CVE-2024-34363 Envoy can crash due to uncaught nlohmann JSON exception
Envoy is a cloud-native, open source edge and service proxy. Due to how Envoy invoked the nlohmann JSON library, the library could throw an uncaught exception from downstream data if incomplete UTF-8 strings were serialized. The uncaught exception would cause Envoy to...
CVSS 7.5
AI Score 6.8
EPSS 0.0005
A flaw was found in the libarchive library. A heap-based buffer overflow in the execute_filter_e8 function in the libarchive/archive_read_support_format_rar.c file can be triggered when a specially crafted RAR archive is processed, causing a crash to the application linked to the library and...
CVSS 7.8
AI Score 7.3
EPSS 0.005
A flaw was found in the libarchive library. An out-of-bounds access in the copy_from_lzss_window_to_unp function in the libarchive/archive_read_support_format_rar.c file can be triggered due to an integer overflow when a specially crafted RAR archive is processed, causing a crash to the...
CVSS 7.3
AI Score 7.5
EPSS 0.003
malicious container creates symlink "mtab" on the host
Impact A malicious container can affect the host by taking advantage of code cri-o added to show the container mounts on the host. A workload built from this Dockerfile: ``` FROM docker.io/library/busybox as source RUN mkdir /extra && cd /extra && ln -s ../../../../../../../../root etc FROM...
CVSS 8.1
AI Score 6.7
EPSS 0.0004
apko Exposure of HTTP basic auth credentials in log output
Summary Exposure of HTTP basic auth credentials from repository and keyring URLs in log output Details There was a handful of instances where the apko tool was outputting error messages and log entries where HTTP basic authentication credentials were exposed for one of two reasons: The %s verb was...
CVSS 7.5
AI Score 6.9
EPSS 0.0004
Summary In addition to OS level package updates, multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF033 and 23.0.2-IF005. Vulnerability Details **CVEID:** CVE-2024-21501 **DESCRIPTION:** Node.js sanitize-html module could allow a remote attacker to...
CVSS 8.8
AI Score 9.7
EPSS
Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.7
EPSS 0.0004
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted dataset to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.7
EPSS 0.0004
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted report to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.7
EPSS 0.0004
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted dataset to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.8
EPSS 0.0004
A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run when a maliciously crafted report is viewed in the...
CVSS 7.8
AI Score 7
EPSS 0.0004
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted report to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.7
EPSS 0.0004
A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run when a maliciously crafted report is viewed in the...
CVSS 7.8
AI Score 6.9
EPSS 0.0004
A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run when a maliciously crafted report is viewed in the...
CVSS 7.8
AI Score 5.9
EPSS 0.0004
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted dataset to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.6
EPSS 0.0004
Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.6
EPSS 0.0004
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted dataset to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.7
EPSS 0.0004
A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run when a maliciously crafted report is viewed in the...
CVSS 7.8
AI Score 7
EPSS 0.0004
Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.7
EPSS 0.0004
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted report to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.7
EPSS 0.0004
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted report to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.6
EPSS 0.0004
Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.7
EPSS 0.0004
Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.2
EPSS 0.0004
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted dataset to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.7
EPSS 0.0004
A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run when a maliciously crafted report is viewed in the...
CVSS 7.8
AI Score 5.7
EPSS 0.0004
A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run when a maliciously crafted report is viewed in the...
CVSS 7.8
AI Score 7
EPSS 0.0004
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted report to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.7
EPSS 0.0004
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted report to run arbitrary code on an end user's system when...
CVSS 7.8
AI Score 7.3
EPSS 0.0004
Releases Ubuntu 24.04 LTS Ubuntu 23.10 Ubuntu 22.04 LTS Packages libarchive - Library to read/write archive files Details It was discovered that libarchive incorrectly handled certain RAR archive files. An attacker could possibly use this issue to execute arbitrary code or cause a...
CVSS 7.8
AI Score 7.5
EPSS 0.001
Mime Types Extended <= 0.11 - Author+ Stored XSS via SVG Upload
Description The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. PoC 1. As an admin, enable SVG uploads at https://example.com/wp-admin/options-general.php?page=mime-types-extended 2. As an author, ...
AI Score 5.7
EPSS 0.0004
Mime Types Extended <= 0.11 - Author+ Stored XSS via SVG Upload
Description The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS...
