7.5.4.0\n\n \n\n\n \n\n\n## Remediation/Fixes\n\n_roduct_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nApp Connect Professional| 7.5.4.0| LI81933| [7540 Fixcentral link](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm%2FWebSphere%2FApp+Connect+Professional&release=7.5.4.0&platform=All&function=fixId&fixids=7.5.4.0-WS-ACP-20210113-0010_H29_64-CUMUIFIX-010.builtDockerImage,7.5.4.0-WS-ACP-20210113-0010_H29_64-CUMUIFIX-010.docker,7.5.4.0-WS-ACP-20210113-0010_H29_64-CUMUIFIX-010.vcrypt2,&includeSupersedes=0> \"7540 Fixcentral link\" ) \nApp Connect Professional| 7.5.3.0| LI81933| [7530 Fixcentral link](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm%2FWebSphere%2FApp+Connect+Professional&release=7.5.3.0&platform=All&function=fixId&fixids=7.5.3.0-WS-ACP-20210113-0730_H15_64-CUMUIFIX-018.builtDockerImage,7.5.3.0-WS-ACP-20210113-0730_H15_64-CUMUIFIX-018.docker,7.5.3.0-WS-ACP-20210113-0730_H15_64-CUMUIFIX-018.vcrypt2,&includeSupersedes=0> \"7530 Fixcentral link\" ) \n \n \n\n\n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-19T12:18:03", "type": "ibm", "title": "Security Bulletin: : App Connect Professional is affected by Apache Tomcat vulnerabilities.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2021-03-19T12:18:03", "id": "508080EC2619947743811C2CDFEC88743E56A6A7B5472534F08845B6126E5BEA", "href": "https://www.ibm.com/support/pages/node/6434169", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T17:53:09", "description": "## Summary\n\nIBM UrbanCode Release version 6.2.2.7 - 6.2.5.2 are affected by CVE-2020-17527\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17527](<https://vulners.com/cve/CVE-2020-17527>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an issue when the HTTP request header value can be reused from the previous stream received on an HTTP/2 connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192612](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192612>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM UrbanCode Release| 6.2.2.7 - 6.2.5.2 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading to IBM UrbanCode Release version 6.2.5.3 or above. \n\n**Affected Supporting Product(s)**\n\n| \n\n**Remediation/Fix** \n \n---|--- \n \nIBM UrbanCode Release 6.2.2.7 \u2013 6.2.5.2\n\n| \n\n[Download](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FUrbanCode+Release&fixids=6.2.5.5-UrbanCode-Release&source=SAR>) IBM UrbanCode Release 6.2.5.5 \u2013 Includes Tomcat 8.5.69 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-25T07:51:28", "type": "ibm", "title": "Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-17527", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2022-01-25T07:51:28", "id": "95EA56D6055115B49AA8D0630FEC4CFD34FF4271A5FA42CFC289248EA2AEBEDC", "href": "https://www.ibm.com/support/pages/node/6550782", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T14:39:26", "description": "## Summary\n\nThe product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-13949](<https://vulners.com/cve/CVE-2020-13949>) \n** DESCRIPTION: **Apache Thrift is vulnerable to a denial of service, caused by improper input validation. By sending specially-crafted messages, a remote attacker could exploit this vulnerability to cause a large memory allocation. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/196738](<https://exchange.xforce.ibmcloud.com/vulnerabilities/196738>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-25649](<https://vulners.com/cve/CVE-2020-25649>) \n** DESCRIPTION: **FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192648](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192648>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2021-25329](<https://vulners.com/cve/CVE-2021-25329>) \n** DESCRIPTION: **Apache Tomcat could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw with a configuration edge case. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197519](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197519>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-25122](<https://vulners.com/cve/CVE-2021-25122>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when responding to new h2c connection requests. By sending a specially-crafted request, an attacker could exploit this vulnerability to see the request body information from one request to another, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197517](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197517>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-17527](<https://vulners.com/cve/CVE-2020-17527>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an issue when the HTTP request header value can be reused from the previous stream received on an HTTP/2 connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192612](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192612>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8\n\nIBM QRadar SIEM 7.4.0 to 7.4.3 GA\n\n \n\n\n \n\n\n## Remediation/Fixes\n\n[QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 9](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Vulnerability+Manager&release=All&platform=All&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20210716155826&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=SAR> \"QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 9\" )\n\n[QRadar / QRM / QVM / QRIF / QNI 7.4.3 Patch 1](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.3-QRADAR-QRSIEM-20210708143944&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp> \"QRadar / QRM / QVM / QRIF / QNI 7.4.3 Patch 1\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-27T16:25:09", "type": "ibm", "title": "Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13949", "CVE-2020-17527", "CVE-2020-25649", "CVE-2021-25122", "CVE-2021-25329"], "modified": "2021-07-27T16:25:09", "id": "1A226F41CCEE49F182D2CE6E2913B939C921267EC05F27A8773B9DAF87654A6F", "href": "https://www.ibm.com/support/pages/node/6475673", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-30T15:13:48", "description": "## Summary\n\nMultiple Apache Tomcat vulnerabilities affect IBM Control Center. See vulnerability details for descriptions.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-9484](<https://vulners.com/cve/CVE-2020-9484>) \n** DESCRIPTION: **Apache Tomcat could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization when the server is configured to use the PersistenceManager with a FileStore. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182231](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182231>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11996](<https://vulners.com/cve/CVE-2020-11996>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service. By sending a specially crafted sequence of HTTP/2 requests, a remote attacker could exploit this vulnerability to trigger high CPU usage for several seconds. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184012](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184012>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-13934](<https://vulners.com/cve/CVE-2020-13934>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by not releasing the HTTP/1.1 processor after the upgrade to HTTP/2 in an h2c direct connection. By sending specially-crafted requests, a remote attacker could exploit this vulnerability to cause OutOfMemoryException resulting in a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185239](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185239>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-13935](<https://vulners.com/cve/CVE-2020-13935>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by improper validation of the payload length in a WebSocket frame. By sending multiple requests with invalid payload lengths, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185227](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185227>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-13943](<https://vulners.com/cve/CVE-2020-13943>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to see the responses for unexpected resources, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189643](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189643>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-17527](<https://vulners.com/cve/CVE-2020-17527>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an issue when the HTTP request header value can be reused from the previous stream received on an HTTP/2 connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192612](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192612>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2021-24122](<https://vulners.com/cve/CVE-2021-24122>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when serving resources from a network location using the NTFS file system. By sending a specially-crafted request, an attacker could exploit this vulnerability to view the source code for JSPs in some configurations, and use this information to launch further attacks against the affected system. \nCVSS Base score: 8.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194894](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194894>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Control Center| 6.2.0.0 \n \n\n\n## Remediation/Fixes\n\n**Product** | \n\n**VRMF**\n\n| \n\n**iFix**\n\n| \n\n**Remediation** \n \n---|---|---|--- \n \nIBM Control Center\n\n| \n\n6.2.0.0\n\n| \n\niFix08\n\n| \n\n[Fix Central - 6.2.0.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.2.0.0&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-14T21:27:15", "type": "ibm", "title": "Security Bulletin: Multiple Apache Tomcat Vulnerabilities Affect IBM Control Center", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11996", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13943", "CVE-2020-17527", "CVE-2020-9484", "CVE-2021-24122"], "modified": "2021-05-14T21:27:15", "id": "C53D3C47BD4A155045F99C1E4CBF677182A1008DEB57811C876885F82676C572", "href": "https://www.ibm.com/support/pages/node/6453463", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-27T21:47:04", "description": "## Summary\n\nIBM Data Risk Manager has addressed the following vulnerabilities:\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-14305](<https://vulners.com/cve/CVE-2020-14305>) \n** DESCRIPTION: **Linux Kernel could allow a remote attacker to gain elevated privileges on the system, caused by an out-of-bounds memory write flaw in how the Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. An attacker could exploit this vulnerability to gain elevated privileges on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192482](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192482>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10942](<https://vulners.com/cve/CVE-2020-10942>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by improper validation of an sk_family field by the get_raw_socket function in drivers/vhost/net.c. By sending specially-crafted system calls, a local attacker could exploit this vulnerability to cause a kernel stack corruption resulting in a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178539](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178539>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-2732](<https://vulners.com/cve/CVE-2020-2732>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an issue with the vmx_check_intercept function not fully implemented by KVM on Intel processors. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive L1 resource information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176766](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176766>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-9383](<https://vulners.com/cve/CVE-2020-9383>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to obtain sensitive information, caused by an out-of-bounds read flaw in the set_fdc function in drivers/block/floppy.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition. \nCVSS Base score: 7.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176792](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176792>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) \n \n** CVEID: **[CVE-2021-24122](<https://vulners.com/cve/CVE-2021-24122>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when serving resources from a network location using the NTFS file system. By sending a specially-crafted request, an attacker could exploit this vulnerability to view the source code for JSPs in some configurations, and use this information to launch further attacks against the affected system. \nCVSS Base score: 8.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194894](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194894>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) \n \n** CVEID: **[CVE-2020-25695](<https://vulners.com/cve/CVE-2020-25695>) \n** DESCRIPTION: **PostgreSQL could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw when creating non-temporary objects in at least one schema. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary SQL functions under the identity of a superuser. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191771](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191771>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-25694](<https://vulners.com/cve/CVE-2020-25694>) \n** DESCRIPTION: **PostgreSQL could allow a remote attacker to obtain sensitive information, caused by the use of clear-text transmissions when reusing the basic connection parameters while dropping security-relevant parameters. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191770](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191770>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-5412](<https://vulners.com/cve/CVE-2020-5412>) \n** DESCRIPTION: **Spring Cloud Netflix could allow a remote attacker to bypass security restrictions, caused by a flaw when using the Hystrix Dashboard proxy.stream endpoint. An attacker could exploit this vulnerability to send a request to other servers that should not be exposed publicly. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186504](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186504>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-11656](<https://vulners.com/cve/CVE-2020-11656>) \n** DESCRIPTION: **SQLite could allow a remote attacker to obtain sensitive information, caused by a use-after-free in the ALTER TABLE implementation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information and then use this information to launch further attacks against the affected system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180285](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180285>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-11655](<https://vulners.com/cve/CVE-2020-11655>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by mishandling the AggInfo object's initialization. