Roundcube Webmail < 1.2.11, 1.3.x < 1.3.14, 1.4.x < 1.4.7 XSS Vulnerability

Roundcube Webmail is prone to a cross-site scripting XSS vulnerability. Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free...

CVE-2020-14300

The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 https://access.redhat.com/errata/RHBA-2020:0053 included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in...

UBUNTU-CVE-2020-15562

An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns aka XML namespace attribute of a HEAD element when an SVG element exists...

expat: large number of colons in input makes parser consume high amount of resources, leading to DoS

It was discovered that the "setElementTypePrefix" function incorrectly extracted XML namespace prefixes. By tricking an application into processing a specially crafted XML file, an attacker could cause unusually high consumption of memory resources and possibly lead to a denial of service...

CVE-2019-20794

A flaw was found in the Linux kernel. A user with PID namespace mounting a FUSE filesystem could cause a denial of service if the userspace component is terminated pid 1. The highest threat from this vulnerability is to system availability...

Misconfigured Kubeflow workloads are a security risk

Azure Security Center ASC monitors and defends thousands of Kubernetes clusters running on top of AKS. Azure Security Center regularly searches for and research for new attack vectors against Kubernetes workloads. We recently published a blog post about a large scale campaign against Kubernetes...

The vulnerability of the pivot_root function (fs/namespace.c) in Linux operating system kernels, which allows a hacker to trigger a service failure

The vulnerability of the pivotroot function fs/namespace.c in Linux operating system kernels arises due to synchronization errors when using shared resources. Exploiting this vulnerability can allow an attacker to cause a service failure...

ALPINE-CVE-2019-20795

iproute2 before 5.1.0 has a use-after-free in getnetnsidfromname in ip/ipnetns.c. NOTE: security relevance may be limited to certain uses of setuid that, although not a default, are sometimes a configuration option offered to end users. Even when setuid is used, other factors such as C library...

DEBIAN-CVE-2019-20794

An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID...

CVE-2019-20794

An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID...

UBUNTU-CVE-2019-20794

An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID...

CVE-2019-20794

An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID...

Linux kernel competitive conditions issue vulnerability (CNVD-2020-31753)

Linux kernel is the kernel used by Linux, the open source operating system released by the Linux Foundation in the United States. A contention condition issue vulnerability exists in the fs/namespace.c file in the Linux kernel, which can be exploited by an attacker to cause a denial of service...

GHSA-6PMV-7PR9-CGRJ Predictable password in Keycloak

A flaw was found in all versions of the Keycloak operator, before version 8.0.2,community only where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace...

The vulnerability of the Firefox software, related to the lack of measures taken to protect the structure of web pages, allows attackers to compromise data integrity.

The vulnerability of the Firefox software, specifically Firefox-esr, is related to an error in the insertion of certain tags from the buffer. These tags are incorrectly associated with the namespace rules. Exploiting this vulnerability can allow a remote attacker to compromise data integrity...

Privilege Escalation

kernel-rt is vulnerable to privilege escalation. The vulnerability exists as a deficiency was found in the Linux kernel signals implementation. The killsomethinginfo function did not check if a process was outside the caller's namespace before sending the kill signal, making it possible to kill...

Microsoft Buys Corp.com

A few months ago, Brian Krebs told the story of the domain corp.com, and how it is basically a security nightmare: At issue is a problem known as "namespace collision," a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains th...

CVE-2018-18955

A flaw was found in the Linux kernel where mapwrite in kernel/usernamespace.c allows privilege escalation as it mishandles nested user namespaces with more than 5 UID or GID ranges. An unprivileged user with CAPSYSADMIN in an affected user namespace can bypass access controls on resources outside...

CVE-2019-11815

A flaw was found in the Linux kernel's implementation of RDS over TCP. A system that has the rdstcp kernel module loaded either through autoload via local process running listen, or manual loading could possibly cause a use after free UAF in which an attacker who is able to manipulate socket stat...

HashiCorp Vault and Vault Enterprise Unauthorized Access Vulnerability

HashiCorp Vault is a private key access management tool. A security vulnerability exists in the nested path policy in HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3. An attacker could exploit the vulnerability to access namespaces...