AI Score 6.1
EPSS 0.0004
Testing CVE-2024-2961 (V1 - Under Analysis) This repository...
AI Score 7.6
iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class sun.misc.Unsafe to speed up memory access, no additional bounds checks are performed and this has similar...
CVSS 5.3
AI Score 7.1
EPSS 0.0004
iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class sun.misc.Unsafe to speed up memory access, no additional bounds checks are performed and this has similar...
CVSS 5.3
AI Score 5.2
EPSS 0.0004
CVE-2024-36124 iq80 Snappy has an out-of-bounds read when uncompressing data, leading to JVM crash
iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class sun.misc.Unsafe to speed up memory access, no additional bounds checks are performed and this has similar...
CVSS 5.3
AI Score 5.2
EPSS 0.0004
Security Bulletin: Multiple vulnerabilities in eclipse jetty affect IBM Business Automation Workflow
Summary IBM Business Automation Workflow packages a vulnerable version of the eclipse jetty library. Vulnerability Details **CVEID:** CVE-2020-27216 **DESCRIPTION:** Eclipse Jetty could allow a local authenticated attacker to gain elevated privileges on the system, caused by a race condition in the...
CVSS 7.5
AI Score 7.1
EPSS 0.802
Malicious code in stw-tenant-library (npm)
This package is considered malicious because it communicates with a domain associated with malicious activity and the package executes one or more commands associated with malicious behavior. -= Per source details. Do not edit below this line.=- Source: ghsa-malware...
AI Score 7.2
IT threat evolution in Q1 2024. Mobile statistics
Quarterly figures According to Kaspersky Security Network, in Q1 2024: 10.1 million attacks using malware, adware, or unwanted mobile software were blocked. The most...
AI Score 7.9
Software: libvirt 6.0.0 OS: ROSA Virtualization 2.1 package_evr_string: libvirt-6.0.0-28.module+el8.3.0+7827+5e65edd7.src.rpm CVE-ID: CVE-2021-3631 BDU-ID: 2024-02428 CVE-Crit: MEDIUM CVE-DESC: A vulnerability in the Libvirt virtualization management library is related to the creation of SELinux...
CVSS 6.5
AI Score 6.5
EPSS 0.001
Software: libtiff 4.0.9 OS: ROSA Virtualization 2.1 package_evr_string: libtiff-4.0.9-28.rv3 CVE-ID: CVE-2023-2731 BDU-ID: None CVE-Crit: MEDIUM CVE-DESC: A null pointer dereferencing bug was found in the LZWDecode() function of the Libtiff library in the libtiff/tif_lzw.c file. This flaw allows...
CVSS 5.5
AI Score 5.9
EPSS 0.001
Software: djvulibre 3.5.28 OS: ROSA-CHROME package_evr_string: djvulibre-3.5.28-4 CVE-ID: CVE-2021-3500 BDU-ID: None CVE-Crit: MEDIUM CVE-DESC: A flaw was discovered in djvulibre. A stack overflow in DJVU::DjVuDocument::get_djvu_file() via a crafted djvu file may cause the application to crash...
CVSS 7.8
AI Score 7.5
EPSS 0.001
RHEL 8 : hdf5 (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. hdf5: stack-based buffer overflow in the function H5FD_sec2_read in H5FDsec2.c (CVE-2018-13876) A NULL...
CVSS 9.8
AI Score 8.5
EPSS 0.005
RHEL 7 : mesa (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. mesa: security bypass in 3D library graphics (CVE-2019-5068) Note that Nessus has not tested for this issue but has...
CVSS 4.4
AI Score 4.9
EPSS 0.001
RHEL 8 : dotnet5.0 (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. urijs: Authorization Bypass Through User-Controlled Key (CVE-2022-0613) URI.js is a Javascript URL...
CVSS 6.5
AI Score 7.2
EPSS 0.001
iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class sun.misc.Unsafe to speed up memory access, no additional bounds checks are performed and this has similar...
CVSS 5.3
AI Score 5.3
EPSS 0.0004
RHEL 7 : p11-kit (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. p11-kit: out-of-bounds read in p11_rpc_buffer_get_byte_array function in rpc-message.c (CVE-2020-29362) ...
CVSS 7.5
AI Score 8
EPSS 0.006
RHEL 5 : ncurses (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function ...
CVSS 7.8
AI Score 7.3
EPSS 0.021