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180289](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180289>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-10754](<https://vulners.com/cve/CVE-2020-10754>) \n** DESCRIPTION: **NetworkManager could allow a remote authenticated attacker to bypass security restrictions, caused by improper configuration in the nmcli. By connecting to a network, an attacker could exploit this vulnerability to bypass authentication. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184636](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184636>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-5411](<https://vulners.com/cve/CVE-2020-5411>) \n** DESCRIPTION: **VMware Spring Batch could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when configured to enable default typing. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183336](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183336>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-25696](<https://vulners.com/cve/CVE-2020-25696>) \n** DESCRIPTION: **PostgreSQL could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the psql interactive terminal. If an interactive psql session uses \\gset when querying a compromised server, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192321](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192321>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-19768](<https://vulners.com/cve/CVE-2019-19768>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-19338](<https://vulners.com/cve/CVE-2019-19338>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a Transaction Asynchronous Abort (TAA) h/w issue in KVM. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172836](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172836>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-19767](<https://vulners.com/cve/CVE-2019-19767>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the __ext4_expand_extra_isize and ext4_xattr_set_entry functions in fs/ext4/inode.c and fs/ext4/super.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173054](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173054>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-19332](<https://vulners.com/cve/CVE-2019-19332>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds memory write in KVM hypervisor. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173143](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173143>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-19447](<https://vulners.com/cve/CVE-2019-19447>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the ext4_put_super function in fs/ext4/super.c. By using a specially-crafted image file, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172760](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172760>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-5408](<https://vulners.com/cve/CVE-2020-5408>) \n** DESCRIPTION: **VMware Tanzu Spring Security could allow a remote attacker to obtain sensitive information, caused by the use of a fixed null initialization vector with CBC Mode. By using dictionary attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181969](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181969>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-5407](<https://vulners.com/cve/CVE-2020-5407>) \n** DESCRIPTION: **Spring Security could allow a remote attacker to bypass security restrictions, caused by a signature wrapping vulnerability during SAML response validation. An attacker could exploit this vulnerability to modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181939](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181939>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-13943](<https://vulners.com/cve/CVE-2020-13943>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to see the responses for unexpected resources, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189643](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189643>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-9327](<https://vulners.com/cve/CVE-2020-9327>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by a NULL pointer dereference in isAuxiliaryVtabOperator. By generating column optimization, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176691](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176691>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-17527](<https://vulners.com/cve/CVE-2020-17527>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an issue when the HTTP request header value can be reused from the previous stream received on an HTTP/2 connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192612](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192612>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-8647](<https://vulners.com/cve/CVE-2020-8647>) \n** DESCRIPTION: **Linux kernel could allow a remote attacker to obtain sensitive information, caused by a use-after-free in the vc_do_resize function of drivers/tty/vt/vt.c. An attacker could exploit this vulnerability to read memory that should not be available for access. \nCVSS Base score: 4.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175842](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175842>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2020-8649](<https://vulners.com/cve/CVE-2020-8649>) \n** DESCRIPTION: **Linux kernel could allow a remote attacker to obtain sensitive information, caused by a use-after-free in the vgacon_invert_region function of drivers/video/console/vgacon.c. An attacker could exploit this vulnerability to read memory that should not be available for access. \nCVSS Base score: 4.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175844](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175844>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2020-2590](<https://vulners.com/cve/CVE-2020-2590>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174538](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174538>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-14792](<https://vulners.com/cve/CVE-2020-14792>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Hotspot component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 4.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/190110](<https://exchange.xforce.ibmcloud.com/vulnerabilities/190110>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-14797](<https://vulners.com/cve/CVE-2020-14797>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/190115](<https://exchange.xforce.ibmcloud.com/vulnerabilities/190115>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-14779](<https://vulners.com/cve/CVE-2020-14779>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/190097](<https://exchange.xforce.ibmcloud.com/vulnerabilities/190097>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14796](<https://vulners.com/cve/CVE-2020-14796>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. \nCVSS Base score: 3.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/190114](<https://exchange.xforce.ibmcloud.com/vulnerabilities/190114>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-12352](<https://vulners.com/cve/CVE-2020-12352>) \n** DESCRIPTION: **Linux Kernel could allow a remote attacker to obtain sensitive information, caused by improper access control in the BlueZ implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189720](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189720>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-12351](<https://vulners.com/cve/CVE-2020-12351>) \n** DESCRIPTION: **Linux Kernel could allow a remote attacker to gain elevated privileges on the system, caused by improper input validation in the BlueZ implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain elevated privileges. \nCVSS Base score: 8.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189719](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189719>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-12770](<https://vulners.com/cve/CVE-2020-12770>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by an issue with sg_write lacks an sg_remove_request call in a certain failure case. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a panic. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-10693](<https://vulners.com/cve/CVE-2020-10693>) \n** DESCRIPTION: **Hibernate Hibernate Validator could allow a remote attacker to bypass security restrictions, caused by a flaw in the message interpolation processor. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass input sanitation controls when handling user-controlled data in error messages. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182240](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182240>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-11565](<https://vulners.com/cve/CVE-2020-11565>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a stack-based out-of-bounds write flaw in the mpol_parse_str function in mm/mempolicy.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179100](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179100>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10690](<https://vulners.com/cve/CVE-2020-10690>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the cdev_put function in the Precision Time Protocol (PTP). By removing a PTP device while chardev is open, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180182](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180182>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-13934](<https://vulners.com/cve/CVE-2020-13934>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by not releasing the HTTP/1.1 processor after the upgrade to HTTP/2 in an h2c direct connection. By sending specially-crafted requests, a remote attacker could exploit this vulnerability to cause OutOfMemoryException resulting in a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185239](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185239>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-5413](<https://vulners.com/cve/CVE-2020-5413>) \n** DESCRIPTION: **VMware Tanzu Spring Integration could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when configuring Kryo in code. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186211](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186211>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10751](<https://vulners.com/cve/CVE-2020-10751>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by a flaw with improper validation of first netlink message by the SELinux LSM hook implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow or deny the rest of the netlink messages within the skb with the granted permission without further processing. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182451](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182451>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) \n \n** CVEID: **[CVE-2020-2601](<https://vulners.com/cve/CVE-2020-2601>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174548](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174548>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-10732](<https://vulners.com/cve/CVE-2020-10732>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the implementation of Userspace core dumps. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a program to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181554](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181554>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-18282](<https://vulners.com/cve/CVE-2019-18282>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to obtain sensitive information, caused by a device tracking vulnerability in flow_dissector feature. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information and then use this information to launch further attacks against the affected system. \nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174716](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174716>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-14349](<https://vulners.com/cve/CVE-2020-14349>) \n** DESCRIPTION: **PostgreSQL could allow a remote authenticated attacker to execute arbitrary command on the system, caused by improper sanitization of search_path during logical replication. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary SQL command in the context of the user used for replication. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/187185](<https://exchange.xforce.ibmcloud.com/vulnerabilities/187185>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-14350](<https://vulners.com/cve/CVE-2020-14350>) \n** DESCRIPTION: **PostgreSQL could allow a remote authenticated attacker to execute arbitrary code on the system, caused by the failure to use search_path safely in their installation script. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary script. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/187183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/187183>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-25212](<https://vulners.com/cve/CVE-2020-25212>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a TOCTOU mismatch in the NFS client code. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or corrupt memory. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188137](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188137>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-15358](<https://vulners.com/cve/CVE-2020-15358>) \n** DESCRIPTION: **SQLite is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the mishandling of query-flattener optimization in select.c. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-24394](<https://vulners.com/cve/CVE-2020-24394>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by the lack of ACL support to the filesystems in fs/nfsd/vfs.c (in the NFS server). By sending a specially-crafted request, an attacker could exploit this vulnerability to set incorrect permissions on new filesystem objects. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186968](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186968>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2019-20636](<https://vulners.com/cve/CVE-2019-20636>) \n** DESCRIPTION: **Linux Linux could allow a local attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw in the input_set_keycode function. By using a specially-crafted keycode table, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181202](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181202>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-14331](<https://vulners.com/cve/CVE-2020-14331>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by an out-of-bounds write flaw in the implementation of the invert video code on VGA consoles. By sending a specially-crafted request to resize the console, an authenticated attacker could exploit this vulnerability to gain elevated privileges or crash the system. