
10039 matches found

Veracode
added 2020/10/01 3:53 a.m., 28 views

Buffer Over-read

Simple DirectMedia Layer (SDL) is vulnerable to a heap-based buffer over-read. It is possible due to a flaw in IMA_ADPCM_nibble in audio/SDL_wave.c...

8.8 CVSS, 3 AI score, 0.02806 EPSS
Exploits 1, References 20, Affected Software 1
RedHat Linux
added 2020/09/29 10:31 p.m., 5 views

nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state

A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data...

6.5 CVSS, 7 AI score, 0.0134 EPSS
Exploits 0, References 5
RedHat Linux
added 2020/09/29 10:31 p.m., 2 views

nss: PKCS#1 v1.5 signatures can be used for TLS 1.3

A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerabilit...

5.3 CVSS, 6.7 AI score, 0.01741 EPSS
Exploits 0, References 5
RedHat Linux
added 2020/09/29 8:24 p.m., 4 views

SDL: heap-based buffer over-read in Map1toN in video/SDL_pixels.c

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Map1toN in video/SDL_pixels.c...

8.8 CVSS, 7.5 AI score, 0.02959 EPSS
Exploits 1, References 4
RedHat Linux
added 2020/09/29 8:24 p.m., 2 views

SDL: heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c inside the wNumCoef loop...

8.8 CVSS, 7.5 AI score, 0.02959 EPSS
Exploits 1, References 4
RedHat Linux
added 2020/09/29 8:24 p.m., 4 views

SDL: heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c...

8.1 CVSS, 7.5 AI score, 0.03299 EPSS
Exploits 1, References 4
RedHat Linux
added 2020/09/29 7:27 p.m., 1 view

fontforge: out-of-bounds write in SFD_GetFontMetaData function in sfd.c

An out-of-bounds write was discovered in fontforge while parsing SFD files containing very large LayerCount tokens. The flaw allows an attacker to overwrite data before a buffer allocated on the heap, thus causing the application to crash or execute arbitrary code...

8.8 CVSS, 6.2 AI score, 0.02478 EPSS
Exploits 1, References 4
RedHat Linux
added 2020/09/29 7:00 p.m., 7 views

Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources

A flaw was found in the way KVM hypervisor handled instruction emulation for the L2 guest when nested=1 virtualization is enabled. In the instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to...

6.8 CVSS, 7.1 AI score, 0.00927 EPSS
Exploits 1, References 4
OSV
added 2020/09/28 12:00 a.m., 15 views

OSV-2020-1863 Bad-cast to pcpp::Layer from invalid vptr

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26013
Crash type: Bad-cast
Crash state:
Bad-cast to pcpp::Layer from invalid vptr
pcpp::IDnsResource::getRawData
pcpp::DnsResource::getDataLength...

7.1 AI score
Exploits 0, References 1
OSV
added 2020/09/25 2:15 p.m., 5 views

CVE-2020-5929

In versions 13.0.0-13.0.0 HF2, 12.1.0-12.1.2 HF1, and 11.6.1-11.6.2, BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a Virtual Server configured with a Client SSL profile, and using Anonymous (ADH) or Ephemeral (DHE) Diffie-Hellman key exchange and Single DH use option not enable...

5.9 CVSS, 6.4 AI score, 0.01206 EPSS
Exploits 0, References 1
Microsoft CVE
added 2020/09/25 7:00 a.m., 5 views

systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability since hostname validation does not have anything to do with this issue (i.e. there is no hostname to be sent)

...

9.8 CVSS, 8.9 AI score, 0.03138 EPSS
Exploits 1
OSV
added 2020/09/25 4:23 a.m., 3 views

CVE-2018-10432

Pexip Infinity before 18 allows Remote Denial of Service (TLS handshakes in RTMP)...

7.5 CVSS, 5.8 AI score
Exploits 0, References 2
CNVD
added 2020/09/25 12:00 a.m., 12 views

Aruba CX Switches Denial of Service Vulnerability

Aruba CX Switches is a switch from Aruba USA. A security vulnerability exists in Aruba CX Switches that can be exploited by an attacker to cause a local denial of service of the LLDP (Link Layer Discovery Protocol) process in the switch...

7.5 CVSS, 6.5 AI score, 0.00992 EPSS
Exploits 0, References 1
Microsoft CVE
added 2020/09/25 12:00 a.m., 7 views

Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.

...

7.5 CVSS, 7 AI score, 0.69552 EPSS
Exploits 4
OSV
added 2020/09/24 6:15 p.m., 2 views

CVE-2020-3512

A vulnerability in the PROFINET handler for Link Layer Discovery Protocol (LLDP) messages of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a crash on an affected device, resulting in a denial of service (DoS) condition. The vulnerability is du...

7.4 CVSS, 7.1 AI score, 0.00426 EPSS
Exploits 0, References 1
NVD
added 2020/09/24 6:15 p.m., 24 views

CVE-2020-3480

Multiple vulnerabilities in the Zone-Based Firewall feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload or stop forwarding traffic through the firewall. The vulnerabilities are due to incomplete handling of Layer 4 packets through the...

8.6 CVSS, 0.01402 EPSS
Exploits 0, References 1
OSV
added 2020/09/24 6:15 p.m., 1 view

CVE-2020-3421

Multiple vulnerabilities in the Zone-Based Firewall feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload or stop forwarding traffic through the firewall. The vulnerabilities are due to incomplete handling of Layer 4 packets through the...

7.5 CVSS, 7.2 AI score, 0.0193 EPSS
Exploits 0, References 1
NVD
added 2020/09/24 6:15 p.m., 16 views

CVE-2020-3421

Multiple vulnerabilities in the Zone-Based Firewall feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload or stop forwarding traffic through the firewall. The vulnerabilities are due to incomplete handling of Layer 4 packets through the...

8.6 CVSS, 0.0193 EPSS
Exploits 0, References 1
Prion
added 2020/09/24 6:15 p.m., 16 views

Design/Logic Flaw

Multiple vulnerabilities in the Zone-Based Firewall feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload or stop forwarding traffic through the firewall. The vulnerabilities are due to incomplete handling of Layer 4 packets through the...

7.8 CVSS, 8.5 AI score, 0.01402 EPSS
Exploits 0, References 1
Cvelist
added 2020/09/24 6:01 p.m., 18 views

CVE-2020-3421 Cisco IOS XE Software Zone-Based Firewall Denial of Service Vulnerabilities

Multiple vulnerabilities in the Zone-Based Firewall feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload or stop forwarding traffic through the firewall. The vulnerabilities are due to incomplete handling of Layer 4 packets through the...

8.6 CVSS, 8.7 AI score, 0.0193 EPSS
Exploits 0, References 1