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185987](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185987>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11971](<https://vulners.com/cve/CVE-2020-11971>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to obtain sensitive information, caused by a rebind flaw in JMX. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181961](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181961>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-11973](<https://vulners.com/cve/CVE-2020-11973>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Java application component in Netty. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181963](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181963>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11972](<https://vulners.com/cve/CVE-2020-11972>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Java application component in RabbitMQ. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181962](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181962>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-13435](<https://vulners.com/cve/CVE-2020-13435>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by flaw in the sqlite3ExprCodeTarget function in expr.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182406](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182406>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-13434](<https://vulners.com/cve/CVE-2020-13434>) \n** DESCRIPTION: **SQLite is vulnerable to a stack-based buffer overflow, caused by an integer overflow in the sqlite3_str_vappendf function. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182405](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182405>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10757](<https://vulners.com/cve/CVE-2020-10757>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a flaw when mremap a mmaped DAX nvdimm to a mmaped anonymous memory region. By executing a specially-crafted program, a local attacker could exploit this vulnerability to cause corrupted page table resulting in a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182919](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182919>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-12826](<https://vulners.com/cve/CVE-2020-12826>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to bypass security restrictions, caused by a signal access-control issue in exec_id in include/linux/sched.h. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass checks to send any signal to a privileged process. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182113](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182113>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-1749](<https://vulners.com/cve/CVE-2020-1749>) \n** DESCRIPTION: **Linux Kernel could allow a remote attacker to obtain sensitive information, caused by an error in the implementation of some ipv6 protocols in encrypted Ipsec tunnels. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to read the traffic unencrypted. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181872](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181872>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-14583](<https://vulners.com/cve/CVE-2020-14583>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 8.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185061](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185061>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-14593](<https://vulners.com/cve/CVE-2020-14593>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185071](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185071>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-14621](<https://vulners.com/cve/CVE-2020-14621>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185099](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185099>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-14556](<https://vulners.com/cve/CVE-2020-14556>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 4.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185034](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185034>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-14581](<https://vulners.com/cve/CVE-2020-14581>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the 2D component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185059](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185059>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-14579](<https://vulners.com/cve/CVE-2020-14579>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185057](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185057>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14578](<https://vulners.com/cve/CVE-2020-14578>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185056](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185056>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14577](<https://vulners.com/cve/CVE-2020-14577>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-17639](<https://vulners.com/cve/CVE-2019-17639>) \n** DESCRIPTION: **Eclipse OpenJ9 could allow a remote attacker to obtain sensitive information, caused by the premature return of the current method with an undefined return value. By invoking the System.arraycopy method with a length longer than the length of the source or destination array can, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185437](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185437>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-13631](<https://vulners.com/cve/CVE-2020-13631>) \n** DESCRIPTION: **SQLite could allow a remote attacker to bypass security restrictions, caused by a flaw in the alter.c and build.c. By sending a specially crafted request, an attacker could exploit this vulnerability to rename the virtual table to the name of one of its shadow tables. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182611](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182611>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-13632](<https://vulners.com/cve/CVE-2020-13632>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by a NULL pointer dereference in ext/fts3/fts3_snippet.c. By sending a specially crafted matchinfo() query, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182610](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182610>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-13630](<https://vulners.com/cve/CVE-2020-13630>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by a use-after-free in fts3EvalNextRow in ext/fts3/fts3.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182613](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182613>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-5421](<https://vulners.com/cve/CVE-2020-5421>) \n** DESCRIPTION: **VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by improper input validation. By using a specially-crafted jsessionid path parameter, an attacker could exploit this vulnerability to bypass RFD Protection. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188530](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188530>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-14385](<https://vulners.com/cve/CVE-2020-14385>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a failure of the file system metadata validator in XFS. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the system to shutdown. \nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188394](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188394>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14314](<https://vulners.com/cve/CVE-2020-14314>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a memory out-of-bounds read flaw. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188395](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188395>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-13935](<https://vulners.com/cve/CVE-2020-13935>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by improper validation of the payload length in a WebSocket frame. By sending multiple requests with invalid payload lengths, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185227](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185227>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-25643](<https://vulners.com/cve/CVE-2020-25643>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a memory corruption and a read overflow flaws in the ppp_cp_parse_cr function in the HDLC_PPP module. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause the system to crash or a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189415](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189415>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-25638](<https://vulners.com/cve/CVE-2020-25638>) \n** DESCRIPTION: **Hibernate ORM is vulnerable to SQL injection, caused by misconfiguration for hibernate.use_sql_comments. A remote attacker could send specially-crafted SQL statements to view, add, modify or delete information in the back-end database. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192057](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192057>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2019-14895](<https://vulners.com/cve/CVE-2019-14895>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the mwifiex_process_country_ie function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c. By sending a specially-crafted beacon packet, a remote attacker could overflow a buffer and execute arbitrary code or cause a denial of service on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172101](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172101>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17133](<https://vulners.com/cve/CVE-2019-17133>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the cfg80211_mgd_wext_giwessid functions in net/wireless/wext-sme.c. By sending an overly long long SSID IE, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168370](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168370>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-18660](<https://vulners.com/cve/CVE-2019-18660>) \n** DESCRIPTION: **Linux Kernel for PowerPC could allow a local authenticated attacker to obtain sensitive information, caused by the failure to activate the mitigation for Spectre-RSB on context switch. By using side channel attacks, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172297](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172297>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-19046](<https://vulners.com/cve/CVE-2019-19046>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c. A remote attacker could exploit this vulnerability to consume all available memory resources. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171754](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171754>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-17666](<https://vulners.com/cve/CVE-2019-17666>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the rtl_p2p_noa_ie function in drivers/net/wireless/realtek/rtlwifi/ps.c. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169487](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169487>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-19062](<https://vulners.com/cve/CVE-2019-19062>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the crypto_report() function in crypto/crypto_user_base.c. A remote attacker could exploit this vulnerability to consume all available memory resources. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171776](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171776>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-14901](<https://vulners.com/cve/CVE-2019-14901>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the mwifiex_process_tdls_action_frame function in marvell/mwifiex/tdls.c. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code or cause a denial of service on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172100](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172100>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-20907](<https://vulners.com/cve/CVE-2019-20907>) \n** DESCRIPTION: **Python is vulnerable to a denial of service, caused by a flaw in the tarfile module in Lib/tarfile.py. By persuading a victim to open a specially-craft a TAR archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185442](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185442>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM DRM| 2.0.6 \n \n\n\n## Remediation/Fixes\n\nTo obtain fixes for all reported issues, customers are advised first to upgrade to v2.0.6.6, and then apply the latest FixPack 2.0.6.7. The FixPack is not cumulative. So it must be applied on top of 2.0.6.6 in sequence.\n\n_Product_| _VRMF_| _APAR \n_| _Remediation / First Fix_ \n---|---|---|--- \nIBM Data Risk Manager| 2.0.6| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.1_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.4.1&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.2_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.1&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n5) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n6) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n7) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.1| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.2_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.1&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n4) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n5) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n6) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.2| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n3) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n5) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.3| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n2) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.4| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.5| \n\n- \n\n\n| \n\n1) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.6| \n\n- \n\n\n| \n\n1) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-02T05:06:51", "type": "ibm", "title": "Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14895", "CVE-2019-14901", "CVE-2019-17133", "CVE-2019-17639", "CVE-2019-17666", "CVE-2019-18282", "CVE-2019-18660", "CVE-2019-19046", "CVE-2019-19062", "CVE-2019-19332", "CVE-2019-19338", "CVE-2019-19447", "CVE-2019-19767", "CVE-2019-19768", "CVE-2019-20636", "CVE-2019-20907", "CVE-2020-10690", "CVE-2020-10693", "CVE-2020-10732", "CVE-2020-10751", "CVE-2020-10754", "CVE-2020-10757", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973", "CVE-2020-12351", "CVE-2020-12352", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13434", "CVE-2020-13435", "CVE-2020-13630", "CVE-2020-13631", "CVE-2020-13632", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13943", "CVE-2020-14305", "CVE-2020-14314", "CVE-2020-14331", "CVE-2020-14349", "CVE-2020-14350", "CVE-2020-14385", "CVE-2020-14556", "CVE-2020-14577", "CVE-2020-14578", "CVE-2020-14579", "CVE-2020-14581", "CVE-2020-14583", "CVE-2020-14593", "CVE-2020-14621", "CVE-2020-14779", "CVE-2020-14792", "CVE-2020-14796", "CVE-2020-14797", "CVE-2020-15358", "CVE-2020-1749", "CVE-2020-17527", "CVE-2020-24394", "CVE-2020-25212", "CVE-2020-25638", "CVE-2020-25643", "CVE-2020-25694", "CVE-2020-25695", "CVE-2020-25696", "CVE-2020-2590", "CVE-2020-2601", "CVE-2020-2732", "CVE-2020-5407", "CVE-2020-5408", "CVE-2020-5411", "CVE-2020-5412", "CVE-2020-5413", "CVE-2020-5421", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9327", "CVE-2020-9383", "CVE-2021-24122"], "modified": "2021-02-02T05:06:51", "id": "F0AFFAB5446BEF6A6B346CA7237A1583252E55B1EA002352E7DFDFFB5796363C", "href": "https://www.ibm.com/support/pages/node/6410788", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-12-19T03:33:10", "description": "**Issue Overview:**\n\nWhile investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. ([CVE-2020-17527 __](<https://access.redhat.com/security/cve/CVE-2020-17527>))\n\n \n**Affected Packages:** \n\n\ntomcat8\n\n \n**Issue Correction:** \nRun _yum update tomcat8_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n tomcat8-admin-webapps-8.5.60-1.86.amzn1.noarch \n tomcat8-lib-8.5.60-1.86.amzn1.noarch \n tomcat8-log4j-8.5.60-1.86.amzn1.noarch \n tomcat8-jsp-2.3-api-8.5.60-1.86.amzn1.noarch \n tomcat8-javadoc-8.5.60-1.86.amzn1.noarch \n tomcat8-webapps-8.5.60-1.86.amzn1.noarch \n tomcat8-el-3.0-api-8.5.60-1.86.amzn1.noarch \n tomcat8-servlet-3.1-api-8.5.60-1.86.amzn1.noarch \n tomcat8-docs-webapp-8.5.60-1.86.amzn1.noarch \n tomcat8-8.5.60-1.86.amzn1.noarch \n \n src: \n tomcat8-8.5.60-1.86.amzn1.src \n \n \n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-16T20:52:00", "type": "amazon", "title": "Medium: tomcat8", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2020-12-16T20:52:00", "id": "ALAS-2020-1473", "href": "https://alas.aws.amazon.com/ALAS-2020-1473.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:17:36", "description": "**Issue Overview:**\n\nWhile investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\n \n**Affected Packages:** \n\n\ntomcat8\n\n \n**Issue Correction:** \nRun _yum update tomcat8_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n \u00a0\u00a0\u00a0 tomcat8-admin-webapps-8.5.60-1.86.amzn1.noarch \n \u00a0\u00a0\u00a0 tomcat8-lib-8.5.60-1.86.amzn1.noarch \n \u00a0\u00a0\u00a0 tomcat8-log4j-8.5.60-1.86.amzn1.noarch \n \u00a0\u00a0\u00a0 tomcat8-jsp-2.3-api-8.5.60-1.86.amzn1.noarch \n \u00a0\u00a0\u00a0 tomcat8-javadoc-8.5.60-1.86.amzn1.noarch \n \u00a0\u00a0\u00a0 tomcat8-webapps-8.5.60-1.86.amzn1.noarch \n \u00a0\u00a0\u00a0 tomcat8-el-3.0-api-8.5.60-1.86.amzn1.noarch \n \u00a0\u00a0\u00a0 tomcat8-servlet-3.1-api-8.5.60-1.86.amzn1.noarch \n \u00a0\u00a0\u00a0 tomcat8-docs-webapp-8.5.60-1.86.amzn1.noarch \n \u00a0\u00a0\u00a0 tomcat8-8.5.60-1.86.amzn1.noarch \n \n src: \n \u00a0\u00a0\u00a0 tomcat8-8.5.60-1.86.amzn1.src \n \n \n\n### Additional References\n\nRed Hat: [CVE-2020-17527](<https://access.redhat.com/security/cve/CVE-2020-17527>)\n\nMitre: [CVE-2020-17527](<https://vulners.com/cve/CVE-2020-17527>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-01-12T22:52:00", "type": "amazon", "title": "Medium: tomcat8", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2021-01-13T18:29:00", "id": "ALAS-2021-1473", "href": "https://alas.aws.amazon.com/ALAS-2021-1473.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "mageia": [{"lastseen": "2023-06-06T16:28:09", "description": "While investigating Apache issue 64830 it was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests (CVE-2020-17527). The tomcat package has been updated to version 9.0.39, and patched to fix this issue. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-01-10T19:46:12", "type": "mageia", "title": "Updated tomcat packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2021-01-10T19:46:12", "id": "MGASA-2021-0020", "href": "https://advisories.mageia.org/MGASA-2021-0020.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "ubuntucve": [{"lastseen": "2023-06-29T14:04:08", "description": "While investigating bug 64830 it was discovered that Apache Tomcat\n10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use\nan HTTP request header value from the previous stream received on an HTTP/2\nconnection for the request associated with the subsequent stream. While\nthis would most likely lead to an error and the closure of the HTTP/2\nconnection, it is possible that information could leak between requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-03T00:00:00", "type": "ubuntucve", "title": "CVE-2020-17527", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2020-12-03T00:00:00", "id": "UB:CVE-2020-17527", "href": "https://ubuntu.com/security/CVE-2020-17527", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "f5": [{"lastseen": "2023-02-21T20:06:29", "description": "While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. ([CVE-2020-17527](<https://vulners.com/cve/CVE-2020-17527>))\n\nImpact\n\nA remote attacker can exploit this vulnerability to obtain sensitive data from information leakage between HTTP requests. \n \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-31T14:12:00", "type": "f5", "title": "Apache Tomcat vulnerability CVE-2020-17527", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2020-12-31T14:12:00", "id": "F5:K44415301", "href": "https://support.f5.com/csp/article/K44415301", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "archlinux": [{"lastseen": "2023-06-06T15:10:19", "description": "Arch Linux Security Advisory ASA-202012-4\n=========================================\n\nSeverity: Medium\nDate : 2020-12-05\nCVE-ID : CVE-2020-17527\nPackage : tomcat8\nType : information disclosure\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1316\n\nSummary\n=======\n\nThe package tomcat8 before version 8.5.60-1 is vulnerable to\ninformation disclosure.\n\nResolution\n==========\n\nUpgrade to 8.5.60-1.\n\n# pacman -Syu \"tomcat8>=8.5.60-1\"\n\nThe problem has been fixed upstream in version 8.5.60.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIt was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1\nto 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value\nfrom the previous stream received on an HTTP/2 connection for the\nrequest associated with the subsequent stream. While this would most\nlikely lead to an error and the closure of the HTTP/2 connection, it is\npossible that information could leak between requests.\n\nImpact\n======\n\nA remote attacker might be able to access sensitive information via\nwell-timed HTTP/2 requests.\n\nReferences\n==========\n\nhttps://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60\nhttps://github.com/apache/tomcat/commit/21e3408671aac7e0d7e264e720cac8b1b189eb29\nhttps://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40\nhttps://github.com/apache/tomcat/commit/d56293f816d6dc9e2b47107f208fa9e95db58c65\nhttps://security.archlinux.org/CVE-2020-17527", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-05T00:00:00", "type": "archlinux", "title": "[ASA-202012-4] tomcat8: information disclosure", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2020-12-05T00:00:00", "id": "ASA-202012-4", "href": "https://security.archlinux.org/ASA-202012-4", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:10:20", "description": "Arch Linux Security Advisory ASA-202012-3\n=========================================\n\nSeverity: Medium\nDate : 2020-12-05\nCVE-ID : CVE-2020-17527\nPackage : tomcat9\nType : information disclosure\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1317\n\nSummary\n=======\n\nThe package tomcat9 before version 9.0.40-1 is vulnerable to\ninformation disclosure.\n\nResolution\n==========\n\nUpgrade to 9.0.40-1.\n\n# pacman -Syu \"tomcat9>=9.0.40-1\"\n\nThe problem has been fixed upstream in version 9.0.40.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIt was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1\nto 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value\nfrom the previous stream received on an HTTP/2 connection for the\nrequest associated with the subsequent stream. While this would most\nlikely lead to an error and the closure of the HTTP/2 connection, it is\npossible that information could leak between requests.\n\nImpact\n======\n\nA remote attacker might be able to access sensitive information via\nwell-timed HTTP/2 requests.\n\nReferences\n==========\n\nhttps://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40\nhttps://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60\nhttps://github.com/apache/tomcat/commit/21e3408671aac7e0d7e264e720cac8b1b189eb29\nhttps://github.com/apache/tomcat/commit/d56293f816d6dc9e2b47107f208fa9e95db58c65\nhttps://security.archlinux.org/CVE-2020-17527", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-05T00:00:00", "type": "archlinux", "title": "[ASA-202012-3] tomcat9: information disclosure", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2020-12-05T00:00:00", "id": "ASA-202012-3", "href": "https://security.archlinux.org/ASA-202012-3", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "gentoo": [{"lastseen": "2023-06-06T15:24:49", "description": "### Background\n\nApache Tomcat is a Servlet-3.0/JSP-2.2 Container.\n\n### Description\n\nIt was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. \n\n### Impact\n\nA remote attacker, by sending well-timed HTTP/2 requests, could possibly obtain sensitive information. \n\n### Workaround\n\nDisable HTTP/2 support.\n\n### Resolution\n\nAll Apache Tomcat 8.5.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/tomcat-8.5.60:8.5\"\n \n\nAll Apache Tomcat 9.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/tomcat-9.0.40:9\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-24T00:00:00", "type": "gentoo", "title": "Apache Tomcat: Information disclosure", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2020-12-24T00:00:00", "id": "GLSA-202012-23", "href": "https://security.gentoo.org/glsa/202012-23", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "suse": [{"lastseen": "2022-11-09T21:01:18", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for tomcat fixes the following issue:\n\n - CVE-2020-17527: Fixed a HTTP/2 request header mix-up (bsc#1179602).\n\n This update was imported from the SUSE:SLE-15-SP2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-43=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-01-11T00:00:00", "type": "suse", "title": "Security update for tomcat (moderate)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2021-01-11T00:00:00", "id": "OPENSUSE-SU-2021:0043-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4EA4UBW4STKIATR7VTJBCM2FBGG23C3G/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-04-18T12:40:44", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for tomcat fixes the following issue:\n\n - CVE-2020-17527: Fixed a HTTP/2 request header mix-up (bsc#1179602).\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2021-81=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-01-16T00:00:00", "type": "suse", "title": "Security update for tomcat (moderate)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2021-01-16T00:00:00", "id": "OPENSUSE-SU-2021:0081-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/633VPXBTLJ3ECQFTNOKFL457XMKHKZ32/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2023-06-06T14:31:24", "description": "While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-03T19:15:00", "type": "cve", "title": "CVE-2020-17527", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2022-05-12T14:47:00", "cpe": ["cpe:/a:netapp:oncommand_system_manager:3.1.3", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:oracle:workload_manager:19c", "cpe:/a:oracle:communications_instant_messaging_server:10.0.1.5.0", "cpe:/a:apache:tomcat:9.0.35", "cpe:/a:oracle:workload_manager:18c", "cpe:/a:apache:tomcat:9.0.37", "cpe:/a:oracle:sd-wan_edge:9.0", "cpe:/a:apache:tomcat:8.5.59", "cpe:/a:oracle:instantis_enterprisetrack:17.2", "cpe:/a:oracle:communications_cloud_native_core_policy:1.14.0", "cpe:/a:netapp:element_plug-in:-", "cpe:/a:apache:tomcat:9.0.0", "cpe:/a:apache:tomcat:9.0.35-3.57.3", "cpe:/a:apache:tomcat:9.0.36", "cpe:/a:oracle:instantis_enterprisetrack:17.3", "cpe:/a:apache:tomcat:10.0.0", "cpe:/a:apache:tomcat:9.0.39", "cpe:/a:apache:tomcat:9.0.38", "cpe:/o:debian:debian_linux:10.0", "cpe:/a:oracle:communications_cloud_native_core_binding_support_function:1.10.0", "cpe:/a:apache:tomcat:9.0.35-3.39.1", "cpe:/a:oracle:instantis_enterprisetrack:17.1"], "id": "CVE-2020-17527", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17527", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.5.59:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.36:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.37:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*", "cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*", "cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.35-3.57.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.35:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.38:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*", "cpe:2.3:a:netapp:element_plug-in:-:*:*:*:*:vcenter_server:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_system_manager:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.39:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.35-3.39.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*"]}], "cisa": [{"lastseen": "2021-02-24T18:06:34", "description": "The Apache Software Foundation has released a security advisory to address a vulnerability in Apache Tomcat. An attacker could exploit this vulnerability to cause a denial-of-service condition.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apache security advisory for [CVE-2020-17527](<http://mail-archives.us.apache.org/mod_mbox/www-announce/202012.mbox/%3C52858194-2efd-6f17-1821-9036c8494df0%40apache.org%3E>) and upgrade to the appropriate version.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/12/04/apache-releases-security-advisory-apache-tomcat>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-04T00:00:00", "type": "cisa", "title": "Apache Releases Security Advisory for Apache Tomcat", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2020-12-04T00:00:00", "id": "CISA:727AB64FBBEAE210BE92EA5DFD66647C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/12/04/apache-releases-security-advisory-apache-tomcat", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2021-10-22T11:40:26", "description": "- -----------------------------------------------------------------------\nDebian LTS Advisory DLA-2495-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Utkarsh Gupta\nDecember 16, 2020 https://wiki.debian.org/LTS\n- -----------------------------------------------------------------------\n\nPackage : tomcat8\nVersion : 8.5.54-0+deb9u5\nCVE ID : CVE-2020-17527\n\nIt was discovered that Apache Tomcat from 8.5.0 to 8.5.59 could\nre-use an HTTP request header value from the previous stream\nreceived on an HTTP/2 connection for the request associated with\nthe subsequent stream. While this would most likely lead to an\nerror and the closure of the HTTP/2 connection, it is possible\nthat information could leak between requests.\n\nFor Debian 9 stretch, this problem has been fixed in version\n8.5.54-0+deb9u5.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFor the detailed security status of tomcat8 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-16T17:28:07", "type": "debian", "title": "[SECURITY] [DLA 2495-1] tomcat8 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2020-12-16T17:28:07", "id": "DEBIAN:DLA-2495-1:A5479", "href": "https://lists.debian.org/debian-lts-announce/2020/12/msg00022.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-07T14:40:17", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4835-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJanuary 22, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : tomcat9\nCVE ID : CVE-2020-13943 CVE-2020-17527\n\nTwo vulnerabilities were discovered in the Tomcat servlet and JSP\nengine, which could result in information disclosure.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 9.0.31-1~deb10u3.\n\nWe recommend that you upgrade your tomcat9 packages.\n\nFor the detailed security status of tomcat9 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat9\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-01-22T18:48:45", "type": "debian", "title": "[SECURITY] [DSA 4835-1] tomcat9 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13943", "CVE-2020-17527"], "modified": "2021-01-22T18:48:45", "id": "DEBIAN:DSA-4835-1:22674", "href": "https://lists.debian.org/debian-security-announce/2021/msg00014.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debiancve": [{"lastseen": "2023-06-06T15:03:27", "description": "While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-03T19:15:00", "type": "debiancve", "title": "CVE-2020-17527", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2020-12-03T19:15:00", "id": "DEBIANCVE:CVE-2020-17527", "href": "https://security-tracker.debian.org/tracker/CVE-2020-17527", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "veracode": [{"lastseen": "2022-07-26T16:38:30", "description": "tomcat is vulnerable to denial of service. Re-use of an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream would most likely lead to an error and the closure of the HTTP/2 connection which allows an attacker to leak information.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-04T02:58:16", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2022-05-12T16:32:26", "id": "VERACODE:28041", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-28041/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "redhatcve": [{"lastseen": "2023-09-06T05:52:03", "description": "While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-03T21:23:17", "type": "redhatcve", "title": "CVE-2020-17527", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527"], "modified": "2023-08-31T15:58:34", "id": "RH:CVE-2020-17527", "href": "https://access.redhat.com/security/cve/cve-2020-17527", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "photon": [{"lastseen": "2022-05-12T18:45:11", "description": "Updates of ['openldap', 'apache-tomcat'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-17T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2020-0180", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527", "CVE-2020-25692"], "modified": "2020-12-17T00:00:00", "id": "PHSA-2020-0180", "href": "https://github.com/vmware/photon/wiki/Security-Update-3.0-180", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-24T14:42:06", "description": "Updates of ['apache-tomcat', 'openldap'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-17T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2020-3.0-0180", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527", "CVE-2020-25692"], "modified": "2020-12-17T00:00:00", "id": "PHSA-2020-3.0-0180", "href": "https://github.com/vmware/photon/wiki/Security-Update-3.0-180", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-11-03T08:47:44", "description": "An update of {'apache-tomcat', 'linux-esx', 'linux'} packages of Photon OS has been released.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-19T00:00:00", "type": "photon", "title": "Home\nDownload Photon OS\nUser Documentation\nFAQ\nSecurity Advisories\nRelated Information\n\nLightwave - PHSA-2020-1.0-0350", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527", "CVE-2020-29660", "CVE-2020-29661"], "modified": "2020-12-19T00:00:00", "id": "PHSA-2020-1.0-0350", "href": "https://github.com/vmware/photon/wiki/Security-Updates-1.0-350", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T16:17:00", "description": "Updates of ['linux', 'apache-tomcat', 'linux-esx'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-19T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2020-0350", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527", "CVE-2020-29660", "CVE-2020-29661"], "modified": "2020-12-19T00:00:00", "id": "PHSA-2020-0350", "href": "https://github.com/vmware/photon/wiki/Security-Update-1.0-350", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-03T20:57:25", "description": "An update of {'influxdb', 'openldap', 'linux-aws', 'glib', 'linux', 'apache-tomcat', 'linux-secure', 'linux-esx'} packages of Photon OS has been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-06T00:00:00", "type": "photon", "title": "Home\nDownload Photon OS\nUser Documentation\nFAQ\nSecurity Advisories\nRelated Information\n\nLightwave - PHSA-2021-2.0-0308", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-20933", "CVE-2020-17527", "CVE-2020-25692", "CVE-2020-29660", "CVE-2020-29661", "CVE-2020-35457"], "modified": "2021-01-06T00:00:00", "id": "PHSA-2021-2.0-0308", "href": "https://github.com/vmware/photon/wiki/Security-Updates-2-308", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:38:31", "description": "Updates of ['linux-aws', 'glib', 'linux-secure', 'linux-esx', 'linux', 'apache-tomcat', 'openldap', 'influxdb'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-05T00:00:00", "type": "photon", "title": "Critical Photon OS Security Update - PHSA-2021-0308", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-20933", "CVE-2020-17527", "CVE-2020-25692", "CVE-2020-29660", "CVE-2020-29661", "CVE-2020-35457"], "modified": "2021-01-05T00:00:00", "id": "PHSA-2021-0308", "href": "https://github.com/vmware/photon/wiki/Security-Update-2.0-308", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-12T18:57:43", "description": "Updates of ['linux-aws', 'containerd', 'linux-secure', 'glib', 'libtiff', 'linux-rt', 'curl', 'linux', 'libvirt', 'openssl', 'mysql', 'wpa_supplicant', 'apache-tomcat', 'python3', 'nodejs', 'docker'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-07T00:00:00", "type": "photon", "title": "Critical Photon OS Security Update - PHSA-2021-0007", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10161", "CVE-2019-15239", "CVE-2020-11080", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-12351", "CVE-2020-14765", "CVE-2020-14769", "CVE-2020-14773", "CVE-2020-14775", "CVE-2020-14776", "CVE-2020-14777", "CVE-2020-14785", "CVE-2020-14786", "CVE-2020-14789", "CVE-2020-14790", "CVE-2020-14793", "CVE-2020-14794", "CVE-2020-14800", "CVE-2020-14804", "CVE-2020-14809", "CVE-2020-14812", "CVE-2020-14814", "CVE-2020-14821", "CVE-2020-14827", "CVE-2020-14828", "CVE-2020-14829", "CVE-2020-14830", "CVE-2020-14836", "CVE-2020-14837", "CVE-2020-14838", "CVE-2020-14839", "CVE-2020-14844", "CVE-2020-14845", "CVE-2020-14846", "CVE-2020-14848", "CVE-2020-14852", "CVE-2020-14861", "CVE-2020-14866", "CVE-2020-14867", "CVE-2020-14868", "CVE-2020-14869", "CVE-2020-14870", "CVE-2020-14873", "CVE-2020-14878", "CVE-2020-14888", "CVE-2020-14891", "CVE-2020-14893", "CVE-2020-15257", "CVE-2020-15358", "CVE-2020-17527", "CVE-2020-1971", "CVE-2020-25637", "CVE-2020-25639", "CVE-2020-27170", "CVE-2020-27171", "CVE-2020-28374", "CVE-2020-35499", "CVE-2020-35521", "CVE-2020-35522", "CVE-2020-35523", "CVE-2020-35524", "CVE-2020-36158", "CVE-2020-8265", "CVE-2020-8277", "CVE-2020-8287", "CVE-2021-2002", "CVE-2021-2010", "CVE-2021-2011", "CVE-2021-2021", "CVE-2021-2022", "CVE-2021-2024", "CVE-2021-2028", "CVE-2021-2030", "CVE-2021-2031", "CVE-2021-2032", "CVE-2021-2036", "CVE-2021-2038", "CVE-2021-2046", "CVE-2021-2048", "CVE-2021-2055", "CVE-2021-2056", "CVE-2021-2058", "CVE-2021-2060", "CVE-2021-2061", "CVE-2021-2065", "CVE-2021-2070", "CVE-2021-2072", "CVE-2021-2076", "CVE-2021-2081", "CVE-2021-2087", "CVE-2021-2088", "CVE-2021-2122", "CVE-2021-21284", "CVE-2021-21285", "CVE-2021-21334", "CVE-2021-22876", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-22890", "CVE-2021-23336", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-24122", "CVE-2021-25122", "CVE-2021-25329", "CVE-2021-26708", "CVE-2021-26930", "CVE-2021-26931", "CVE-2021-26932", "CVE-2021-27363", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-27803", "CVE-2021-28038", "CVE-2021-28039", "CVE-2021-28153", "CVE-2021-28375", "CVE-2021-29265", "CVE-2021-3177", "CVE-2021-3178", "CVE-2021-3347", "CVE-2021-3348", "CVE-2021-3444", "CVE-2021-3449", "CVE-2021-3450"], "modified": "2021-04-07T00:00:00", "id": "PHSA-2021-0007", "href": "https://github.com/vmware/photon/wiki/Security-Update-4.0-7", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-09-25T11:55:55", "description": "Updates of ['libvirt', 'python3', 'wpa_supplicant', 'linux-aws', 'docker', 'curl', 'mysql', 'apache-tomcat', 'glib', 'linux-rt', 'libtiff', 'linux-secure', 'containerd', 'openssl', 'linux', 'nodejs'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-03T00:00:00", "type": "photon", "title": "Critical Photon OS Security Update - PHSA-2021-4.0-0007", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10161", "CVE-2019-15239", "CVE-2020-11080", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-12351", "CVE-2020-14765", "CVE-2020-14769", "CVE-2020-14773", "CVE-2020-14775", "CVE-2020-14776", "CVE-2020-14777", "CVE-2020-14785", "CVE-2020-14786", "CVE-2020-14789", "CVE-2020-14790", "CVE-2020-14793", "CVE-2020-14794", "CVE-2020-14800", "CVE-2020-14804", "CVE-2020-14809", "CVE-2020-14812", "CVE-2020-14814", "CVE-2020-14821", "CVE-2020-14827", "CVE-2020-14828", "CVE-2020-14829", "CVE-2020-14830", "CVE-2020-14836", "CVE-2020-14837", "CVE-2020-14838", "CVE-2020-14839", "CVE-2020-14844", "CVE-2020-14845", "CVE-2020-14846", "CVE-2020-14848", "CVE-2020-14852", "CVE-2020-14861", "CVE-2020-14866", "CVE-2020-14867", "CVE-2020-14868", "CVE-2020-14869", "CVE-2020-14870", "CVE-2020-14873", "CVE-2020-14878", "CVE-2020-14888", "CVE-2020-14891", "CVE-2020-14893", "CVE-2020-15257", "CVE-2020-15358", "CVE-2020-17527", "CVE-2020-1971", "CVE-2020-25637", "CVE-2020-25639", "CVE-2020-27170", "CVE-2020-27171", "CVE-2020-28374", "CVE-2020-35499", "CVE-2020-35521", "CVE-2020-35522", "CVE-2020-35523", "CVE-2020-35524", "CVE-2020-36158", "CVE-2020-8265", "CVE-2020-8277", "CVE-2020-8287", "CVE-2021-2002", "CVE-2021-2010", "CVE-2021-2011", "CVE-2021-2021", "CVE-2021-2022", "CVE-2021-2024", "CVE-2021-2028", "CVE-2021-2030", "CVE-2021-2031", "CVE-2021-2032", "CVE-2021-2036", "CVE-2021-2038", "CVE-2021-2046", "CVE-2021-2048", "CVE-2021-2055", "CVE-2021-2056", "CVE-2021-2058", "CVE-2021-2060", "CVE-2021-2061", "CVE-2021-2065", "CVE-2021-2070", "CVE-2021-2072", "CVE-2021-2076", "CVE-2021-2081", "CVE-2021-2087", "CVE-2021-2088", "CVE-2021-2122", "CVE-2021-21284", "CVE-2021-21285", "CVE-2021-21334", "CVE-2021-22876", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-22890", "CVE-2021-23336", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-24122", "CVE-2021-25122", "CVE-2021-25329", "CVE-2021-26708", "CVE-2021-26930", "CVE-2021-26931", "CVE-2021-26932", "CVE-2021-27363", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-27803", "CVE-2021-28038", "CVE-2021-28039", "CVE-2021-28153", "CVE-2021-28375", "CVE-2021-29265", "CVE-2021-3177", "CVE-2021-3178", "CVE-2021-3347", "CVE-2021-3348", "CVE-2021-3444", "CVE-2021-3449", "CVE-2021-3450"], "modified": "2021-04-03T00:00:00", "id": "PHSA-2021-4.0-0007", "href": "https://github.com/vmware/photon/wiki/Security-Update-4.0-7", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "kaspersky": [{"lastseen": "2023-06-06T15:22:05", "description": "### *Detect date*:\n11/17/2020\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple vulnerabilities were found in Apache Tomcat. Malicious users can exploit these vulnerabilities to obtain sensitive information, spoof user interface.\n\n### *Affected products*:\nApache Tomcat 8.5.x earlier than 8.5.60 \nApache Tomcat 9.x earlier than 9.0.40\n\n### *Solution*:\nUpdate to the latest version \n[Tomcat 8.5 Software Downloads](<https://tomcat.apache.org/download-80.cgi>) \n[Tomcat 9 Software Downloads](<https://tomcat.apache.org/download-90.cgi>)\n\n### *Original advisories*:\n[Apache Tomcat 8.5.x vulnerabilities](<http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60>) \n[Apache Tomcat 9.x vulnerabilities](<http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Apache Tomcat](<https://threats.kaspersky.com/en/product/Apache-Tomcat/>)\n\n### *CVE-IDS*:\n[CVE-2021-24122](<https://vulners.com/cve/CVE-2021-24122>)4.3Warning \n[CVE-2020-17527](<https://vulners.com/cve/CVE-2020-17527>)5.0Critical", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-11-17T00:00:00", "type": "kaspersky", "title": "KLA12087 Multiple vulnerabilities in Apache Tomcat", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527", "CVE-2021-24122"], "modified": "2021-02-16T00:00:00", "id": "KLA12087", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12087/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "tomcat": [{"lastseen": "2023-06-07T13:58:01", "description": "**Important: Information disclosure** [CVE-2021-24122](<https://vulners.com/cve/CVE-2021-24122>)\n\nWhen serving resources from a network location using the NTFS file system it was possible to bypass security constraints and/or view the source code for JSPs in some configurations. The root cause was the unexpected behaviour of the JRE API *File.getCanonicalPath()* which in turn was caused by the inconsistent behaviour of the Windows API (*FindFirstFileW*) in some circumstances. \n\nThis was fixed with commit [935fc558](<https://github.com/apache/tomcat/commit/935fc5582dc25ae10bab6f9d5629ff8d996cb533>).\n\nThis issue was reported the Apache Tomcat Security team by Ilja Brander on 26 October 2020. The issue was made public on 14 January 2021.\n\nAffects: 9.0.0.M1 to 9.0.39\n\n**Moderate: HTTP/2 request header mix-up** [CVE-2020-17527](<https://vulners.com/cve/CVE-2020-17527>)\n\nWhile investigating issue [64830](<https://bz.apache.org/bugzilla/show_bug.cgi?id=64830>) it was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. \n\nThis was fixed with commit [d56293f8](<https://github.com/apache/tomcat/commit/d56293f816d6dc9e2b47107f208fa9e95db58c65>).\n\nThis issue was identified by the Apache Tomcat Security team on 10 November 2020. The issue was made public on 3 December 2020.\n\nAffects: 9.0.0-M1 to 9.0.39", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-11-17T00:00:00", "type": "tomcat", "title": "Fixed in Apache Tomcat 9.0.40", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527", "CVE-2021-24122"], "modified": "2020-11-17T00:00:00", "id": "TOMCAT:324E50A03961FCE2265C4097A2D9383A", "href": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-07T13:58:01", "description": "**Important: Information disclosure** [CVE-2021-24122](<https://vulners.com/cve/CVE-2021-24122>)\n\nWhen serving resources from a network location using the NTFS file system it was possible to bypass security constraints and/or view the source code for JSPs in some configurations. The root cause was the unexpected behaviour of the JRE API *File.getCanonicalPath()* which in turn was caused by the inconsistent behaviour of the Windows API (*FindFirstFileW*) in some circumstances. \n\nThis was fixed with commit [7f004ac4](<https://github.com/apache/tomcat/commit/7f004ac4531c45f9a2a2d1470561fe135cf27bc2>).\n\nThis issue was reported the Apache Tomcat Security team by Ilja Brander on 26 October 2020. The issue was made public on 14 January 2021.\n\nAffects: 10.0.0-M1 to 10.0.0-M9\n\n**Moderate: HTTP/2 request header mix-up** [CVE-2020-17527](<https://vulners.com/cve/CVE-2020-17527>)\n\nWhile investigating issue [64830](<https://bz.apache.org/bugzilla/show_bug.cgi?id=64830>) it was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. \n\nThis was fixed with commit [8d2fe689](<https://github.com/apache/tomcat/commit/8d2fe6894d6e258a6d615d7f786acca80e6020cb>).\n\nThis issue was identified by the Apache Tomcat Security team on 10 November 2020. The issue was made public on 3 December 2020.\n\nAffects: 10.0.0-M1 to 10.0.0-M9", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-11-17T00:00:00", "type": "tomcat", "title": "Fixed in Apache Tomcat 10.0.0-M10", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527", "CVE-2021-24122"], "modified": "2020-11-17T00:00:00", "id": "TOMCAT:297A2EAE99263A165E24C66156B7872A", "href": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M10", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-07T13:58:02", "description": "**Important: Information disclosure** [CVE-2021-24122](<https://vulners.com/cve/CVE-2021-24122>)\n\nWhen serving resources from a network location using the NTFS file system it was possible to bypass security constraints and/or view the source code for JSPs in some configurations. The root cause was the unexpected behaviour of the JRE API *File.getCanonicalPath()* which in turn was caused by the inconsistent behaviour of the Windows API (*FindFirstFileW*) in some circumstances. \n\nThis was fixed with commit [920dddbd](<https://github.com/apache/tomcat/commit/920dddbdb981f92e8d5872a4bb126a10af5ca8a9>).\n\nThis issue was reported the Apache Tomcat Security team by Ilja Brander on 26 October 2020. The issue was made public on 14 January 2021.\n\nAffects: 8.5.0 to 8.5.59\n\n**Moderate: HTTP/2 request header mix-up** [CVE-2020-17527](<https://vulners.com/cve/CVE-2020-17527>)\n\nWhile investigating issue [64830](<https://bz.apache.org/bugzilla/show_bug.cgi?id=64830>) it was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. \n\nThis was fixed with commit [21e34086](<https://github.com/apache/tomcat/commit/21e3408671aac7e0d7e264e720cac8b1b189eb29>).\n\nThis issue was identified by the Apache Tomcat Security team on 10 November 2020. The issue was made public on 3 December 2020.\n\nAffects: 8.5.0 to 8.5.59", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-11-17T00:00:00", "type": "tomcat", "title": "Fixed in Apache Tomcat 8.5.60", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17527", "CVE-2021-24122"], "modified": "2020-11-17T00:00:00", "id": "TOMCAT:BAAFFB46A35FA23A4961B3B00F383DC9", "href": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "redhat": [{"lastseen": "2023-08-16T15:29:43", "description": "Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.\n\nThis release of Red Hat support for Spring Boot 2.4.9 serves as a replacement for Red Hat support for Spring Boot 2.3.10 and includes security, bug fixes, and enhancements. For more information, see the release notes listed in the References section.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat HTTP/2 Request mix-up (CVE-2020-13943)\n\n* tomcat: HTTP/2 request header mix-up (CVE-2020-17527)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-28T07:47:56", "type": "redhat", "title": "(RHSA-2021:4012) Moderate: Red Hat support for Spring Boot 2.4.9 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13943", "CVE-2020-17527"], "modified": "2021-10-28T07:48:42", "id": "RHSA-2021:4012", "href": "https://access.redhat.com/errata/RHSA-2021:4012", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-16T15:33:04", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 5.4.1 serves as a replacement for Red Hat JBoss Web Server 5.4.0, and includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat HTTP/2 Request mix-up (CVE-2020-13943)\n* tomcat: HTTP/2 request header mix-up (CVE-2020-17527)\n* tomcat: Information disclosure when using NTFS file system (CVE-2021-24122)\n* openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-02-11T13:39:58", "type": "redhat", "title": "(RHSA-2021:0494) Moderate: Red Hat JBoss Web Server 5.4.1 Security Update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13943", "CVE-2020-17527", "CVE-2020-1971", "CVE-2021-24122"], "modified": "2021-02-11T13:46:01", "id": "RHSA-2021:0494", "href": "https://access.redhat.com/errata/RHSA-2021:0494", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-16T15:33:04", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 5.4.1 serves as a replacement for Red Hat JBoss Web Server 5.4.0, and includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes, linked to in the References.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat HTTP/2 Request mix-up (CVE-2020-13943)\n* tomcat: HTTP/2 request header mix-up (CVE-2020-17527)\n* tomcat: Information disclosure when using NTFS file system (CVE-2021-24122)\n* openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-02-11T13:46:15", "type": "redhat", "title": "(RHSA-2021:0495) Moderate: Red Hat JBoss Web Server 5.4.1 Security Update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13943", "CVE-2020-17527", "CVE-2020-1971", "CVE-2021-24122"], "modified": "2021-02-11T13:47:03", "id": "RHSA-2021:0495", "href": "https://access.redhat.com/errata/RHSA-2021:0495", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-16T15:27:36", "description": "This release of Red Hat Fuse 7.10.0 serves as a replacement for Red Hat Fuse 7.9, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-core (CVE-2020-9488, CVE-2021-44228)\n\n* nodejs-lodash (CVE-2019-10744)\n\n* libthrift (CVE-2020-13949)\n\n* xstream (CVE-2020-26217, CVE-2020-26259, CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351)\n\n* undertow (CVE-2020-27782, CVE-2021-3597, CVE-2021-3629, CVE-2021-3690)\n\n* xmlbeans (CVE-2021-23926)\n\n* batik (CVE-2020-11987)\n\n* xmlgraphics-commons (CVE-2020-11988)\n\n* tomcat (CVE-2020-13943)\n\n* bouncycastle (CVE-2020-15522, CVE-2020-15522)\n\n* groovy (CVE-2020-17521)\n\n* tomcat (CVE-2020-17527)\n\n* jetty (CVE-2020-27218, CVE-2020-27223, CVE-2021-28163, CVE-2021-28164, CVE-2021-28169, CVE-2021-34428)\n\n* jackson-dataformat-cbor (CVE-2020-28491)\n\n* jboss-remoting (CVE-2020-35510)\n\n* kubernetes-client (CVE-2021-20218)\n\n* netty (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409)\n\n* spring-web (CVE-2021-22118)\n\n* cxf-core (CVE-2021-22696)\n\n* json-smart (CVE-2021-27568)\n\n* jakarta.el (CVE-2021-28170)\n\n* commons-io (CVE-2021-29425)\n\n* sshd-core (CVE-2021-30129)\n\n* cxf-rt-rs-json-basic (CVE-2021-30468)\n\n* netty-codec (CVE-2021-37136, CVE-2021-37137)\n\n* jsoup (CVE-2021-37714)\n\n* poi (CVE-2019-12415)\n\n* mysql-connector-java (CVE-2020-2875, CVE-2020-2934)\n\n* wildfly (CVE-2021-3536)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T21:27:54", "type": "redhat", "title": "(RHSA-2021:5134) Critical: Red Hat Fuse 7.10.0 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10744", "CVE-2019-12415", "CVE-2020-11987", "CVE-2020-11988", "CVE-2020-13943", "CVE-2020-13949", "CVE-2020-15522", "CVE-2020-17521", "CVE-2020-17527", "CVE-2020-26217", "CVE-2020-26259", "CVE-2020-27218", "CVE-2020-27223", "CVE-2020-27782", "CVE-2020-28491", "CVE-2020-2875", "CVE-2020-2934", "CVE-2020-35510", "CVE-2020-9488", "CVE-2021-20218", "CVE-2021-21290", "CVE-2021-21295", "CVE-2021-21341", "CVE-2021-21342", "CVE-2021-21343", "CVE-2021-21344", "CVE-2021-21345", "CVE-2021-21346", "CVE-2021-21347", "CVE-2021-21348", "CVE-2021-21349", "CVE-2021-21350", "CVE-2021-21351", "CVE-2021-21409", "CVE-2021-22118", "CVE-2021-22696", "CVE-2021-23926", "CVE-2021-27568", "CVE-2021-28163", "CVE-2021-28164", "CVE-2021-28169", "CVE-2021-28170", "CVE-2021-29425", "CVE-2021-30129", "CVE-2021-30468", "CVE-2021-34428", "CVE-2021-3536", "CVE-2021-3597", "CVE-2021-3629", "CVE-2021-3690", "CVE-2021-37136", "CVE-2021-37137", "CVE-2021-37714", "CVE-2021-44228"], "modified": "2021-12-14T21:28:27", "id": "RHSA-2021:5134", "href": "https://access.redhat.com/errata/RHSA-2021:5134", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2023-06-06T15:30:24", "description": "## Releases\n\n * Ubuntu 20.04 LTS\n * Ubuntu 18.04 ESM\n\n## Packages\n\n * tomcat9 \\- Apache Tomcat 9 - Servlet and JSP engine\n\nIt was discovered that Tomcat incorrectly performed input verification. \nA remote attacker could possibly use this issue to intercept sensitive \ninformation. (CVE-2020-13943, CVE-2020-17527, CVE-2021-25122, CVE-2021-30640)\n\nIt was discovered that Tomcat did not properly deserialize untrusted data. \nAn attacker could possibly use this issue to execute arbitrary code. \n(CVE-2020-9484, CVE-2021-33037)\n\nIt was discovered that Tomcat did not properly validate the input length. An \nattacker could possibly use this to trigger an infinite loop, resulting in a \ndenial of service. (CVE-2021-25329, CVE-2021-41079)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-31T00:00:00", "type": "ubuntu", "title": "Tomcat vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13943", "CVE-2020-17527", "CVE-2020-9484", "CVE-2021-25122", "CVE-2021-25329", "CVE-2021-30640", "CVE-2021-33037", "CVE-2021-41079"], "modified": "2022-03-31T00:00:00", "id": "USN-5360-1", "href": "https://ubuntu.com/security/notices/USN-5360-1", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "symantec": [{"lastseen": "2022-01-11T11:31:58", "description": "**Summary**\n\nSymantec Network and Information Security (NIS) products using affected versions of Apache Tomcat may be susceptible to multiple vulnerabilities. A remote attacker may be able to execute arbitrary code on the target server, observe HTTP responses for other users' requests, obtain JSP source code, or cause denial of service.\n\n**Affected Product(s)**\n\nThe following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.\n\n**Management Center (MC)** \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2020-13935 | 3.0 | Upgrade to later release with fixes. \n3.1, 3.2 | Remediation is not available at this time. \n \n** \nAdditional Product Information**\n\nThe following products are not vulnerable: \n**Advanced Secure Gateway (ASG) \nAuthConnector \nBCAAA \nContent Analysis (CA) \nGeneral Auth Connector Login Application \nPacketShaper S-Series \nPolicyCenter S-Series \nProxySG \nReporter \nSecurity Analytics \nSSL Visibility (SSLV) \n****Symantec Messaging Gateway (SMG) \nUnified Agent \nWeb Isolation \nWSS Agent** \n**WSS Mobile Agent**\n\nThe following products are under investigation:** \nHSM Agent**\n\n**Issue Details**\n\n**CVE-2020-9484** \n--- \n**Severity / CVSS v3.1:** | High / 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n**References:** | NVD: [CVE-2020-9484](<https://nvd.nist.gov/vuln/detail/CVE-2020-9484>) \n**Impact:** | Remote code execution \n**Description:** | A deserialization flaw allows a remote attacker to send crafted requests and execute arbitrary code on the target system. The attacker must have control over a file stored on the target system. \n \n \n\n**CVE-2020-11996** \n--- \n**Severity / CVSS v3.1:** | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n**References:** | NVD: [CVE-2020-11996](<https://nvd.nist.gov/vuln/detail/CVE-2020-11996>) \n**Impact:** | Denial of service \n**Description:** | A flaw in HTTP/2 request handling allows a remote attacker to send crafted requests on concurrent HTTP/2 connections and cause denial of service through excessive CPU utilization. \n \n \n\n**CVE-2020-13934** \n--- \n**Severity / CVSS v3.1:** | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n**References:** | NVD: [CVE-2020-13934](<https://nvd.nist.gov/vuln/detail/CVE-2020-13934>) \n**Impact:** | Denial of service \n**Description:** | A flaw in HTTP/1.1 to HTTP/2 protocol upgrade handling in direct h2c connections allows a remote attacker to cause denial of service through excessive memory utilization. \n \n \n\n**CVE-2020-13935** \n--- \n**Severity / CVSS v3.1:** | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n**References:** | NVD: [CVE-2020-13935](<https://nvd.nist.gov/vuln/detail/CVE-2020-13935>) \n**Impact:** | Denial of service \n**Description:** | A flaw in WebSocket frame handling allows a remote attacker to cause denial of service through infinite CPU loops. \n \n \n\n**CVE-2020-13943** \n--- \n**Severity / CVSS v3.1:** | Medium / 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n**References:** | NVD: [CVE-2020-13943](<https://nvd.nist.gov/vuln/detail/CVE-2020-13943>) \n**Impact:** | Information disclosure \n**Description:** | A flaw in HTTP/2 concurrent stream handling can cause a remote attacker to cause users to see responses for other users' requests. This is a different vulnerability from CVE-2020-17527. \n \n \n\n**CVE-2020-17527** \n--- \n**Severity / CVSS v3.1:** | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n**References:** | NVD: [CVE-2020-17527](<https://nvd.nist.gov/vuln/detail/CVE-2020-17527>) \n**Impact:** | Information disclosure \n**Description:** | A flaw in HTTP/2 concurrent stream handling can cause a remote attacker to cause users to see responses for other users' requests. This is a different vulnerability from CVE-2020-13943. \n \n \n\n**CVE-2021-24122** \n--- \n**Severity / CVSS v3.1:** | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n**References:** | NVD: [CVE-2021-24122](<https://nvd.nist.gov/vuln/detail/CVE-2021-24122>) \n**Impact:** | Information disclosure \n**Description:** | A flaw in server-side source code handling allows a remote attacker to obtain JSP source code from a Windows-based server. \n \n \n\n**CVE-2021-25122** \n--- \n**Severity / CVSS v3.1:** | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n**References:** | NVD: [CVE-2021-25122](<https://nvd.nist.gov/vuln/detail/CVE-2021-25122>) \n**Impact:** | Information disclosure \n**Description:** | A flaw in new HTTP/2 h2c request handling can cause a remote attacker to cause users to see responses for other users' requests. \n \n \n\n**CVE-2021-25329** \n--- \n**Severity / CVSS v3.1:** | High / 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n**References:** | NVD: [CVE-2021-25329](<https://nvd.nist.gov/vuln/detail/CVE-2021-25329>) \n**Impact:** | Remote code execution \n**Description:** | A deserialization flaw allows a remote attacker to send crafted requests and execute arbitrary code on the target system. The attacker must have control over a file stored on the target system. This is caused by an incomplete fix to CVE-2020-9484. \n \n \n\n**Mitigation**\n\nCVE-2020-13935 is exploitable in MC only when authenticated MC users send invalid WebSocket frames to the web management console.\n\n**References**\n\nApache Tomcat 7 vulnerabilities - <http://tomcat.apache.org/security-7.html> \nApache Tomcat 8 vulnerabilities - <http://tomcat.apache.org/security-8.html> \nApache Tomcat 9 vulnerabilities - <http://tomcat.apache.org/security-9.html> \nApache Tomcat 7 vulnerabilities - <http://tomcat.apache.org/security-10.html>\n\n**Revisions**\n\n2021-08-12 MC 3.2 is vulnerable to CVE-2020-13935. \n2021-06-01 A fix for MC 3.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2021-03-16 initial public release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-03-16T19:59:07", "type": "symantec", "title": "Apache Tomcat Vulnerabilities May 2020 - Mar 2021", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11996", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13943", "CVE-2020-17527", "CVE-2020-9484", "CVE-2021-24122", "CVE-2021-25122", "CVE-2021-25329"], "modified": "2022-01-10T20:23:58", "id": "SMNTC-17650", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "oracle": [{"lastseen": "2023-09-25T08:21:00", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 342 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ July 2021 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2788740.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-20T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - July 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0881", "CVE-2015-0254", "CVE-2016-0762", "CVE-2016-4429", "CVE-2017-14735", "CVE-2017-16931", "CVE-2017-3735", "CVE-2017-5461", "CVE-2017-5637", "CVE-2017-7656", "CVE-2017-7657", "CVE-2017-7658", "CVE-2017-9735", "CVE-2018-0737", "CVE-2018-0739", "CVE-2018-15686", "CVE-2018-21010", "CVE-2018-7160", "CVE-2018-7183", "CVE-2019-0190", "CVE-2019-0201", "CVE-2019-0205", "CVE-2019-0210", "CVE-2019-0219", "CVE-2019-0228", "CVE-2019-10086", "CVE-2019-10173", "CVE-2019-10746", "CVE-2019-11358", "CVE-2019-12260", "CVE-2019-12399", "CVE-2019-12402", "CVE-2019-12415", "CVE-2019-12973", "CVE-2019-13990", "CVE-2019-15604", "CVE-2019-15605", "CVE-2019-15606", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17195", "CVE-2019-17531", "CVE-2019-17543", "CVE-2019-17545", "CVE-2019-17566", "CVE-2019-20330", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-2897", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-5063", "CVE-2019-5064", "CVE-2020-10543", "CVE-2020-10683", "CVE-2020-10878", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11612", "CVE-2020-11868", "CVE-2020-11973", "CVE-2020-11979", "CVE-2020-11987", "CVE-2020-11988", "CVE-2020-11998", "CVE-2020-12723", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13949", "CVE-2020-13956", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14195", "CVE-2020-14756", "CVE-2020-15389", "CVE-2020-17521", "CVE-2020-17527", "CVE-2020-17530", "CVE-2020-1941", "CVE-2020-1945", "CVE-2020-1967", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24553", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-2555", "CVE-2020-25638", "CVE-2020-25648", "CVE-2020-25649", "CVE-2020-2604", "CVE-2020-26217", "CVE-2020-26870", "CVE-2020-27193", "CVE-2020-27216", "CVE-2020-27218", "CVE-2020-27783", "CVE-2020-27814", "CVE-2020-27841", "CVE-2020-27842", "CVE-2020-27843", "CVE-2020-27844", "CVE-2020-27845", "CVE-2020-28052", "CVE-2020-28196", "CVE-2020-28928", "CVE-2020-29582", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-5258", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-5413", "CVE-2020-5421", "CVE-2020-7016", "CVE-2020-7017", "CVE-2020-7712", "CVE-2020-7733", "CVE-2020-7760", "CVE-2020-8174", "CVE-2020-8203", "CVE-2020-8277", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8554", "CVE-2020-8908", "CVE-2020-9484", "CVE-2020-9489", "CVE-2021-20190", "CVE-2021-20227", "CVE-2021-21275", "CVE-2021-21290", "CVE-2021-21341", "CVE-2021-21342", "CVE-2021-21343", "CVE-2021-21344", "CVE-2021-21345", "CVE-2021-21346", "CVE-2021-21347", "CVE-2021-21348", "CVE-2021-21349", "CVE-2021-21350", "CVE-2021-21351", "CVE-2021-21409", "CVE-2021-22112", "CVE-2021-22118", "CVE-2021-2244", "CVE-2021-22876", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-22890", "CVE-2021-22897", "CVE-2021-22898", "CVE-2021-22901", "CVE-2021-2323", "CVE-2021-2324", "CVE-2021-2326", "CVE-2021-2328", "CVE-2021-2329", "CVE-2021-2330", "CVE-2021-2333", "CVE-2021-23336", "CVE-2021-2334", "CVE-2021-2335", "CVE-2021-2336", "CVE-2021-2337", "CVE-2021-2338", "CVE-2021-2339", "CVE-2021-2340", "CVE-2021-2341", "CVE-2021-2342", "CVE-2021-2343", "CVE-2021-2344", "CVE-2021-2345", "CVE-2021-2346", "CVE-2021-2347", "CVE-2021-2348", "CVE-2021-2349", "CVE-2021-2350", "CVE-2021-2351", "CVE-2021-2352", "CVE-2021-2353", "CVE-2021-2354", "CVE-2021-2355", "CVE-2021-2356", "CVE-2021-2357", "CVE-2021-2358", "CVE-2021-2359", "CVE-2021-2360", "CVE-2021-2361", "CVE-2021-2362", "CVE-2021-2363", "CVE-2021-2364", "CVE-2021-2365", "CVE-2021-2366", "CVE-2021-2367", "CVE-2021-2368", "CVE-2021-2369", "CVE-2021-2370", "CVE-2021-2371", "CVE-2021-2372", "CVE-2021-2373", "CVE-2021-2374", "CVE-2021-2375", "CVE-2021-2376", "CVE-2021-2377", "CVE-2021-2378", "CVE-2021-2380", "CVE-2021-2381", "CVE-2021-2382", "CVE-2021-2383", "CVE-2021-23839", "CVE-2021-2384", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-2385", "CVE-2021-2386", "CVE-2021-2387", "CVE-2021-2388", "CVE-2021-2389", "CVE-2021-2390", "CVE-2021-2391", "CVE-2021-2392", "CVE-2021-2393", "CVE-2021-2394", "CVE-2021-2395", "CVE-2021-2396", "CVE-2021-2397", "CVE-2021-2398", "CVE-2021-2399", "CVE-2021-2400", "CVE-2021-2401", "CVE-2021-2402", "CVE-2021-2403", "CVE-2021-2404", "CVE-2021-2405", "CVE-2021-2406", "CVE-2021-2407", "CVE-2021-2408", "CVE-2021-2409", "CVE-2021-2410", "CVE-2021-2411", "CVE-2021-2412", "CVE-2021-24122", "CVE-2021-2415", "CVE-2021-2417", "CVE-2021-2418", "CVE-2021-2419", "CVE-2021-2420", "CVE-2021-2421", "CVE-2021-2422", "CVE-2021-2423", "CVE-2021-2424", "CVE-2021-2425", "CVE-2021-2426", "CVE-2021-2427", "CVE-2021-2428", "CVE-2021-2429", "CVE-2021-2430", "CVE-2021-2431", "CVE-2021-2432", "CVE-2021-2433", "CVE-2021-2434", "CVE-2021-2435", "CVE-2021-2436", "CVE-2021-2437", "CVE-2021-2438", "CVE-2021-2439", "CVE-2021-2440", "CVE-2021-2441", "CVE-2021-2442", "CVE-2021-2443", "CVE-2021-2444", "CVE-2021-2445", "CVE-2021-2446", "CVE-2021-2447", "CVE-2021-2448", "CVE-2021-2449", "CVE-2021-2450", "CVE-2021-2451", "CVE-2021-2452", "CVE-2021-2453", "CVE-2021-2454", "CVE-2021-2455", "CVE-2021-2456", "CVE-2021-2457", "CVE-2021-2458", "CVE-2021-2460", "CVE-2021-2462", "CVE-2021-2463", "CVE-2021-25122", "CVE-2021-25329", "CVE-2021-26117", "CVE-2021-26271", "CVE-2021-26272", "CVE-2021-27568", "CVE-2021-27807", "CVE-2021-27906", "CVE-2021-28041", "CVE-2021-29921", "CVE-2021-30369", "CVE-2021-30640", "CVE-2021-3156", "CVE-2021-3177", "CVE-2021-31811", "CVE-2021-33037", "CVE-2021-3345", "CVE-2021-3449", "CVE-2021-3450", "CVE-2021-3520", "CVE-2021-3560"], "modified": "2021-09-03T00:00:00", "id": "ORACLE:CPUJUL2021", "href": "https://www.oracle.com/security-alerts/cpujul2021.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-24T08:22:10", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 497 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ January 2022 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2832416.1>).\n\n**Please note that on December 10, 2021, Oracle released a Security Alert for Apache Log4j vulnerabilities [CVE-2021-44228 and CVE-2021-45046](<https://www.oracle.com/security-alerts/alert-cve-2021-44228.html>). Customers should review the Alert if they have not already done so.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-18T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - January 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7103", "CVE-2018-11771", "CVE-2018-1311", "CVE-2018-1324", "CVE-2019-10086", "CVE-2019-10219", "CVE-2019-11358", "CVE-2019-13734", "CVE-2019-17091", "CVE-2019-17495", "CVE-2019-17566", "CVE-2020-10543", "CVE-2020-10683", "CVE-2020-10878", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11979", "CVE-2020-11987", "CVE-2020-12723", "CVE-2020-13817", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13936", "CVE-2020-13949", "CVE-2020-13956", "CVE-2020-14340", "CVE-2020-14642", "CVE-2020-14756", "CVE-2020-15824", "CVE-2020-17521", "CVE-2020-17527", "CVE-2020-17530", "CVE-2020-1945", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-25649", "CVE-2020-27618", "CVE-2020-28052", "CVE-2020-28469", "CVE-2020-28500", "CVE-2020-2934", "CVE-2020-29582", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-5258", "CVE-2020-5421", "CVE-2020-6950", "CVE-2020-7712", "CVE-2020-8177", "CVE-2020-8203", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8554", "CVE-2020-8908", "CVE-2020-9281", "CVE-2020-9484", "CVE-2021-20718", "CVE-2021-21409", "CVE-2021-21703", "CVE-2021-21705", "CVE-2021-21783", "CVE-2021-22118", "CVE-2021-22119", "CVE-2021-2277", "CVE-2021-22897", "CVE-2021-22898", "CVE-2021-22901", "CVE-2021-22924", "CVE-2021-22925", "CVE-2021-22926", "CVE-2021-22931", "CVE-2021-22939", "CVE-2021-22940", "CVE-2021-22946", "CVE-2021-22947", "CVE-2021-22959", "CVE-2021-22960", "CVE-2021-23017", "CVE-2021-23336", "CVE-2021-23337", "CVE-2021-2344", "CVE-2021-23440", "CVE-2021-2351", "CVE-2021-2371", "CVE-2021-23840", "CVE-2021-2428", "CVE-2021-25122", "CVE-2021-25329", "CVE-2021-26691", "CVE-2021-27568", "CVE-2021-28163", "CVE-2021-28164", "CVE-2021-28165", "CVE-2021-28169", "CVE-2021-29425", "CVE-2021-29505", "CVE-2021-29921", "CVE-2021-29923", "CVE-2021-30369", "CVE-2021-30639", "CVE-2021-30640", "CVE-2021-31684", "CVE-2021-3177", "CVE-2021-31811", "CVE-2021-31812", "CVE-2021-32012", "CVE-2021-32013", "CVE-2021-32014", "CVE-2021-32723", "CVE-2021-32808", "CVE-2021-32809", "CVE-2021-32827", "CVE-2021-33037", "CVE-2021-33193", "CVE-2021-3326", "CVE-2021-33560", "CVE-2021-33880", "CVE-2021-33909", "CVE-2021-3426", "CVE-2021-34428", "CVE-2021-34429", "CVE-2021-3448", "CVE-2021-34558", "CVE-2021-34798", "CVE-2021-35043", "CVE-2021-3516", "CVE-2021-3517", "CVE-2021-3541", "CVE-2021-35515", "CVE-2021-35516", "CVE-2021-35517", "CVE-2021-35587", "CVE-2021-35683", "CVE-2021-35684", "CVE-2021-35685", "CVE-2021-35686", "CVE-2021-35687", "CVE-2021-36090", "CVE-2021-36160", "CVE-2021-36221", "CVE-2021-3634", "CVE-2021-36373", "CVE-2021-36374", "CVE-2021-36690", "CVE-2021-3711", "CVE-2021-3712", "CVE-2021-37136", "CVE-2021-37137", "CVE-2021-37695", "CVE-2021-37714", "CVE-2021-38153", "CVE-2021-39139", "CVE-2021-39140", "CVE-2021-39141", "CVE-2021-39144", "CVE-2021-39145", "CVE-2021-39146", "CVE-2021-39147", "CVE-2021-39148", "CVE-2021-39149", "CVE-2021-39150", "CVE-2021-39151", "CVE-2021-39152", "CVE-2021-39153", "CVE-2021-39154", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-4104", "CVE-2021-41164", "CVE-2021-41165", "CVE-2021-41524", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42340", "CVE-2021-42575", "CVE-2021-43395", "CVE-2021-44224", "CVE-2021-44228", "CVE-2021-44790", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105", "CVE-2022-21242", "CVE-2022-21243", "CVE-2022-21244", "CVE-2022-21245", "CVE-2022-21246", "CVE-2022-21247", "CVE-2022-21248", "CVE-2022-21249", "CVE-2022-21250", "CVE-2022-21251", "CVE-2022-21252", "CVE-2022-21253", "CVE-2022-21254", "CVE-2022-21255", "CVE-2022-21256", "CVE-2022-21257", "CVE-2022-21258", "CVE-2022-21259", "CVE-2022-21260", "CVE-2022-21261", "CVE-2022-21262", "CVE-2022-21263", "CVE-2022-21264", "CVE-2022-21265", "CVE-2022-21266", "CVE-2022-21267", "CVE-2022-21268", "CVE-2022-21269", "CVE-2022-21270", "CVE-2022-21271", "CVE-2022-21272", "CVE-2022-21273", "CVE-2022-21274", "CVE-2022-21275", "CVE-2022-21276", "CVE-2022-21277", "CVE-2022-21278", "CVE-2022-21279", "CVE-2022-21280", "CVE-2022-21281", "CVE-2022-21282", "CVE-2022-21283", "CVE-2022-21284", "CVE-2022-21285", "CVE-2022-21286", "CVE-2022-21287", "CVE-2022-21288", "CVE-2022-21289", "CVE-2022-21290", "CVE-2022-21291", "CVE-2022-21292", "CVE-2022-21293", "CVE-2022-21294", "CVE-2022-21295", "CVE-2022-21296", "CVE-2022-21297", "CVE-2022-21298", "CVE-2022-21299", "CVE-2022-21300", "CVE-2022-21301", "CVE-2022-21302", "CVE-2022-21303", "CVE-2022-21304", "CVE-2022-21305", "CVE-2022-21306", "CVE-2022-21307", "CVE-2022-21308", "CVE-2022-21309", "CVE-2022-21310", "CVE-2022-21311", "CVE-2022-21312", "CVE-2022-21313", "CVE-2022-21314", "CVE-2022-21315", "CVE-2022-21316", "CVE-2022-21317", "CVE-2022-21318", "CVE-2022-21319", "CVE-2022-21320", "CVE-2022-21321", "CVE-2022-21322", "CVE-2022-21323", "CVE-2022-21324", "CVE-2022-21325", "CVE-2022-21326", "CVE-2022-21327", "CVE-2022-21328", "CVE-2022-21329", "CVE-2022-21330", "CVE-2022-21331", "CVE-2022-21332", "CVE-2022-21333", "CVE-2022-21334", "CVE-2022-21335", "CVE-2022-21336", "CVE-2022-21337", "CVE-2022-21338", "CVE-2022-21339", "CVE-2022-21340", "CVE-2022-21341", "CVE-2022-21342", "CVE-2022-21344", "CVE-2022-21345", "CVE-2022-21346", "CVE-2022-21347", "CVE-2022-21348", "CVE-2022-21349", "CVE-2022-21350", "CVE-2022-21351", "CVE-2022-21352", "CVE-2022-21353", "CVE-2022-21354", "CVE-2022-21355", "CVE-2022-21356", "CVE-2022-21357", "CVE-2022-21358", "CVE-2022-21359", "CVE-2022-21360", "CVE-2022-21361", "CVE-2022-21362", "CVE-2022-21363", "CVE-2022-21364", "CVE-2022-21365", "CVE-2022-21366", "CVE-2022-21367", "CVE-2022-21368", "CVE-2022-21369", "CVE-2022-21370", "CVE-2022-21371", "CVE-2022-21372", "CVE-2022-21373", "CVE-2022-21374", "CVE-2022-21375", "CVE-2022-21376", "CVE-2022-21377", "CVE-2022-21378", "CVE-2022-21379", "CVE-2022-21380", "CVE-2022-21381", "CVE-2022-21382", "CVE-2022-21383", "CVE-2022-21386", "CVE-2022-21387", "CVE-2022-21388", "CVE-2022-21389", "CVE-2022-21390", "CVE-2022-21391", "CVE-2022-21392", "CVE-2022-21393", "CVE-2022-21394", "CVE-2022-21395", "CVE-2022-21396", "CVE-2022-21397", "CVE-2022-21398", "CVE-2022-21399", "CVE-2022-21400", "CVE-2022-21401", "CVE-2022-21402", "CVE-2022-21403", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307"], "modified": "2022-03-14T00:00:00", "id": "ORACLE:CPUJAN2022", "href": "https://www.oracle.com/security-alerts/cpujan2022.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-25T08:20:57", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 391 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2021 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2765149.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-20T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2542", "CVE-2016-5725", "CVE-2016-7103", "CVE-2017-1000061", "CVE-2017-12626", "CVE-2017-14735", "CVE-2017-18640", "CVE-2017-5645", "CVE-2018-1000180", "CVE-2018-1000613", "CVE-2018-1000632", "CVE-2018-1285", "CVE-2018-14040", "CVE-2018-14041", "CVE-2018-14042", "CVE-2018-14550", "CVE-2018-14613", "CVE-2018-16884", "CVE-2018-20843", "CVE-2018-8032", "CVE-2019-0219", "CVE-2019-0221", "CVE-2019-0227", "CVE-2019-0228", "CVE-2019-0230", "CVE-2019-0232", "CVE-2019-0233", "CVE-2019-10072", "CVE-2019-10080", "CVE-2019-10086", "CVE-2019-10098", "CVE-2019-10173", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-11358", "CVE-2019-11487", "CVE-2019-11599", "CVE-2019-12086", "CVE-2019-12399", "CVE-2019-12402", "CVE-2019-12406", "CVE-2019-1241", "CVE-2019-12415", "CVE-2019-12419", "CVE-2019-12423", "CVE-2019-14379", "CVE-2019-14898", "CVE-2019-15218", "CVE-2019-1551", "CVE-2019-16746", "CVE-2019-16942", "CVE-2019-17075", "CVE-2019-17133", "CVE-2019-17195", "CVE-2019-17495", "CVE-2019-17566", "CVE-2019-17571", "CVE-2019-17573", "CVE-2019-17632", "CVE-2019-17638", "CVE-2019-18885", "CVE-2019-19052", "CVE-2019-19063", "CVE-2019-19066", "CVE-2019-19073", "CVE-2019-19074", "CVE-2019-19078", "CVE-2019-19535", "CVE-2019-19922", "CVE-2019-20812", "CVE-2019-2904", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-3773", "CVE-2019-3874", "CVE-2019-3900", "CVE-2019-5063", "CVE-2019-5064", "CVE-2019-5108", "CVE-2019-5428", "CVE-2019-7317", "CVE-2019-8331", "CVE-2020-10188", "CVE-2020-10543", "CVE-2020-10683", "CVE-2020-10751", "CVE-2020-10769", "CVE-2020-10878", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11612", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-11973", "CVE-2020-11979", "CVE-2020-11987", "CVE-2020-11994", "CVE-2020-11998", "CVE-2020-12114", "CVE-2020-12723", "CVE-2020-12771", "CVE-2020-13434", "CVE-2020-13435", "CVE-2020-13871", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13943", "CVE-2020-13954", "CVE-2020-13956", "CVE-2020-14039", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14195", "CVE-2020-1472", "CVE-2020-15358", "CVE-2020-15586", "CVE-2020-16166", "CVE-2020-16845", "CVE-2020-17521", "CVE-2020-17527", "CVE-2020-17530", "CVE-2020-1927", "CVE-2020-1941", "CVE-2020-1945", "CVE-2020-1967", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24394", "CVE-2020-24553", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-25649", "CVE-2020-26217", "CVE-2020-26418", "CVE-2020-26419", "CVE-2020-26420", "CVE-2020-26421", "CVE-2020-26422", "CVE-2020-27193", "CVE-2020-27216", "CVE-2020-27218", "CVE-2020-27223", "CVE-2020-27841", "CVE-2020-27842", "CVE-2020-27843", "CVE-2020-27844", "CVE-2020-27845", "CVE-2020-28052", "CVE-2020-28196", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-5359", "CVE-2020-5360", "CVE-2020-5398", "CVE-2020-5407", "CVE-2020-5408", "CVE-2020-5413", "CVE-2020-5421", "CVE-2020-7059", "CVE-2020-7060", "CVE-2020-7069", "CVE-2020-7760", "CVE-2020-7774", "CVE-2020-7919", "CVE-2020-8203", "CVE-2020-8277", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8908", "CVE-2020-9281", "CVE-2020-9327", "CVE-2020-9480", "CVE-2020-9484", "CVE-2020-9488", "CVE-2020-9489", "CVE-2021-2008", "CVE-2021-20227", "CVE-2021-2053", "CVE-2021-21290", "CVE-2021-2134", "CVE-2021-21345", "CVE-2021-2135", "CVE-2021-2136", "CVE-2021-2140", "CVE-2021-2141", "CVE-2021-2142", "CVE-2021-2144", "CVE-2021-2145", "CVE-2021-2146", "CVE-2021-2147", "CVE-2021-2149", "CVE-2021-2150", "CVE-2021-2151", "CVE-2021-2152", "CVE-2021-2153", "CVE-2021-2154", "CVE-2021-2155", "CVE-2021-2156", "CVE-2021-2157", "CVE-2021-2158", "CVE-2021-2159", "CVE-2021-2160", "CVE-2021-2161", "CVE-2021-2162", "CVE-2021-2163", "CVE-2021-2164", "CVE-2021-2166", "CVE-2021-2167", "CVE-2021-2169", "CVE-2021-2170", "CVE-2021-2171", "CVE-2021-2172", "CVE-2021-2173", "CVE-2021-2174", "CVE-2021-2175", "CVE-2021-2177", "CVE-2021-2178", "CVE-2021-2179", "CVE-2021-2180", "CVE-2021-2181", "CVE-2021-2182", "CVE-2021-2183", "CVE-2021-2184", "CVE-2021-2185", "CVE-2021-2186", "CVE-2021-2187", "CVE-2021-2188", "CVE-2021-2189", "CVE-2021-2190", "CVE-2021-2191", "CVE-2021-2192", "CVE-2021-2193", "CVE-2021-2194", "CVE-2021-2195", "CVE-2021-2196", "CVE-2021-2197", "CVE-2021-2198", "CVE-2021-2199", "CVE-2021-2200", "CVE-2021-2201", "CVE-2021-2202", "CVE-2021-2203", "CVE-2021-2204", "CVE-2021-2205", "CVE-2021-2206", "CVE-2021-2207", "CVE-2021-2208", "CVE-2021-2209", "CVE-2021-2210", "CVE-2021-2211", "CVE-2021-22112", "CVE-2021-2212", "CVE-2021-2213", "CVE-2021-2214", "CVE-2021-2215", "CVE-2021-2216", "CVE-2021-2217", "CVE-2021-22173", "CVE-2021-22174", "CVE-2021-2218", "CVE-2021-2219", "CVE-2021-22191", "CVE-2021-2220", "CVE-2021-2221", "CVE-2021-2222", "CVE-2021-2223", "CVE-2021-2224", "CVE-2021-2225", "CVE-2021-2226", "CVE-2021-2227", "CVE-2021-2228", "CVE-2021-2229", "CVE-2021-2230", "CVE-2021-2231", "CVE-2021-2232", "CVE-2021-2233", "CVE-2021-2234", "CVE-2021-2235", "CVE-2021-2236", "CVE-2021-2237", "CVE-2021-2238", "CVE-2021-2239", "CVE-2021-2240", "CVE-2021-2241", "CVE-2021-2242", "CVE-2021-2244", "CVE-2021-2245", "CVE-2021-2246", "CVE-2021-2247", "CVE-2021-2248", "CVE-2021-2249", "CVE-2021-2250", "CVE-2021-2251", "CVE-2021-2252", "CVE-2021-2253", "CVE-2021-2254", "CVE-2021-2255", "CVE-2021-2256", "CVE-2021-2257", "CVE-2021-2258", "CVE-2021-2259", "CVE-2021-2260", "CVE-2021-2261", "CVE-2021-2262", "CVE-2021-2263", "CVE-2021-2264", "CVE-2021-2266", "CVE-2021-2267", "CVE-2021-2268", "CVE-2021-2269", "CVE-2021-2270", "CVE-2021-2271", "CVE-2021-2272", "CVE-2021-2273", "CVE-2021-2274", "CVE-2021-2275", "CVE-2021-2276", "CVE-2021-2277", "CVE-2021-2278", "CVE-2021-2279", "CVE-2021-2280", "CVE-2021-2281", "CVE-2021-2282", "CVE-2021-2283", "CVE-2021-2284", "CVE-2021-2285", "CVE-2021-2286", "CVE-2021-2287", "CVE-2021-2288", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-2289", "CVE-2021-2290", "CVE-2021-2291", "CVE-2021-2292", "CVE-2021-2293", "CVE-2021-2294", "CVE-2021-2295", "CVE-2021-2296", "CVE-2021-2297", "CVE-2021-2298", "CVE-2021-2299", "CVE-2021-2300", "CVE-2021-2301", "CVE-2021-2302", "CVE-2021-2303", "CVE-2021-2304", "CVE-2021-2305", "CVE-2021-2306", "CVE-2021-2307", "CVE-2021-2308", "CVE-2021-2309", "CVE-2021-2310", "CVE-2021-2311", "CVE-2021-2312", "CVE-2021-2314", "CVE-2021-2315", "CVE-2021-2316", "CVE-2021-2317", "CVE-2021-2318", "CVE-2021-2319", "CVE-2021-2320", "CVE-2021-2321", "CVE-2021-23336", "CVE-2021-23839", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-3449", "CVE-2021-3450"], "modified": "2021-09-04T00:00:00", "id": "ORACLE:CPUAPR2021", "href": "https://www.oracle.com/security-alerts/cpuapr2021.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T08:08:31", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 520 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2022 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2857016.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-19T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000353", "CVE-2017-14159", "CVE-2017-17740", "CVE-2017-9287", "CVE-2018-1000067", "CVE-2018-1000068", "CVE-2018-1000192", "CVE-2018-1000193", "CVE-2018-1000194", "CVE-2018-1000195", "CVE-2018-11212", "CVE-2018-1285", "CVE-2018-1999001", "CVE-2018-1999002", "CVE-2018-1999003", "CVE-2018-1999004", "CVE-2018-1999005", "CVE-2018-1999007", "CVE-2018-2601", "CVE-2018-6356", "CVE-2018-8032", "CVE-2019-0227", "CVE-2019-1003049", "CVE-2019-1003050", "CVE-2019-10086", "CVE-2019-10247", "CVE-2019-10383", "CVE-2019-10384", "CVE-2019-12086", "CVE-2019-12399", "CVE-2019-12402", "CVE-2019-13038", "CVE-2019-13057", "CVE-2019-13565", "CVE-2019-13750", "CVE-2019-13751", "CVE-2019-14822", "CVE-2019-14862", "CVE-2019-16785", "CVE-2019-16786", "CVE-2019-16789", "CVE-2019-16792", "CVE-2019-17195", "CVE-2019-17571", "CVE-2019-18218", "CVE-2019-18276", "CVE-2019-19603", "CVE-2019-20388", "CVE-2019-20838", "CVE-2019-20916", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-3799", "CVE-2019-5827", "CVE-2020-10531", "CVE-2020-10543", "CVE-2020-10693", "CVE-2020-10878", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11080", "CVE-2020-11612", "CVE-2020-11971", "CVE-2020-11979", "CVE-2020-12243", "CVE-2020-12723", "CVE-2020-13434", "CVE-2020-13435", "CVE-2020-13935", "CVE-2020-13936", "CVE-2020-13956", "CVE-2020-14155", "CVE-2020-14340", "CVE-2020-14343", "CVE-2020-15250", "CVE-2020-15358", "CVE-2020-15719", "CVE-2020-16135", "CVE-2020-17521", "CVE-2020-17527", "CVE-2020-17530", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-24977", "CVE-2020-25638", "CVE-2020-25649", "CVE-2020-25659", "CVE-2020-27218", "CVE-2020-28052", "CVE-2020-28196", "CVE-2020-28895", "CVE-2020-29363", "CVE-2020-29582", "CVE-2020-35198", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-36242", "CVE-2020-36518", "CVE-2020-5245", "CVE-2020-5413", "CVE-2020-5421", "CVE-2020-6950", "CVE-2020-7226", "CVE-2020-7595", "CVE-2020-7760", "CVE-2020-8172", "CVE-2020-8174", "CVE-2020-8203", "CVE-2020-8231", "CVE-2020-8277", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8554", "CVE-2020-8908", "CVE-2020-9488", "CVE-2021-20231", "CVE-2021-20232", "CVE-2021-20289", "CVE-2021-21275", "CVE-2021-21290", "CVE-2021-21295", "CVE-2021-21409", "CVE-2021-21703", "CVE-2021-22096", "CVE-2021-22118", "CVE-2021-22132", "CVE-2021-22134", "CVE-2021-22144", "CVE-2021-22145", "CVE-2021-22569", "CVE-2021-22570", "CVE-2021-22696", "CVE-2021-22897", "CVE-2021-22898", "CVE-2021-22901", "CVE-2021-22946", "CVE-2021-22947", "CVE-2021-23017", "CVE-2021-23450", "CVE-2021-2351", "CVE-2021-23839", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-2427", "CVE-2021-2464", "CVE-2021-2471", "CVE-2021-25219", "CVE-2021-26291", "CVE-2021-27568", "CVE-2021-27645", "CVE-2021-27807", "CVE-2021-27906", "CVE-2021-28168", "CVE-2021-28169", "CVE-2021-28170", "CVE-2021-28657", "CVE-2021-29425", "CVE-2021-29505", "CVE-2021-29921", "CVE-2021-30129", "CVE-2021-30468", "CVE-2021-3156", "CVE-2021-31799", "CVE-2021-31810", "CVE-2021-31811", "CVE-2021-31812", "CVE-2021-3200", "CVE-2021-32066", "CVE-2021-32626", "CVE-2021-32627", "CVE-2021-32628", "CVE-2021-32672", "CVE-2021-32675", "CVE-2021-32687", "CVE-2021-32762", "CVE-2021-32785", "CVE-2021-32786", "CVE-2021-32791", "CVE-2021-32792", "CVE-2021-33037", "CVE-2021-33193", "CVE-2021-33560", "CVE-2021-33574", "CVE-2021-33813", "CVE-2021-33880", "CVE-2021-34429", "CVE-2021-3445", "CVE-2021-3449", "CVE-2021-3450", "CVE-2021-34798", "CVE-2021-35043", "CVE-2021-3517", "CVE-2021-3518", "CVE-2021-3520", "CVE-2021-3521", "CVE-2021-3537", "CVE-2021-35515", "CVE-2021-35516", "CVE-2021-35517", "CVE-2021-35574", "CVE-2021-3572", "CVE-2021-3580", "CVE-2021-35942", "CVE-2021-36084", "CVE-2021-36085", "CVE-2021-36086", "CVE-2021-36087", "CVE-2021-36090", "CVE-2021-36160", "CVE-2021-36373", "CVE-2021-36374", "CVE-2021-3690", "CVE-2021-3711", "CVE-2021-3712", "CVE-2021-37136", "CVE-2021-37137", "CVE-2021-37714", "CVE-2021-3807", "CVE-2021-38153", "CVE-2021-39139", "CVE-2021-39140", "CVE-2021-39141", "CVE-2021-39144", "CVE-2021-39145", "CVE-2021-39146", "CVE-2021-39147", "CVE-2021-39148", "CVE-2021-39149", "CVE-2021-39150", "CVE-2021-39151", "CVE-2021-39152", "CVE-2021-39153", "CVE-2021-39154", "CVE-2021-39275", "CVE-2021-4034", "CVE-2021-40438", "CVE-2021-40690", "CVE-2021-4104", "CVE-2021-41099", "CVE-2021-41164", "CVE-2021-41165", "CVE-2021-41182", "CVE-2021-41183", "CVE-2021-41184", "CVE-2021-4160", "CVE-2021-41617", "CVE-2021-4181", "CVE-2021-4182", "CVE-2021-4183", "CVE-2021-4184", "CVE-2021-4185", "CVE-2021-41973", "CVE-2021-42013", "CVE-2021-42340", "CVE-2021-42392", "CVE-2021-42717", "CVE-2021-43395", "CVE-2021-43527", "CVE-2021-43797", "CVE-2021-43818", "CVE-2021-43859", "CVE-2021-44224", "CVE-2021-44531", "CVE-2021-44532", "CVE-2021-44533", "CVE-2021-44790", "CVE-2021-44832", "CVE-2021-45105", "CVE-2022-0391", "CVE-2022-0778", "CVE-2022-20612", "CVE-2022-20613", "CVE-2022-20614", "CVE-2022-20615", "CVE-2022-21271", "CVE-2022-21375", "CVE-2022-21384", "CVE-2022-21404", "CVE-2022-21405", "CVE-2022-21409", "CVE-2022-21410", "CVE-2022-21411", "CVE-2022-21412", "CVE-2022-21413", "CVE-2022-21414", "CVE-2022-21415", "CVE-2022-21416", "CVE-2022-21417", "CVE-2022-21418", "CVE-2022-21419", "CVE-2022-21420", "CVE-2022-21421", "CVE-2022-21422", "CVE-2022-21423", "CVE-2022-21424", "CVE-2022-21425", "CVE-2022-21426", "CVE-2022-21427", "CVE-2022-21430", "CVE-2022-21431", "CVE-2022-21434", "CVE-2022-21435", "CVE-2022-21436", "CVE-2022-21437", "CVE-2022-21438", "CVE-2022-21440", "CVE-2022-21441", "CVE-2022-21442", "CVE-2022-21443", "CVE-2022-21444", "CVE-2022-21445", "CVE-2022-21446", "CVE-2022-21447", "CVE-2022-21448", "CVE-2022-21449", "CVE-2022-21450", "CVE-2022-21451", "CVE-2022-21452", "CVE-2022-21453", "CVE-2022-21454", "CVE-2022-21457", "CVE-2022-21458", "CVE-2022-21459", "CVE-2022-21460", "CVE-2022-21461", "CVE-2022-21462", "CVE-2022-21463", "CVE-2022-21464", "CVE-2022-21465", "CVE-2022-21466", "CVE-2022-21467", "CVE-2022-21468", "CVE-2022-21469", "CVE-2022-21470", "CVE-2022-21471", "CVE-2022-21472", "CVE-2022-21473", "CVE-2022-21474", "CVE-2022-21475", "CVE-2022-21476", "CVE-2022-21477", "CVE-2022-21478", "CVE-2022-21479", "CVE-2022-21480", "CVE-2022-21481", "CVE-2022-21482", "CVE-2022-21483", "CVE-2022-21484", "CVE-2022-21485", "CVE-2022-21486", "CVE-2022-21487", "CVE-2022-21488", "CVE-2022-21489", "CVE-2022-21490", "CVE-2022-21491", "CVE-2022-21492", "CVE-2022-21493", "CVE-2022-21494", "CVE-2022-21496", "CVE-2022-21497", "CVE-2022-21498", "CVE-2022-21716", "CVE-2022-21824", "CVE-2022-22719", "CVE-2022-22720", "CVE-2022-22721", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2022-22968", "CVE-2022-23181", "CVE-2022-23221", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307", "CVE-2022-23437", "CVE-2022-23852", "CVE-2022-23943", "CVE-2022-23990", "CVE-2022-24329", "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313", "CVE-2022-25314", "CVE-2022-25315"], "modified": "2022-06-16T00:00:00", "id": "ORACLE:CPUAPR2022", "href": "https://www.oracle.com/security-alerts/cpuapr2022.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}